1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2015-2019 Yandex LLC 5 * Copyright (c) 2015-2016 Alexander V. Chernikov <melifaro@FreeBSD.org> 6 * Copyright (c) 2015-2019 Andrey V. Elsukov <ae@FreeBSD.org> 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 __FBSDID("$FreeBSD$"); 32 33 #include <sys/types.h> 34 #include <sys/socket.h> 35 36 #include "ipfw2.h" 37 38 #include <ctype.h> 39 #include <err.h> 40 #include <errno.h> 41 #include <inttypes.h> 42 #include <netdb.h> 43 #include <stdio.h> 44 #include <stdlib.h> 45 #include <string.h> 46 #include <sysexits.h> 47 48 #include <net/if.h> 49 #include <netinet/in.h> 50 #include <netinet/ip_fw.h> 51 #include <netinet6/ip_fw_nat64.h> 52 #include <arpa/inet.h> 53 54 static void nat64lsn_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name, 55 uint8_t set); 56 typedef int (nat64lsn_cb_t)(ipfw_nat64lsn_cfg *cfg, const char *name, 57 uint8_t set); 58 static int nat64lsn_foreach(nat64lsn_cb_t *f, const char *name, uint8_t set, 59 int sort); 60 61 static void nat64lsn_create(const char *name, uint8_t set, int ac, char **av); 62 static void nat64lsn_config(const char *name, uint8_t set, int ac, char **av); 63 static void nat64lsn_destroy(const char *name, uint8_t set); 64 static void nat64lsn_stats(const char *name, uint8_t set); 65 static void nat64lsn_reset_stats(const char *name, uint8_t set); 66 static int nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name, 67 uint8_t set); 68 static int nat64lsn_destroy_cb(ipfw_nat64lsn_cfg *cfg, const char *name, 69 uint8_t set); 70 static int nat64lsn_states_cb(ipfw_nat64lsn_cfg *cfg, const char *name, 71 uint8_t set); 72 73 static struct _s_x nat64cmds[] = { 74 { "create", TOK_CREATE }, 75 { "config", TOK_CONFIG }, 76 { "destroy", TOK_DESTROY }, 77 { "list", TOK_LIST }, 78 { "show", TOK_LIST }, 79 { "stats", TOK_STATS }, 80 { NULL, 0 } 81 }; 82 83 static uint64_t 84 nat64lsn_print_states(void *buf) 85 { 86 char s[INET6_ADDRSTRLEN], a[INET_ADDRSTRLEN], f[INET_ADDRSTRLEN]; 87 const char *proto; 88 char sflags[4], *sf; 89 ipfw_obj_header *oh; 90 ipfw_obj_data *od; 91 ipfw_nat64lsn_stg_v1 *stg; 92 ipfw_nat64lsn_state_v1 *ste; 93 uint64_t next_idx; 94 uint32_t i; 95 int sz; 96 97 oh = (ipfw_obj_header *)buf; 98 od = (ipfw_obj_data *)(oh + 1); 99 stg = (ipfw_nat64lsn_stg_v1 *)(od + 1); 100 sz = od->head.length - sizeof(*od); 101 next_idx = 0; 102 while (sz > 0 && next_idx != 0xFF) { 103 next_idx = stg->next.index; 104 sz -= sizeof(*stg); 105 if (stg->count == 0) { 106 stg++; 107 continue; 108 } 109 /* 110 * NOTE: addresses are in network byte order, 111 * ports are in host byte order. 112 */ 113 inet_ntop(AF_INET, &stg->alias4, a, sizeof(a)); 114 ste = (ipfw_nat64lsn_state_v1 *)(stg + 1); 115 for (i = 0; i < stg->count && sz > 0; i++) { 116 sf = sflags; 117 inet_ntop(AF_INET6, &ste->host6, s, sizeof(s)); 118 inet_ntop(AF_INET, &ste->daddr, f, sizeof(f)); 119 switch (ste->proto) { 120 case IPPROTO_TCP: 121 proto = "TCP"; 122 if (ste->flags & 0x02) 123 *sf++ = 'S'; 124 if (ste->flags & 0x04) 125 *sf++ = 'E'; 126 if (ste->flags & 0x01) 127 *sf++ = 