xref: /freebsd/sys/netpfil/ipfw/ip_fw_nat.c (revision e95923a2288fb2845c7be4822b1b92b2fc106d18)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2008 Paolo Pisati
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
31 
32 #include <sys/param.h>
33 #include <sys/systm.h>
34 #include <sys/eventhandler.h>
35 #include <sys/malloc.h>
36 #include <sys/mbuf.h>
37 #include <sys/kernel.h>
38 #include <sys/lock.h>
39 #include <sys/module.h>
40 #include <sys/rwlock.h>
41 #include <sys/rmlock.h>
42 
43 #include <netinet/libalias/alias.h>
44 #include <netinet/libalias/alias_local.h>
45 
46 #include <net/if.h>
47 #include <net/if_var.h>
48 #include <netinet/in.h>
49 #include <netinet/ip.h>
50 #include <netinet/ip_var.h>
51 #include <netinet/ip_fw.h>
52 #include <netinet/tcp.h>
53 #include <netinet/udp.h>
54 
55 #include <netpfil/ipfw/ip_fw_private.h>
56 
57 #include <machine/in_cksum.h>	/* XXX for in_cksum */
58 
59 struct cfg_spool {
60 	LIST_ENTRY(cfg_spool)   _next;          /* chain of spool instances */
61 	struct in_addr          addr;
62 	uint16_t		port;
63 };
64 
65 /* Nat redirect configuration. */
66 struct cfg_redir {
67 	LIST_ENTRY(cfg_redir)	_next;	/* chain of redir instances */
68 	uint16_t		mode;	/* type of redirect mode */
69 	uint16_t		proto;	/* protocol: tcp/udp */
70 	struct in_addr		laddr;	/* local ip address */
71 	struct in_addr		paddr;	/* public ip address */
72 	struct in_addr		raddr;	/* remote ip address */
73 	uint16_t		lport;	/* local port */
74 	uint16_t		pport;	/* public port */
75 	uint16_t		rport;	/* remote port	*/
76 	uint16_t		pport_cnt;	/* number of public ports */
77 	uint16_t		rport_cnt;	/* number of remote ports */
78 	struct alias_link	**alink;
79 	u_int16_t		spool_cnt; /* num of entry in spool chain */
80 	/* chain of spool instances */
81 	LIST_HEAD(spool_chain, cfg_spool) spool_chain;
82 };
83 
84 /* Nat configuration data struct. */
85 struct cfg_nat {
86 	/* chain of nat instances */
87 	LIST_ENTRY(cfg_nat)	_next;
88 	int			id;		/* nat id  */
89 	struct in_addr		ip;		/* nat ip address */
90 	struct libalias		*lib;		/* libalias instance */
91 	int			mode;		/* aliasing mode */
92 	int			redir_cnt; /* number of entry in spool chain */
93 	/* chain of redir instances */
94 	LIST_HEAD(redir_chain, cfg_redir) redir_chain;
95 	char			if_name[IF_NAMESIZE];	/* interface name */
96 };
97 
98 static eventhandler_tag ifaddr_event_tag;
99 
100 static void
101 ifaddr_change(void *arg __unused, struct ifnet *ifp)
102 {
103 	struct cfg_nat *ptr;
104 	struct ifaddr *ifa;
105 	struct ip_fw_chain *chain;
106 
107 	KASSERT(curvnet == ifp->if_vnet,
108 	    ("curvnet(%p) differs from iface vnet(%p)", curvnet, ifp->if_vnet));
109 
110 	if (V_ipfw_vnet_ready == 0 || V_ipfw_nat_ready == 0)
111 		return;
112 
113 	chain = &V_layer3_chain;
114 	IPFW_UH_WLOCK(chain);
115 	/* Check every nat entry... */
116 	LIST_FOREACH(ptr, &chain->nat, _next) {
117 		/* ...using nic 'ifp->if_xname' as dynamic alias address. */
