1d8caf56eSAndrey V. Elsukov /*-
2002cae78SAndrey V. Elsukov  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3002cae78SAndrey V. Elsukov  *
4002cae78SAndrey V. Elsukov  * Copyright (c) 2015-2019 Yandex LLC
5d8caf56eSAndrey V. Elsukov  * Copyright (c) 2015 Alexander V. Chernikov <melifaro@FreeBSD.org>
6002cae78SAndrey V. Elsukov  * Copyright (c) 2015-2019 Andrey V. Elsukov <ae@FreeBSD.org>
7d8caf56eSAndrey V. Elsukov  *
8d8caf56eSAndrey V. Elsukov  * Redistribution and use in source and binary forms, with or without
9d8caf56eSAndrey V. Elsukov  * modification, are permitted provided that the following conditions
10d8caf56eSAndrey V. Elsukov  * are met:
11d8caf56eSAndrey V. Elsukov  *
12d8caf56eSAndrey V. Elsukov  * 1. Redistributions of source code must retain the above copyright
13d8caf56eSAndrey V. Elsukov  *    notice, this list of conditions and the following disclaimer.
14d8caf56eSAndrey V. Elsukov  * 2. Redistributions in binary form must reproduce the above copyright
15d8caf56eSAndrey V. Elsukov  *    notice, this list of conditions and the following disclaimer in the
16d8caf56eSAndrey V. Elsukov  *    documentation and/or other materials provided with the distribution.
17d8caf56eSAndrey V. Elsukov  *
18d8caf56eSAndrey V. Elsukov  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19d8caf56eSAndrey V. Elsukov  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20d8caf56eSAndrey V. Elsukov  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21d8caf56eSAndrey V. Elsukov  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22d8caf56eSAndrey V. Elsukov  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23d8caf56eSAndrey V. Elsukov  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24d8caf56eSAndrey V. Elsukov  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25d8caf56eSAndrey V. Elsukov  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26d8caf56eSAndrey V. Elsukov  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27d8caf56eSAndrey V. Elsukov  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28d8caf56eSAndrey V. Elsukov  *
29d8caf56eSAndrey V. Elsukov  * $FreeBSD$
30d8caf56eSAndrey V. Elsukov  */
31d8caf56eSAndrey V. Elsukov 
32d8caf56eSAndrey V. Elsukov #ifndef	_NETINET6_IP_FW_NAT64_H_
33d8caf56eSAndrey V. Elsukov #define	_NETINET6_IP_FW_NAT64_H_
34d8caf56eSAndrey V. Elsukov 
/*
 * Counters of one nat64stl instance (stateless NAT64 in ipfw(8) terms),
 * as exported to userland.  The member order is identical to
 * ipfw_nat64clat_stats and to the first ten members of
 * ipfw_nat64lsn_stats.  The explicit spare/_reserved members elsewhere in
 * this header suggest the layout is kernel/userland ABI: append new
 * counters, never insert or reorder.
 */
struct ipfw_nat64stl_stats {
	uint64_t	opcnt64;	/* 6to4 of packets translated */
	uint64_t	opcnt46;	/* 4to6 of packets translated */
	uint64_t	ofrags;		/* number of fragments generated */
	uint64_t	ifrags;		/* number of fragments received */
	uint64_t	oerrors;	/* number of output errors */
	uint64_t	noroute4;	/* presumably: no IPv4 route for the
					 * translated packet -- confirm in
					 * the translator code */
	uint64_t	noroute6;	/* presumably: no IPv6 route -- confirm */
	uint64_t	noproto;	/* Protocol not supported */
	uint64_t	nomem;		/* mbuf allocation failed */
	uint64_t	dropped;	/* dropped due to some errors */
};
47d8caf56eSAndrey V. Elsukov 
/*
 * Counters of one nat64clat instance (the CLAT side of 464XLAT; see the
 * plat_prefix/clat_prefix members of ipfw_nat64clat_cfg).  Member for
 * member the same as ipfw_nat64stl_stats, so the same ABI caution
 * applies: append, never insert or reorder.