'F'; 128 break; 129 case IPPROTO_UDP: 130 proto = "UDP"; 131 break; 132 case IPPROTO_ICMP: 133 proto = "ICMPv6"; 134 break; 135 } 136 *sf = '\0'; 137 switch (ste->proto) { 138 case IPPROTO_TCP: 139 case IPPROTO_UDP: 140 printf("%s:%d\t%s:%d\t%s\t%s\t%d\t%s:%d\n", 141 s, ste->sport, a, ste->aport, proto, 142 sflags, ste->idle, f, ste->dport); 143 break; 144 case IPPROTO_ICMP: 145 printf("%s\t%s\t%s\t\t%d\t%s\n", 146 s, a, proto, ste->idle, f); 147 break; 148 default: 149 printf("%s\t%s\t%d\t\t%d\t%s\n", 150 s, a, ste->proto, ste->idle, f); 151 } 152 ste++; 153 sz -= sizeof(*ste); 154 } 155 stg = (ipfw_nat64lsn_stg_v1 *)ste; 156 } 157 return (next_idx); 158 } 159 160 static int 161 nat64lsn_states_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set) 162 { 163 ipfw_obj_header *oh; 164 ipfw_obj_data *od; 165 void *buf; 166 uint64_t next_idx; 167 size_t sz; 168 169 if (name != NULL && strcmp(cfg->name, name) != 0) 170 return (ESRCH); 171 172 if (set != 0 && cfg->set != set) 173 return (ESRCH); 174 175 next_idx = 0; 176 sz = 4096; 177 if ((buf = calloc(1, sz)) == NULL) 178 err(EX_OSERR, NULL); 179 do { 180 oh = (ipfw_obj_header *)buf; 181 oh->opheader.version = 1; /* Force using ov new API */ 182 od = (ipfw_obj_data *)(oh + 1); 183 nat64lsn_fill_ntlv(&oh->ntlv, cfg->name, set); 184 od->head.type = IPFW_TLV_OBJDATA; 185 od->head.length = sizeof(*od) + sizeof(next_idx); 186 *((uint64_t *)(od + 1)) = next_idx; 187 if (do_get3(IP_FW_NAT64LSN_LIST_STATES, &oh->opheader, &sz)) 188 err(EX_OSERR, "Error reading nat64lsn states"); 189 next_idx = nat64lsn_print_states(buf); 190 sz = 4096; 191 memset(buf, 0, sz); 192 } while (next_idx != 0xFF); 193 194 free(buf); 195 return (0); 196 } 197 198 static struct _s_x nat64statscmds[] = { 199 { "reset", TOK_RESET }, 200 { NULL, 0 } 201 }; 202 203 static void 204 ipfw_nat64lsn_stats_handler(const char *name, uint8_t set, int ac, char *av[]) 205 { 206 int tcmd; 207 208 if (ac == 0) { 209 nat64lsn_stats(name, set); 210 return; 211 } 212 NEED1("nat64lsn stats needs command"); 213 tcmd = get_token(nat64statscmds, *av, "nat64lsn stats command"); 214 switch (tcmd) { 215 case TOK_RESET: 216 nat64lsn_reset_stats(name, set); 217 } 218 } 219 220 static struct _s_x nat64listcmds[] = { 221 { "states", TOK_STATES }, 222 { "config", TOK_CONFIG }, 223 { NULL, 0 } 224 }; 225 226 static void 227 ipfw_nat64lsn_list_handler(const char *name, uint8_t set, int ac, char *av[]) 228 { 229 int tcmd; 230 231 if (ac == 0) { 232 nat64lsn_foreach(nat64lsn_show_cb, name, set, 1); 233 return; 234 } 235 NEED1("nat64lsn list needs command"); 236 tcmd = get_token(nat64listcmds, *av, "nat64lsn list command"); 237 switch (tcmd) { 238 case TOK_STATES: 239 nat64lsn_foreach(nat64lsn_states_cb, name, set, 1); 240 break; 241 case TOK_CONFIG: 242 nat64lsn_foreach(nat64lsn_show_cb, name, set, 1); 243 } 244 } 245 246 /* 247 * This one handles all nat64lsn-related commands 248 * ipfw [set N] nat64lsn NAME {create | config} ... 