118 		if (strncmp(ptr->if_name, ifp->if_xname, IF_NAMESIZE) != 0)
119 			continue;
120 		if_addr_rlock(ifp);
121 		CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
122 			if (ifa->ifa_addr == NULL)
123 				continue;
124 			if (ifa->ifa_addr->sa_family != AF_INET)
125 				continue;
126 			IPFW_WLOCK(chain);
127 			ptr->ip = ((struct sockaddr_in *)
128 			    (ifa->ifa_addr))->sin_addr;
129 			LibAliasSetAddress(ptr->lib, ptr->ip);
130 			IPFW_WUNLOCK(chain);
131 		}
132 		if_addr_runlock(ifp);
133 	}
134 	IPFW_UH_WUNLOCK(chain);
135 }
136 
137 /*
138  * delete the pointers for nat entry ix, or all of them if ix < 0
139  */
140 static void
141 flush_nat_ptrs(struct ip_fw_chain *chain, const int ix)
142 {
143 	int i;
144 	ipfw_insn_nat *cmd;
145 
146 	IPFW_WLOCK_ASSERT(chain);
147 	for (i = 0; i < chain->n_rules; i++) {
148 		cmd = (ipfw_insn_nat *)ACTION_PTR(chain->map[i]);
149 		/* XXX skip log and the like ? */
150 		if (cmd->o.opcode == O_NAT && cmd->nat != NULL &&
151 			    (ix < 0 || cmd->nat->id == ix))
152 			cmd->nat = NULL;
153 	}
154 }
155 
156 static void
157 del_redir_spool_cfg(struct cfg_nat *n, struct redir_chain *head)
158 {
159 	struct cfg_redir *r, *tmp_r;
160 	struct cfg_spool *s, *tmp_s;
161 	int i, num;
162 
163 	LIST_FOREACH_SAFE(r, head, _next, tmp_r) {
164 		num = 1; /* Number of alias_link to delete. */
165 		switch (r->mode) {
166 		case NAT44_REDIR_PORT:
167 			num = r->pport_cnt;
168 			/* FALLTHROUGH */
169 		case NAT44_REDIR_ADDR:
170 		case NAT44_REDIR_PROTO:
171 			/* Delete all libalias redirect entry. */
172 			for (i = 0; i < num; i++)
173 				LibAliasRedirectDelete(n->lib, r->alink[i]);
174 			/* Del spool cfg if any. */
175 			LIST_FOREACH_SAFE(s, &r->spool_chain, _next, tmp_s) {
176 				LIST_REMOVE(s, _next);
177 				free(s, M_IPFW);
178 			}
179 			free(r->alink, M_IPFW);
180 			LIST_REMOVE(r, _next);
181 			free(r, M_IPFW);
182 			break;
183 		default:
184 			printf("unknown redirect mode: %u\n", r->mode);
185 			/* XXX - panic?!?!? */
186 			break;
187 		}
188 	}
189 }
190 
191 static int
192 add_redir_spool_cfg(char *buf, struct cfg_nat *ptr)
193 {
194 	struct cfg_redir *r;
195 	struct cfg_spool *s;
196 	struct nat44_cfg_redir *ser_r;
197 	struct nat44_cfg_spool *ser_s;
198 
199 	int cnt, off, i;
200 
201 	for (cnt = 0, off = 0; cnt < ptr->redir_cnt; cnt++) {
202 		ser_r = (struct nat44_cfg_redir *)&buf[off];
203 		r = malloc(sizeof(*r), M_IPFW, M_WAITOK | M_ZERO);
204 		r->mode = ser_r->mode;
205 		r->laddr = ser_r->laddr;
206 		r->paddr = ser_r->paddr;
207 		r->raddr = ser_r->raddr;
208 		r->lport = ser_r->lport;
209 		r->pport = ser_r->pport;
210 		r->rport = ser_r->rport;
211 		r->pport_cnt = ser_r->pport_cnt;
212 		r->rport_cnt = ser_r->rport_cnt;
213 		r->proto = ser_r->proto;
214 		r->spool_cnt = ser_r->spool_cnt;
215 		//memcpy(r, ser_r, SOF_REDIR);
216 		LIST_INIT(&r->spool_chain);
217 		off += sizeof(struct nat44_cfg_redir);