 */
struct ipfw_nat64clat_stats {
	uint64_t	opcnt64;	/* 6to4 of packets translated */
	uint64_t	opcnt46;	/* 4to6 of packets translated */
	uint64_t	ofrags;		/* number of fragments generated */
	uint64_t	ifrags;		/* number of fragments received */
	uint64_t	oerrors;	/* number of output errors */
	uint64_t	noroute4;	/* presumably: no IPv4 route for the
					 * translated packet -- confirm in
					 * the translator code */
	uint64_t	noroute6;	/* presumably: no IPv6 route -- confirm */
	uint64_t	noproto;	/* Protocol not supported */
	uint64_t	nomem;		/* mbuf allocation failed */
	uint64_t	dropped;	/* dropped due to some errors */
};
60*5c04f73eSAndrey V. Elsukov 
/*
 * Counters of one nat64lsn instance (stateful NAT64).  The first ten
 * members mirror ipfw_nat64stl_stats; the remaining groups cover the
 * job queue ("j*"), state/portgroup bookkeeping ("s*") and per-protocol
 * chunk counts.  _reserved keeps the struct size stable for future
 * counters.
 *
 * NOTE(review): whoever fills this struct should zero _reserved (and
 * every other member) before copying it to userland, so that no stale
 * kernel memory is exported -- confirm in the exporting code, which is
 * outside this header.
 */
struct ipfw_nat64lsn_stats {
	uint64_t	opcnt64;	/* 6to4 of packets translated */
	uint64_t	opcnt46;	/* 4to6 of packets translated */
	uint64_t	ofrags;		/* number of fragments generated */
	uint64_t	ifrags;		/* number of fragments received */
	uint64_t	oerrors;	/* number of output errors */
	uint64_t	noroute4;	/* presumably: no IPv4 route -- confirm */
	uint64_t	noroute6;	/* presumably: no IPv6 route -- confirm */
	uint64_t	noproto;	/* Protocol not supported */
	uint64_t	nomem;		/* mbuf allocation failed */
	uint64_t	dropped;	/* dropped due to some errors */

	/* Job queue: work deferred from the packet path to a handler. */
	uint64_t	nomatch4;	/* No addr/port match */
	uint64_t	jcalls;		/* Number of job handler calls */
	uint64_t	jrequests;	/* Number of job requests */
	uint64_t	jhostsreq;	/* Number of job host requests */
	uint64_t	jportreq;	/* Number of portgroup requests */
	uint64_t	jhostfails;	/* Number of failed host allocs */
	uint64_t	jportfails;	/* Number of failed portgroup allocs */
	uint64_t	jreinjected;	/* Number of packets reinjected to q */
	uint64_t	jmaxlen;	/* Max queue length reached (see
					 * NAT64LSN_JMAXLEN / cfg jmaxlen) */
	uint64_t	jnomem;		/* No memory to alloc queue item */

	/* Translation state bookkeeping. */
	uint64_t	screated;	/* Number of states created */
	uint64_t	sdeleted;	/* Number of states deleted */
	uint64_t	spgcreated;	/* Number of portgroups created */
	uint64_t	spgdeleted;	/* Number of portgroups deleted */
	uint64_t	hostcount;	/* Number of hosts  */
	uint64_t	tcpchunks;	/* Number of TCP chunks */
	uint64_t	udpchunks;	/* Number of UDP chunks */
	uint64_t	icmpchunks;	/* Number of ICMP chunks */

	uint64_t	_reserved[4];	/* room for future counters; keep zero */
};
95d8caf56eSAndrey V. Elsukov 
/*
 * Bits for the "flags" member of the *_cfg structures below (inferred
 * from naming -- confirm against the code that tests them).  Unknown
 * bits arriving from userland should be rejected by the kernel side.