249 * ipfw [set N] nat64lsn NAME stats 250 * ipfw [set N] nat64lsn {NAME | all} destroy 251 * ipfw [set N] nat64lsn {NAME | all} {list | show} [config | states] 252 */ 253 #define nat64lsn_check_name table_check_name 254 void 255 ipfw_nat64lsn_handler(int ac, char *av[]) 256 { 257 const char *name; 258 int tcmd; 259 uint8_t set; 260 261 if (g_co.use_set != 0) 262 set = g_co.use_set - 1; 263 else 264 set = 0; 265 ac--; av++; 266 267 NEED1("nat64lsn needs instance name"); 268 name = *av; 269 if (nat64lsn_check_name(name) != 0) { 270 if (strcmp(name, "all") == 0) 271 name = NULL; 272 else 273 errx(EX_USAGE, "nat64lsn instance name %s is invalid", 274 name); 275 } 276 ac--; av++; 277 NEED1("nat64lsn needs command"); 278 279 tcmd = get_token(nat64cmds, *av, "nat64lsn command"); 280 if (name == NULL && tcmd != TOK_DESTROY && tcmd != TOK_LIST) 281 errx(EX_USAGE, "nat64lsn instance name required"); 282 switch (tcmd) { 283 case TOK_CREATE: 284 ac--; av++; 285 nat64lsn_create(name, set, ac, av); 286 break; 287 case TOK_CONFIG: 288 ac--; av++; 289 nat64lsn_config(name, set, ac, av); 290 break; 291 case TOK_LIST: 292 ac--; av++; 293 ipfw_nat64lsn_list_handler(name, set, ac, av); 294 break; 295 case TOK_DESTROY: 296 if (name == NULL) 297 nat64lsn_foreach(nat64lsn_destroy_cb, NULL, set, 0); 298 else 299 nat64lsn_destroy(name, set); 300 break; 301 case TOK_STATS: 302 ac--; av++; 303 ipfw_nat64lsn_stats_handler(name, set, ac, av); 304 } 305 } 306 307 static void 308 nat64lsn_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name, uint8_t set) 309 { 310 311 ntlv->head.type = IPFW_TLV_EACTION_NAME(1); /* it doesn't matter */ 312 ntlv->head.length = sizeof(ipfw_obj_ntlv); 313 ntlv->idx = 1; 314 ntlv->set = set; 315 strlcpy(ntlv->name, name, sizeof(ntlv->name)); 316 } 317 318 static void 319 nat64lsn_apply_mask(int af, void *prefix, uint16_t plen) 320 { 321 struct in6_addr mask6, *p6; 322 struct in_addr mask4, *p4; 323 324 if (af == AF_INET) { 325 p4 = (struct in_addr *)prefix; 326 mask4.s_addr = htonl(~((1 << (32 - plen)) - 1)); 327 p4->s_addr &= mask4.s_addr; 328 } else if (af == AF_INET6) { 329 p6 = (struct in6_addr *)prefix; 330 n2mask(&mask6, plen); 331 APPLY_MASK(p6, &mask6); 332 } 333 } 334 335 static void 336 nat64lsn_parse_prefix(const char *arg, int af, void *prefix, uint16_t *plen) 337 { 338 char *p, *l; 339 340 p = strdup(arg); 341 if (p == NULL) 342 err(EX_OSERR, NULL); 343 if ((l = strchr(p, '/')) != NULL) 344 *l++ = '\0'; 345 if (l == NULL) 346 errx(EX_USAGE, "Prefix length required"); 347 if (inet_pton(af, p, prefix) != 1) 348 errx(EX_USAGE, "Bad prefix: %s", p); 349 *plen = (uint16_t)strtol(l, &l, 10); 350 if (*l != '\0' || *plen == 0 || (af == AF_INET && *plen > 32) || 351 (af == AF_INET6 && *plen > 96)) 352 errx(EX_USAGE, "Bad prefix length: %s", arg); 353 nat64lsn_apply_mask(af, prefix, *plen); 354 free(p); 355 } 356 357 static uint32_t 358 nat64lsn_parse_int(const char *arg, const char *desc) 359 { 360 char *p; 361 uint32_t val; 362 363 val = (uint32_t)strtol(arg, &p, 10); 364 if (*p != '\0') 365 errx(EX_USAGE, "Invalid %s value: %s\n", desc, arg); 366 return (val); 367 } 368 369 static struct _s_x nat64newcmds[] = { 370 { "prefix6", TOK_PREFIX6 }, 371 { "jmaxlen", TOK_JMAXLEN }, 372 { "prefix4", TOK_PREFIX4 }, 373 { "host_del_age", TOK_HOST_DEL_AGE }, 374 { "pg_del_age", TOK_PG_DEL_AGE }, 375 { "tcp_syn_age", TOK_TCP_SYN_AGE }, 376 { "tcp_close_age",TOK_TCP_CLOSE_AGE }, 377 { "tcp_est_age", TOK_TCP_EST_AGE }, 378 { "udp_age", TOK_UDP_AGE }, 379 { "icmp_age", TOK_ICMP_AGE }, 380 { "states_chunks",TOK_STATES_CHUNKS }, 381 { "log", TOK_LOG }, 382 { "-log", TOK_LOGOFF }, 383 { "allow_private", TOK_PRIVATE }, 384 { "-allow_private", TOK_PRIVATEOFF }, 385 /* for compatibility with old configurations */ 386 { "max_ports", TOK_MAX_PORTS }, /* unused */ 387 { NULL, 0 } 388 }; 389 390 /* 391 * Creates new nat64lsn instance 392 * ipfw nat64lsn <NAME> create 393 * [ max_ports <N> ] 394 * Request: [ ipfw_obj_lheader ipfw_nat64lsn_cfg ] 395 */ 396 #define NAT64LSN_HAS_PREFIX4 0x01 397 #define NAT64LSN_HAS_PREFIX6 0x02 398 static void 399 nat64lsn_create(const char *name, uint8_t set, int ac, char **av) 400 { 401 char buf[sizeof(ipfw_obj_lheader) + sizeof(ipfw_nat64lsn_cfg)]; 402 ipfw_nat64lsn_cfg *cfg; 403 ipfw_obj_lheader *olh; 404 int tcmd, flags; 405 char *opt; 406 407 memset(&buf, 0, sizeof(buf)); 408 olh = (ipfw_obj_lheader *)buf; 409 cfg = (ipfw_nat64lsn_cfg *)(olh + 1); 410 411 /* Some reasonable defaults */ 412 inet_pton(AF_INET6, "64:ff9b::", &cfg->prefix6); 413 cfg->plen6 = 96; 414 cfg->set = set; 415 cfg->max_ports = NAT64LSN_MAX_PORTS; 416 cfg->jmaxlen = NAT64LSN_JMAXLEN; 417 cfg->nh_delete_delay = NAT64LSN_HOST_AGE; 418 cfg->pg_delete_delay = NAT64LSN_PG_AGE; 419 cfg->st_syn_ttl = NAT64LSN_TCP_SYN_AGE; 420 cfg->st_estab_ttl = NAT64LSN_TCP_EST_AGE; 421 cfg->st_close_ttl = NAT64LSN_TCP_FIN_AGE; 422 cfg->st_udp_ttl = NAT64LSN_UDP_AGE; 423 cfg->st_icmp_ttl = NAT64LSN_ICMP_AGE; 424 flags = NAT64LSN_HAS_PREFIX6; 425 while (ac > 0) { 426 tcmd = get_token(nat64newcmds, *av, "option"); 427 opt = *av; 428 ac--; av++; 429 430 switch (tcmd) { 431 case TOK_PREFIX4: 432 NEED1("IPv4 prefix required"); 433 nat64lsn_parse_prefix(*av, AF_INET, &cfg->prefix4, 434 &cfg->plen4); 435 flags |= NAT64LSN_HAS_PREFIX4; 436 ac--; av++; 437 break; 438 case TOK_PREFIX6: 439 NEED1("IPv6 prefix required"); 440 nat64lsn_parse_prefix(*av, AF_INET6, &cfg->prefix6, 441 &cfg->plen6); 442 if (ipfw_check_nat64prefix(&cfg->prefix6, 443 cfg->plen6) != 0 && 444 !IN6_IS_ADDR_UNSPECIFIED(&cfg->prefix6)) 445 errx(EX_USAGE, "Bad prefix6 %s", *av); 446 447 ac--; av++; 448 break; 449 case TOK_JMAXLEN: 450 NEED1("job queue length required"); 451 cfg->jmaxlen = nat64lsn_parse_int(*av, opt); 452 ac--; av++; 453 break; 454 case TOK_MAX_PORTS: 455 NEED1("Max per-user ports required"); 456 cfg->max_ports = nat64lsn_parse_int(*av, opt); 457 ac--; av++; 458 break; 459 case TOK_HOST_DEL_AGE: 460 NEED1("host delete delay required"); 461 cfg->nh_delete_delay = (uint16_t)nat64lsn_parse_int( 462 *av, opt); 463 ac--; av++; 464 break; 465 case TOK_PG_DEL_AGE: 466 NEED1("portgroup delete delay required"); 467 cfg->pg_delete_delay = (uint16_t)nat64lsn_parse_int( 468 *av, opt); 469 ac--; av++; 470 break; 471 case TOK_TCP_SYN_AGE: 472 NEED1("tcp syn age required"); 