218 		r->alink = malloc(sizeof(struct alias_link *) * r->pport_cnt,
219 		    M_IPFW, M_WAITOK | M_ZERO);
220 		switch (r->mode) {
221 		case NAT44_REDIR_ADDR:
222 			r->alink[0] = LibAliasRedirectAddr(ptr->lib, r->laddr,
223 			    r->paddr);
224 			break;
225 		case NAT44_REDIR_PORT:
226 			for (i = 0 ; i < r->pport_cnt; i++) {
227 				/* If remotePort is all ports, set it to 0. */
228 				u_short remotePortCopy = r->rport + i;
229 				if (r->rport_cnt == 1 && r->rport == 0)
230 					remotePortCopy = 0;
231 				r->alink[i] = LibAliasRedirectPort(ptr->lib,
232 				    r->laddr, htons(r->lport + i), r->raddr,
233 				    htons(remotePortCopy), r->paddr,
234 				    htons(r->pport + i), r->proto);
235 				if (r->alink[i] == NULL) {
236 					r->alink[0] = NULL;
237 					break;
238 				}
239 			}
240 			break;
241 		case NAT44_REDIR_PROTO:
242 			r->alink[0] = LibAliasRedirectProto(ptr->lib ,r->laddr,
243 			    r->raddr, r->paddr, r->proto);
244 			break;
245 		default:
246 			printf("unknown redirect mode: %u\n", r->mode);
247 			break;
248 		}
249 		if (r->alink[0] == NULL) {
250 			printf("LibAliasRedirect* returned NULL\n");
251 			free(r->alink, M_IPFW);
252 			free(r, M_IPFW);
253 			return (EINVAL);
254 		}
255 		/* LSNAT handling. */
256 		for (i = 0; i < r->spool_cnt; i++) {
257 			ser_s = (struct nat44_cfg_spool *)&buf[off];
258 			s = malloc(sizeof(*s), M_IPFW, M_WAITOK | M_ZERO);
259 			s->addr = ser_s->addr;
260 			s->port = ser_s->port;
261 			LibAliasAddServer(ptr->lib, r->alink[0],
262 			    s->addr, htons(s->port));
263 			off += sizeof(struct nat44_cfg_spool);
264 			/* Hook spool entry. */
265 			LIST_INSERT_HEAD(&r->spool_chain, s, _next);
266 		}
267 		/* And finally hook this redir entry. */
268 		LIST_INSERT_HEAD(&ptr->redir_chain, r, _next);
269 	}
270 
271 	return (0);
272 }
273 
274 static void
275 free_nat_instance(struct cfg_nat *ptr)
276 {
277 
278 	del_redir_spool_cfg(ptr, &ptr->redir_chain);
279 	LibAliasUninit(ptr->lib);
280 	free(ptr, M_IPFW);
281 }
282 
283 
284 /*
285  * ipfw_nat - perform mbuf header translation.
286  *
287  * Note V_layer3_chain has to be locked while calling ipfw_nat() in
288  * 'global' operation mode (t == NULL).
289  *
290  */
291 static int
292 ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m)
293 {
294 	struct mbuf *mcl;
295 	struct ip *ip;
296 	/* XXX - libalias duct tape */
297 	int ldt, retval, found;
298 	struct ip_fw_chain *chain;
299 	char *c;
300 
301 	ldt = 0;
302 	retval = 0;
303 	mcl = m_megapullup(m, m->m_pkthdr.len);
304 	if (mcl == NULL) {
305 		args->m = NULL;
306 		return (IP_FW_DENY);
307 	}
308 	ip = mtod(mcl, struct ip *);
309 
310 	/*
311 	 * XXX - Libalias checksum offload 'duct tape':
312 	 *
313 	 * locally generated packets have only pseudo-header checksum
314 	 * calculated and libalias will break it[1], so mark them for
315 	 * later fix.  Moreover there are cases when libalias modifies
316 	 * tcp packet data[2], mark them for later fix too.