 */
#define	NAT64_LOG		0x0001	/* Enable logging via BPF */
#define	NAT64_ALLOW_PRIVATE	0x0002	/* Allow private IPv4 address
					 * translation; when clear, private
					 * IPv4 addresses are presumably
					 * not translated -- confirm
					 */
/*
 * Configuration of a nat64stl instance, exchanged between ipfw(8) and
 * the kernel.  Nothing about the type itself guarantees sane contents:
 * NUL-termination of name, the plen6 range, set <= 31 and unknown flag
 * bits all have to be checked by the kernel's sockopt handler, which is
 * outside this header -- verify there.
 *
 * The tag name starts with '_' (reserved for the implementation at file
 * scope, C11 7.1.3); it is kept because it is part of the exported
 * interface.  ipfw_obj_ntlv comes from ip_fw.h, which includers must
 * pull in first.
 */
typedef struct _ipfw_nat64stl_cfg {
	char		name[64];	/* NAT name; not NUL-terminated by
					 * construction, bound every read	*/
	ipfw_obj_ntlv	ntlv6;		/* object name tlv (presumably the
					 * table for the IPv6 side)	*/
	ipfw_obj_ntlv	ntlv4;		/* object name tlv (presumably the
					 * table for the IPv4 side)	*/
	struct in6_addr	prefix6;	/* NAT64 prefix */
	uint8_t		plen6;		/* Prefix length (bits) of prefix6 */
	uint8_t		set;		/* Named instance set [0..31] */
	uint8_t		spare[2];	/* padding; keep zero */
	uint32_t	flags;		/* NAT64_* bits */
} ipfw_nat64stl_cfg;
110d8caf56eSAndrey V. Elsukov 
/*
 * Configuration of a nat64clat instance.  Two prefixes are involved:
 * the PLAT (provider-side NAT64) prefix and the CLAT (client-side)
 * prefix, each with its own length.  As with ipfw_nat64stl_cfg, range
 * checks on the prefix lengths, set and flags are the kernel's job and
 * live outside this header.
 */
typedef struct _ipfw_nat64clat_cfg {
	char		name[64];	/* NAT name; not NUL-terminated by
					 * construction, bound every read	*/
	struct in6_addr	plat_prefix;	/* NAT64 (PLAT) prefix */
	struct in6_addr	clat_prefix;	/* Client (CLAT) prefix */
	uint8_t		plat_plen;	/* PLAT Prefix length (bits) */
	uint8_t		clat_plen;	/* CLAT Prefix length (bits) */
	uint8_t		set;		/* Named instance set [0..31] */
	uint8_t		spare;		/* padding; keep zero */
	uint32_t	flags;		/* NAT64_* bits */
} ipfw_nat64clat_cfg;
121*5c04f73eSAndrey V. Elsukov 
/*
 * NAT64LSN default configuration values.  The *_AGE values appear to be
 * seconds (NAT64LSN_TCP_EST_AGE is spelled as 2 * 3600, i.e. two
 * hours) -- confirm against the code that consumes them.  They seed the
 * corresponding members of ipfw_nat64lsn_cfg below.
 */
#define	NAT64LSN_MAX_PORTS	2048	/* Max number of ports per host */
#define	NAT64LSN_JMAXLEN	2048	/* Max outstanding requests. */
#define	NAT64LSN_TCP_SYN_AGE	10	/* State's TTL after SYN received. */
#define	NAT64LSN_TCP_EST_AGE	(2 * 3600) /* TTL for established connection */
#define	NAT64LSN_TCP_FIN_AGE	180	/* State's TTL after FIN/RST received */
#define	NAT64LSN_UDP_AGE	120	/* TTL for UDP states */
#define	NAT64LSN_ICMP_AGE	60	/* TTL for ICMP states */
#define	NAT64LSN_HOST_AGE	3600	/* TTL for stale host entry */
#define	NAT64LSN_PG_AGE		900	/* TTL for stale ports groups */
134d8caf56eSAndrey V. Elsukov 
/*
 * Configuration of a nat64lsn (stateful) instance.  Note that flags sits
 * right after name here, unlike the stl/clat variants where it is the
 * last member -- the three cfg structs are not interchangeable.