473 cfg->st_syn_ttl = (uint16_t)nat64lsn_parse_int( 474 *av, opt); 475 ac--; av++; 476 break; 477 case TOK_TCP_CLOSE_AGE: 478 NEED1("tcp close age required"); 479 cfg->st_close_ttl = (uint16_t)nat64lsn_parse_int( 480 *av, opt); 481 ac--; av++; 482 break; 483 case TOK_TCP_EST_AGE: 484 NEED1("tcp est age required"); 485 cfg->st_estab_ttl = (uint16_t)nat64lsn_parse_int( 486 *av, opt); 487 ac--; av++; 488 break; 489 case TOK_UDP_AGE: 490 NEED1("udp age required"); 491 cfg->st_udp_ttl = (uint16_t)nat64lsn_parse_int( 492 *av, opt); 493 ac--; av++; 494 break; 495 case TOK_ICMP_AGE: 496 NEED1("icmp age required"); 497 cfg->st_icmp_ttl = (uint16_t)nat64lsn_parse_int( 498 *av, opt); 499 ac--; av++; 500 break; 501 case TOK_STATES_CHUNKS: 502 NEED1("number of chunks required"); 503 cfg->states_chunks = (uint8_t)nat64lsn_parse_int( 504 *av, opt); 505 ac--; av++; 506 break; 507 case TOK_LOG: 508 cfg->flags |= NAT64_LOG; 509 break; 510 case TOK_LOGOFF: 511 cfg->flags &= ~NAT64_LOG; 512 break; 513 case TOK_PRIVATE: 514 cfg->flags |= NAT64_ALLOW_PRIVATE; 515 break; 516 case TOK_PRIVATEOFF: 517 cfg->flags &= ~NAT64_ALLOW_PRIVATE; 518 break; 519 } 520 } 521 522 /* Check validness */ 523 if ((flags & NAT64LSN_HAS_PREFIX4) != NAT64LSN_HAS_PREFIX4) 524 errx(EX_USAGE, "prefix4 required"); 525 526 olh->count = 1; 527 olh->objsize = sizeof(*cfg); 528 olh->size = sizeof(buf); 529 strlcpy(cfg->name, name, sizeof(cfg->name)); 530 if (do_set3(IP_FW_NAT64LSN_CREATE, &olh->opheader, sizeof(buf)) != 0) 531 err(EX_OSERR, "nat64lsn instance creation failed"); 532 } 533 534 /* 535 * Configures existing nat64lsn instance 536 * ipfw nat64lsn <NAME> config <options> 537 * Request: [ ipfw_obj_header ipfw_nat64lsn_cfg ] 538 */ 539 static void 540 nat64lsn_config(const char *name, uint8_t set, int ac, char **av) 541 { 542 char buf[sizeof(ipfw_obj_header) + sizeof(ipfw_nat64lsn_cfg)]; 543 ipfw_nat64lsn_cfg *cfg; 544 ipfw_obj_header *oh; 545 size_t sz; 546 char *opt; 547 int tcmd; 548 549 if (ac == 0) 550 errx(EX_USAGE, "config options required"); 551 memset(&buf, 0, sizeof(buf)); 552 oh = (ipfw_obj_header *)buf; 553 cfg = (ipfw_nat64lsn_cfg *)(oh + 1); 554 sz = sizeof(buf); 555 556 nat64lsn_fill_ntlv(&oh->ntlv, name, set); 557 if (do_get3(IP_FW_NAT64LSN_CONFIG, &oh->opheader, &sz) != 0) 558 err(EX_OSERR, "failed to get config for instance %s", name); 559 560 while (ac > 0) { 561 tcmd = get_token(nat64newcmds, *av, "option"); 562 opt = *av; 563 ac--; av++; 564 565 switch (tcmd) { 566 case TOK_MAX_PORTS: 567 NEED1("Max per-user ports required"); 568 cfg->max_ports = nat64lsn_parse_int(*av, opt); 569 ac--; av++; 570 break; 571 case TOK_JMAXLEN: 572 NEED1("job queue length required"); 573 cfg->jmaxlen = nat64lsn_parse_int(*av, opt); 574 ac--; av++; 575 break; 576 case TOK_HOST_DEL_AGE: 577 NEED1("host delete delay required"); 578 cfg->nh_delete_delay = (uint16_t)nat64lsn_parse_int( 579 *av, opt); 580 ac--; av++; 581 break; 582 case TOK_PG_DEL_AGE: 583 NEED1("portgroup delete delay required"); 584 cfg->pg_delete_delay = (uint16_t)nat64lsn_parse_int( 585 *av, opt); 586 ac--; av++; 587 