317 	 *
318 	 * [1] libalias was never meant to run in kernel, so it does
319 	 * not have any knowledge about checksum offloading, and
320 	 * expects a packet with a full internet checksum.
321 	 * Unfortunately, packets generated locally will have just the
322 	 * pseudo header calculated, and when libalias tries to adjust
323 	 * the checksum it will actually compute a wrong value.
324 	 *
325 	 * [2] when libalias modifies tcp's data content, full TCP
326 	 * checksum has to be recomputed: the problem is that
327 	 * libalias does not have any idea about checksum offloading.
328 	 * To work around this, we do not do checksumming in LibAlias,
329 	 * but only mark the packets in th_x2 field. If we receive a
330 	 * marked packet, we calculate correct checksum for it
331 	 * aware of offloading.  Why such a terrible hack instead of
332 	 * recalculating checksum for each packet?
333 	 * Because the previous checksum was not checked!
334 	 * Recalculating checksums for EVERY packet will hide ALL
335 	 * transmission errors. Yes, marked packets still suffer from
336 	 * this problem. But, sigh, natd(8) has this problem, too.
337 	 *
338 	 * TODO: -make libalias mbuf aware (so
339 	 * it can handle delayed checksum and tso)
340 	 */
341 
342 	if (mcl->m_pkthdr.rcvif == NULL &&
343 	    mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA)
344 		ldt = 1;
345 
346 	c = mtod(mcl, char *);
347 
348 	/* Check if this is 'global' instance */
349 	if (t == NULL) {
350 		if (args->flags & IPFW_ARGS_IN) {
351 			/* Wrong direction, skip processing */
352 			args->m = mcl;
353 			return (IP_FW_NAT);
354 		}
355 
356 		found = 0;
357 		chain = &V_layer3_chain;
358 		IPFW_RLOCK_ASSERT(chain);
359 		/* Check every nat entry... */
360 		LIST_FOREACH(t, &chain->nat, _next) {
361 			if ((t->mode & PKT_ALIAS_SKIP_GLOBAL) != 0)
362 				continue;
363 			retval = LibAliasOutTry(t->lib, c,
364 			    mcl->m_len + M_TRAILINGSPACE(mcl), 0);
365 			if (retval == PKT_ALIAS_OK) {
366 				/* Nat instance recognises state */
367 				found = 1;
368 				break;
369 			}
370 		}
371 		if (found != 1) {
372 			/* No instance found, return ignore */
373 			args->m = mcl;
374 			return (IP_FW_NAT);
375 		}
376 	} else {
377 		if (args->flags & IPFW_ARGS_IN)
378 			retval = LibAliasIn(t->lib, c,
379 				mcl->m_len + M_TRAILINGSPACE(mcl));
380 		else
381 			retval = LibAliasOut(t->lib, c,
382 				mcl->m_len + M_TRAILINGSPACE(mcl));
383 	}
384 
385 	/*
386 	 * We drop packet when:
387 	 * 1. libalias returns PKT_ALIAS_ERROR;
388 	 * 2. For incoming packets:
389 	 *	a) for unresolved fragments;
390 	 *	b) libalias returns PKT_ALIAS_IGNORED and
391 	 *		PKT_ALIAS_DENY_INCOMING flag is set.