 * Defaults for the sizing and TTL members are the NAT64LSN_* values
 * above.  Consistency checks (min_port <= max_port, plen4/plen6 within
 * address width, set <= 31, name termination) are assumed to be done by
 * the kernel sockopt handler outside this header -- verify there.
 */
typedef struct _ipfw_nat64lsn_cfg {
	char		name[64];	/* NAT name; not NUL-terminated by
					 * construction, bound every read	*/
	uint32_t	flags;		/* NAT64_* bits */
	uint32_t	max_ports;	/* Max ports per client */
	uint32_t	agg_prefix_len;	/* Prefix length to count */
	uint32_t	agg_prefix_max;	/* Max hosts per agg prefix */
	struct in_addr	prefix4;	/* IPv4 prefix, presumably the pool
					 * of alias addresses (cf. alias4 in
					 * ipfw_nat64lsn_stg) -- confirm */
	uint16_t	plen4;		/* Prefix length (bits) of prefix4 */
	uint16_t	plen6;		/* Prefix length (bits) of prefix6 */
	struct in6_addr	prefix6;	/* NAT64 prefix */
	uint32_t	jmaxlen;	/* Max jobqueue length */
	uint16_t	min_port;	/* Min port group # to use */
	uint16_t	max_port;	/* Max port group # to use */
	uint16_t	nh_delete_delay;/* Stale host delete delay */
	uint16_t	pg_delete_delay;/* Stale portgroup delete delay */
	uint16_t	st_syn_ttl;	/* TCP syn expire */
	uint16_t	st_close_ttl;	/* TCP fin expire */
	uint16_t	st_estab_ttl;	/* TCP established expire */
	uint16_t	st_udp_ttl;	/* UDP expire */
	uint16_t	st_icmp_ttl;	/* ICMP expire */
	uint8_t		set;		/* Named instance set [0..31] */
	uint8_t		spare;		/* padding; keep zero */
} ipfw_nat64lsn_cfg;
158d8caf56eSAndrey V. Elsukov 
/*
 * One exported nat64lsn translation state: the (daddr, dport) remote
 * side, the alias port the translator picked and the client's source
 * port.  Values of flags are not defined in this header; the unit of
 * idle (seconds since last use?) is not established here either.
 */
typedef struct _ipfw_nat64lsn_state {
	struct in_addr	daddr;		/* Remote IPv4 address */
	uint16_t	dport;		/* Remote destination port */
	uint16_t	aport;		/* Local alias port */
	uint16_t	sport;		/* Source port */
	uint8_t		flags;		/* State flags (values defined elsewhere) */
	uint8_t		spare[3];	/* padding; keep zero */
	uint16_t	idle;		/* Last used time (unit not stated here) */
} ipfw_nat64lsn_state;
168d8caf56eSAndrey V. Elsukov 
/*
 * Header of a group of exported nat64lsn states: the bound IPv6 host,
 * the IPv4 alias and protocol they map to, and how many
 * ipfw_nat64lsn_state entries follow (count).  next_idx presumably lets
 * a userland reader resume a paged listing -- confirm in the
 * export/list code.
 */
typedef struct _ipfw_nat64lsn_stg {
	uint64_t	next_idx;	/* next state index */
	struct in_addr	alias4;		/* IPv4 alias address */
	uint8_t		proto;		/* protocol */
	uint8_t		flags;		/* group flags (values not defined here) */
	uint16_t	spare;		/* padding; keep zero */
	struct in6_addr	host6;		/* Bound IPv6 host */
	uint32_t	count;		/* Number of states */
	uint32_t	spare2;		/* padding; keep zero */
} ipfw_nat64lsn_stg;
179d8caf56eSAndrey V. Elsukov 
180d8caf56eSAndrey V. Elsukov #endif /* _NETINET6_IP_FW_NAT64_H_ */
181d8caf56eSAndrey V. Elsukov 