break; 588 case TOK_TCP_SYN_AGE: 589 NEED1("tcp syn age required"); 590 cfg->st_syn_ttl = (uint16_t)nat64lsn_parse_int( 591 *av, opt); 592 ac--; av++; 593 break; 594 case TOK_TCP_CLOSE_AGE: 595 NEED1("tcp close age required"); 596 cfg->st_close_ttl = (uint16_t)nat64lsn_parse_int( 597 *av, opt); 598 ac--; av++; 599 break; 600 case TOK_TCP_EST_AGE: 601 NEED1("tcp est age required"); 602 cfg->st_estab_ttl = (uint16_t)nat64lsn_parse_int( 603 *av, opt); 604 ac--; av++; 605 break; 606 case TOK_UDP_AGE: 607 NEED1("udp age required"); 608 cfg->st_udp_ttl = (uint16_t)nat64lsn_parse_int( 609 *av, opt); 610 ac--; av++; 611 break; 612 case TOK_ICMP_AGE: 613 NEED1("icmp age required"); 614 cfg->st_icmp_ttl = (uint16_t)nat64lsn_parse_int( 615 *av, opt); 616 ac--; av++; 617 break; 618 case TOK_STATES_CHUNKS: 619 NEED1("number of chunks required"); 620 cfg->states_chunks = (uint8_t)nat64lsn_parse_int( 621 *av, opt); 622 ac--; av++; 623 break; 624 case TOK_LOG: 625 cfg->flags |= NAT64_LOG; 626 break; 627 case TOK_LOGOFF: 628 cfg->flags &= ~NAT64_LOG; 629 break; 630 case TOK_PRIVATE: 631 cfg->flags |= NAT64_ALLOW_PRIVATE; 632 break; 633 case TOK_PRIVATEOFF: 634 cfg->flags &= ~NAT64_ALLOW_PRIVATE; 635 break; 636 default: 637 errx(EX_USAGE, "Can't change %s option", opt); 638 } 639 } 640 641 if (do_set3(IP_FW_NAT64LSN_CONFIG, &oh->opheader, sizeof(buf)) != 0) 642 err(EX_OSERR, "nat64lsn instance configuration failed"); 643 } 644 645 /* 646 * Reset nat64lsn instance statistics specified by @oh->ntlv. 647 * Request: [ ipfw_obj_header ] 648 */ 649 static void 650 nat64lsn_reset_stats(const char *name, uint8_t set) 651 { 652 ipfw_obj_header oh; 653 654 memset(&oh, 0, sizeof(oh)); 655 nat64lsn_fill_ntlv(&oh.ntlv, name, set); 656 if (do_set3(IP_FW_NAT64LSN_RESET_STATS, &oh.opheader, sizeof(oh)) != 0) 657 err(EX_OSERR, "failed to reset stats for instance %s", name); 658 } 659 660 /* 661 * Destroys nat64lsn instance specified by @oh->ntlv. 662 * Request: [ ipfw_obj_header ] 663 */ 664 static void 665 nat64lsn_destroy(const char *name, uint8_t set) 666 { 667 ipfw_obj_header oh; 668 669 memset(&oh, 0, sizeof(oh)); 670 nat64lsn_fill_ntlv(&oh.ntlv, name, set); 671 if (do_set3(IP_FW_NAT64LSN_DESTROY, &oh.opheader, sizeof(oh)) != 0) 672 err(EX_OSERR, "failed to destroy nat instance %s", name); 673 } 674 675 /* 676 * Get nat64lsn instance statistics. 677 * Request: [ ipfw_obj_header ] 678 * Reply: [ ipfw_obj_header ipfw_obj_ctlv [ uint64_t x N ] ] 679 */ 680 static int 681 nat64lsn_get_stats(const char *name, uint8_t set, 682 struct ipfw_nat64lsn_stats *stats) 683 { 684 ipfw_obj_header *oh; 685 ipfw_obj_ctlv *oc; 686 size_t sz; 687 688 sz = sizeof(*oh) + sizeof(*oc) + sizeof(*stats); 689 oh = calloc(1, sz); 690 nat64lsn_fill_ntlv(&oh->ntlv, name, set); 691 if (do_get3(IP_FW_NAT64LSN_STATS, &oh->opheader, &sz) == 0) { 692 oc = (ipfw_obj_ctlv *)(oh + 1); 693 memcpy(stats, oc + 1, sizeof(*stats)); 694 free(oh); 695 return (0); 696 } 697 free(oh); 698 return (-1); 699 } 700 701 static void 702 nat64lsn_stats(const char *name, uint8_t set) 703 { 704 struct ipfw_nat64lsn_stats stats; 