392 	 */
393 	if (retval == PKT_ALIAS_ERROR ||
394 	    ((args->flags & IPFW_ARGS_IN) &&
395 	    (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
396 	    (retval == PKT_ALIAS_IGNORED &&
397 	    (t->mode & PKT_ALIAS_DENY_INCOMING) != 0)))) {
398 		/* XXX - should i add some logging? */
399 		m_free(mcl);
400 		args->m = NULL;
401 		return (IP_FW_DENY);
402 	}
403 
404 	if (retval == PKT_ALIAS_RESPOND)
405 		mcl->m_flags |= M_SKIP_FIREWALL;
406 	mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len);
407 
408 	/*
409 	 * XXX - libalias checksum offload
410 	 * 'duct tape' (see above)
411 	 */
412 
413 	if ((ip->ip_off & htons(IP_OFFMASK)) == 0 &&
414 	    ip->ip_p == IPPROTO_TCP) {
415 		struct tcphdr 	*th;
416 
417 		th = (struct tcphdr *)(ip + 1);
418 		if (th->th_x2)
419 			ldt = 1;
420 	}
421 
422 	if (ldt) {
423 		struct tcphdr 	*th;
424 		struct udphdr 	*uh;
425 		uint16_t ip_len, cksum;
426 
427 		ip_len = ntohs(ip->ip_len);
428 		cksum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
429 		    htons(ip->ip_p + ip_len - (ip->ip_hl << 2)));
430 
431 		switch (ip->ip_p) {
432 		case IPPROTO_TCP:
433 			th = (struct tcphdr *)(ip + 1);
434 			/*
435 			 * Maybe it was set in
436 			 * libalias...
437 			 */
438 			th->th_x2 = 0;
439 			th->th_sum = cksum;
440 			mcl->m_pkthdr.csum_data =
441 			    offsetof(struct tcphdr, th_sum);
442 			break;
443 		case IPPROTO_UDP:
444 			uh = (struct udphdr *)(ip + 1);
445 			uh->uh_sum = cksum;
446 			mcl->m_pkthdr.csum_data =
447 			    offsetof(struct udphdr, uh_sum);
448 			break;
449 		}
450 		/* No hw checksum offloading: do it ourselves */
451 		if ((mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) == 0) {
452 			in_delayed_cksum(mcl);
453 			mcl->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
454 		}
455 	}
456 	args->m = mcl;
457 	return (IP_FW_NAT);
458 }
459 
460 static struct cfg_nat *
461 lookup_nat(struct nat_list *l, int nat_id)
462 {
463 	struct cfg_nat *res;
464 
465 	LIST_FOREACH(res, l, _next) {
466 		if (res->id == nat_id)
467 			break;
468 	}
469 	return res;
470 }
471 
472 static struct cfg_nat *
473 lookup_nat_name(struct nat_list *l, char *name)
474 {
475 	struct cfg_nat *res;
476 	int id;
477 	char *errptr;
478 
479 	id = strtol(name, &errptr, 10);
480 	if (id == 0 || *errptr != '\0')
481 		return (NULL);
482 
483 	LIST_FOREACH(res, l, _next) {
484 		if (res->id == id)
485 			break;
486 	}
487 	return (res);
488 }
489 
490 /* IP_FW3 configuration routines */
491 
492 static void
493 nat44_config(struct ip_fw_chain *chain, struct nat44_cfg_nat *ucfg)
494 {
495 	struct cfg_nat *ptr, *tcfg;
496 	int gencnt;
497 
498 	/*
499 	 * Find/create nat rule.
500 	 */
501 	IPFW_UH_WLOCK(chain);
502 	gencnt = chain->gencnt;
503 	ptr = lookup_nat_name(&chain->nat, ucfg->name);
504 	if (ptr == NULL) {
505 		IPFW_UH_WUNLOCK(chain);
506 		/* New rule: allocate and init new instance. */
507 		ptr = malloc(sizeof(struct cfg_nat), M_IPFW, M_WAITOK | M_ZERO);
508 		ptr->lib = LibAliasInit(NULL);
509 		LIST_INIT(&ptr->redir_chain);
510 	} else {
511 		/* Entry already present: temporarily unhook it. */
512 		IPFW_WLOCK(chain);
513 		LIST_REMOVE(ptr, _next);
514 		flush_nat_ptrs(chain, ptr->id);
515 		IPFW_WUNLOCK(chain);
516 		IPFW_UH_WUNLOCK(chain);
517 	}
518 
519 	/*
520 	 * Basic nat (re)configuration.
521 	 */
522 	ptr->id = strtol(ucfg->name, NULL, 10);
523 	/*
524 	 * XXX - what if this rule doesn't nat any ip and just
525 	 * redirect?
526 	 * do we set aliasaddress to 0.0.0.0?
527 	 */
528 	ptr->ip = ucfg->ip;
529 	ptr->redir_cnt = ucfg->redir_cnt;
530 	ptr->mode = ucfg->mode;
531 	strlcpy(ptr->if_name, ucfg->if_name, sizeof(ptr->if_name));
532 	LibAliasSetMode(ptr->lib, ptr->mode, ~0);
533 	LibAliasSetAddress(ptr->lib, ptr->ip);
534 
535 	/*
536 	 * Redir and LSNAT configuration.
537 	 */
538 	/* Delete old cfgs. */
539 	del_redir_spool_cfg(ptr, &ptr->redir_chain);
540 	/* Add new entries. */
541 	add_redir_spool_cfg((char *)(ucfg + 1), ptr);
542 	IPFW_UH_WLOCK(chain);
543 
544 	/* Extra check to avoid race with another ipfw_nat_cfg() */
545 	tcfg = NULL;
546 	if (gencnt != chain->gencnt)
547 	    tcfg = lookup_nat_name(&chain->nat, ucfg->name);
548 	IPFW_WLOCK(chain);
549 	if (tcfg != NULL)
550 		LIST_REMOVE(tcfg, _next);
551 	LIST_INSERT_HEAD(&chain->nat, ptr, _next);
552 	IPFW_WUNLOCK(chain);
553 	chain->gencnt++;
554 
555 	IPFW_UH_WUNLOCK(chain);
556 
557 	if (tcfg != NULL)
558 		free_nat_instance(ptr);
559 }
560 
561 /*
562  * Creates/configure nat44 instance
563  * Data layout (v0)(current):
564  * Request: [ ipfw_obj_header nat44_cfg_nat .. ]
565  *
566  * Returns 0 on success
567  */
568 static int
569 nat44_cfg(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
570     struct sockopt_data *sd)
571 {
572 	ipfw_obj_header *oh;
573 	struct nat44_cfg_nat *ucfg;
574 	int id;
575 	size_t read;
576 	char *errptr;
577 
578 	/* Check minimum header size */
579 	if (sd->valsize < (sizeof(*oh) + sizeof(*ucfg)))
580 		return (EINVAL);
581 
582 	oh = (ipfw_obj_header *)sd->kbuf;
583 
584 	/* Basic length checks for TLVs */
585 	if (oh->ntlv.head.length != sizeof(oh->ntlv))
586 		return (EINVAL);
587 
588 	ucfg = (struct nat44_cfg_nat *)(oh + 1);
589 
590 	/* Check if name is properly terminated and looks like number */
591 	if (strnlen(ucfg->name, sizeof(ucfg->name)) == sizeof(ucfg->name))
592 		return (EINVAL);
593 	id = strtol(ucfg->name, &errptr, 10);
594 	if (id == 0 || *errptr != '\0')
595 		return (EINVAL);
596 
597 	read = sizeof(*oh) + sizeof(*ucfg);
598 	/* Check number of redirs */
599 	if (sd->valsize < read + ucfg->redir_cnt*sizeof(struct nat44_cfg_redir))
600 		return (EINVAL);
601 
602 	nat44_config(chain, ucfg);
603 	return (0);
604 }
605 
606 /*
607  * Destroys given nat instances.