705 706 if (nat64lsn_get_stats(name, set, &stats) != 0) 707 err(EX_OSERR, "Error retrieving stats"); 708 709 if (g_co.use_set != 0 || set != 0) 710 printf("set %u ", set); 711 printf("nat64lsn %s\n", name); 712 printf("\t%ju packets translated from IPv6 to IPv4\n", 713 (uintmax_t)stats.opcnt64); 714 printf("\t%ju packets translated from IPv4 to IPv6\n", 715 (uintmax_t)stats.opcnt46); 716 printf("\t%ju IPv6 fragments created\n", 717 (uintmax_t)stats.ofrags); 718 printf("\t%ju IPv4 fragments received\n", 719 (uintmax_t)stats.ifrags); 720 printf("\t%ju output packets dropped due to no bufs, etc.\n", 721 (uintmax_t)stats.oerrors); 722 printf("\t%ju output packets discarded due to no IPv4 route\n", 723 (uintmax_t)stats.noroute4); 724 printf("\t%ju output packets discarded due to no IPv6 route\n", 725 (uintmax_t)stats.noroute6); 726 printf("\t%ju packets discarded due to unsupported protocol\n", 727 (uintmax_t)stats.noproto); 728 printf("\t%ju packets discarded due to memory allocation problems\n", 729 (uintmax_t)stats.nomem); 730 printf("\t%ju packets discarded due to some errors\n", 731 (uintmax_t)stats.dropped); 732 printf("\t%ju packets not matched with IPv4 prefix\n", 733 (uintmax_t)stats.nomatch4); 734 735 printf("\t%ju mbufs queued for post processing\n", 736 (uintmax_t)stats.jreinjected); 737 printf("\t%ju times the job queue was processed\n", 738 (uintmax_t)stats.jcalls); 739 printf("\t%ju job requests queued\n", 740 (uintmax_t)stats.jrequests); 741 printf("\t%ju job requests queue limit reached\n", 742 (uintmax_t)stats.jmaxlen); 743 printf("\t%ju job requests failed due to memory allocation problems\n", 744 (uintmax_t)stats.jnomem); 745 746 printf("\t%ju hosts allocated\n", (uintmax_t)stats.hostcount); 747 printf("\t%ju hosts requested\n", (uintmax_t)stats.jhostsreq); 748 printf("\t%ju host requests failed\n", (uintmax_t)stats.jhostfails); 749 750 printf("\t%ju portgroups requested\n", (uintmax_t)stats.jportreq); 751 printf("\t%ju portgroups allocated\n", (uintmax_t)stats.spgcreated); 752 printf("\t%ju portgroups deleted\n", (uintmax_t)stats.spgdeleted); 753 printf("\t%ju portgroup requests failed\n", 754 (uintmax_t)stats.jportfails); 755 printf("\t%ju portgroups allocated for TCP\n", 756 (uintmax_t)stats.tcpchunks); 757 printf("\t%ju portgroups allocated for UDP\n", 758 (uintmax_t)stats.udpchunks); 759 printf("\t%ju portgroups allocated for ICMP\n", 760 (uintmax_t)stats.icmpchunks); 761 762 printf("\t%ju states created\n", (uintmax_t)stats.screated); 763 printf("\t%ju states deleted\n", (uintmax_t)stats.sdeleted); 764 } 765 766 static int 767 nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set) 768 { 769 char abuf[INET6_ADDRSTRLEN]; 770 771 if (name != NULL && strcmp(cfg->name, name) != 0) 772 return (ESRCH); 773 774 if (g_co.use_set != 0 && cfg->set != set) 775 return (ESRCH); 776 777 if (g_co.use_set != 0 || cfg->set != 0) 778 printf("set %u ", cfg->set); 779 inet_ntop(AF_INET, &cfg->prefix4, abuf, sizeof(abuf)); 780 printf("nat64lsn %s prefix4 %s/%u", cfg->name, abuf, cfg->plen4); 781 inet_ntop(AF_INET6, &cfg->prefix6, abuf, sizeof(abuf)); 782 printf(" prefix6 %s/%u", abuf, cfg->plen6); 783 if (g_co.verbose || cfg->states_chunks > 1) 784 printf(" states_chunks %u", cfg->states_chunks); 785 if (g_co.verbose || cfg->nh_delete_delay != NAT64LSN_HOST_AGE) 786 printf(" host_del_age %u", cfg->nh_delete_delay); 787 if (g_co.verbose || cfg->pg_delete_delay != NAT64LSN_PG_AGE) 788 printf(" pg_del_age %u", cfg->pg_delete_delay); 789 if (g_co.verbose || cfg->st_syn_ttl != NAT64LSN_TCP_SYN_AGE) 790 printf(" tcp_syn_age %u", cfg->st_syn_ttl); 791 if (g_co.verbose || cfg->st_close_ttl != NAT64LSN_TCP_FIN_AGE) 792 printf(" tcp_close_age %u", cfg->st_close_ttl); 793 if (g_co.verbose || cfg->st_estab_ttl != NAT64LSN_TCP_EST_AGE) 794 printf(" tcp_est_age %u", cfg->st_estab_ttl); 795 if (g_co.verbose || cfg->st_udp_ttl != NAT64LSN_UDP_AGE) 796 printf(" udp_age %u", cfg->st_udp_ttl); 797 if (g_co.verbose || cfg->st_icmp_ttl != NAT64LSN_ICMP_AGE) 798 printf(" icmp_age %u", cfg->st_icmp_ttl); 799 if (g_co.verbose || cfg->jmaxlen != NAT64LSN_JMAXLEN) 800 printf(" jmaxlen %u", cfg->jmaxlen); 801 if (cfg->flags & NAT64_LOG) 802 printf(" log"); 803 if (cfg->flags & NAT64_ALLOW_PRIVATE) 804 printf(" allow_private"); 805 printf("\n"); 806 return (0); 807 } 808 809 static int 810 nat64lsn_destroy_cb(ipfw_nat64lsn_cfg *cfg, const char *name __unused, 811 uint8_t set) 812 { 813 814 if (g_co.use_set != 0 && cfg->set != set) 815 return (ESRCH); 816 817 nat64lsn_destroy(cfg->name, cfg->set); 818 return (0); 819 } 820 821 822 /* 823 * Compare nat64lsn instances names. 824 * Honor number comparison. 825 */ 826 static int 827 nat64name_cmp(const void *a, const void *b) 828 { 829 const ipfw_nat64lsn_cfg *ca, *cb; 830 831 ca = (const ipfw_nat64lsn_cfg *)a; 832 cb = (const ipfw_nat64lsn_cfg *)b; 833 834 if (ca->set > cb->set) 835 return (1); 836 else if (ca->set < cb->set) 837 return (-1); 838 return (stringnum_cmp(ca->name, cb->name)); 839 } 840 841 /* 842 * Retrieves nat64lsn instance list from kernel, 843 * optionally sorts it and calls requested function for each instance. 844 * 845 * Request: [ ipfw_obj_lheader ] 846 * Reply: [ ipfw_obj_lheader ipfw_nat64lsn_cfg x N ] 847 */ 848 static int 849 nat64lsn_foreach(nat64lsn_cb_t *f, const char *name, uint8_t set, int sort) 850 { 851 ipfw_obj_lheader *olh; 852 ipfw_nat64lsn_cfg *cfg; 853 size_t sz; 854 uint32_t i; 855 int error; 856 857 /* Start with reasonable default */ 858 sz = sizeof(*olh) + 16 * sizeof(ipfw_nat64lsn_cfg); 859 860 for (;;) { 861 if ((olh = calloc(1, sz)) == NULL) 862 return (ENOMEM); 863 864 olh->size = sz; 865 if (do_get3(IP_FW_NAT64LSN_LIST, &olh->opheader, &sz) != 0) { 866 sz = olh->size; 867 free(olh); 868 if (errno != ENOMEM) 869 return (errno); 870 continue; 871 } 872 873 if (sort != 0) 874 qsort(olh + 1, olh->count, olh->objsize, 875 nat64name_cmp); 876 877 cfg = (ipfw_nat64lsn_cfg *)(olh + 1); 878 for (i = 0; i < olh->count; i++) { 879 error = f(cfg, name, set); /* Ignore errors for now */ 880 cfg = (ipfw_nat64lsn_cfg *)((caddr_t)cfg + 881 olh->objsize); 882 } 883 free(olh); 884 break; 885 } 886 return (0); 887 } 888 889