608  * Data layout (v0)(current):
609  * Request: [ ipfw_obj_header ]
610  *
611  * Returns 0 on success
612  */
613 static int
614 nat44_destroy(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
615     struct sockopt_data *sd)
616 {
617 	ipfw_obj_header *oh;
618 	struct cfg_nat *ptr;
619 	ipfw_obj_ntlv *ntlv;
620 
621 	/* Check minimum header size */
622 	if (sd->valsize < sizeof(*oh))
623 		return (EINVAL);
624 
625 	oh = (ipfw_obj_header *)sd->kbuf;
626 
627 	/* Basic length checks for TLVs */
628 	if (oh->ntlv.head.length != sizeof(oh->ntlv))
629 		return (EINVAL);
630 
631 	ntlv = &oh->ntlv;
632 	/* Check if name is properly terminated */
633 	if (strnlen(ntlv->name, sizeof(ntlv->name)) == sizeof(ntlv->name))
634 		return (EINVAL);
635 
636 	IPFW_UH_WLOCK(chain);
637 	ptr = lookup_nat_name(&chain->nat, ntlv->name);
638 	if (ptr == NULL) {
639 		IPFW_UH_WUNLOCK(chain);
640 		return (ESRCH);
641 	}
642 	IPFW_WLOCK(chain);
643 	LIST_REMOVE(ptr, _next);
644 	flush_nat_ptrs(chain, ptr->id);
645 	IPFW_WUNLOCK(chain);
646 	IPFW_UH_WUNLOCK(chain);
647 
648 	free_nat_instance(ptr);
649 
650 	return (0);
651 }
652 
653 static void
654 export_nat_cfg(struct cfg_nat *ptr, struct nat44_cfg_nat *ucfg)
655 {
656 
657 	snprintf(ucfg->name, sizeof(ucfg->name), "%d", ptr->id);
658 	ucfg->ip = ptr->ip;
659 	ucfg->redir_cnt = ptr->redir_cnt;
660 	ucfg->mode = ptr->mode;
661 	strlcpy(ucfg->if_name, ptr->if_name, sizeof(ucfg->if_name));
662 }
663 
664 /*
665  * Gets config for given nat instance
666  * Data layout (v0)(current):
667  * Request: [ ipfw_obj_header nat44_cfg_nat .. ]
668  *
669  * Returns 0 on success
670  */
671 static int
672 nat44_get_cfg(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
673     struct sockopt_data *sd)
674 {
675 	ipfw_obj_header *oh;
676 	struct nat44_cfg_nat *ucfg;
677 	struct cfg_nat *ptr;
678 	struct cfg_redir *r;
679 	struct cfg_spool *s;
680 	struct nat44_cfg_redir *ser_r;
681 	struct nat44_cfg_spool *ser_s;
682 	size_t sz;
683 
684 	sz = sizeof(*oh) + sizeof(*ucfg);
685 	/* Check minimum header size */
686 	if (sd->valsize < sz)
687 		return (EINVAL);
688 
689 	oh = (struct _ipfw_obj_header *)ipfw_get_sopt_header(sd, sz);
690 
691 	/* Basic length checks for TLVs */
692 	if (oh->ntlv.head.length != sizeof(oh->ntlv))
693 		return (EINVAL);
694 
695 	ucfg = (struct nat44_cfg_nat *)(oh + 1);
696 
697 	/* Check if name is properly terminated */
698 	if (strnlen(ucfg->name, sizeof(ucfg->name)) == sizeof(ucfg->name))
699 		return (EINVAL);
700 
701 	IPFW_UH_RLOCK(chain);
702 	ptr = lookup_nat_name(&chain->nat, ucfg->name);
703 	if (ptr == NULL) {
704 		IPFW_UH_RUNLOCK(chain);
705 		return (ESRCH);
706 	}
707 
708 	export_nat_cfg(ptr, ucfg);
709 
710 	/* Estimate memory amount */
711 	sz = sizeof(ipfw_obj_header) + sizeof(struct nat44_cfg_nat);
712 	LIST_FOREACH(r, &ptr->redir_chain, _next) {
713 		sz += sizeof(struct nat44_cfg_redir);
714 		LIST_FOREACH(s, &r->spool_chain, _next)
715 			sz += sizeof(struct nat44_cfg_spool);
716 	}
717 
718 	ucfg->size = sz;
719 	if (sd->valsize < sz) {
720 
721 		/*
722 		 * Submitted buffer size is not enough.
723 		 * WE've already filled in @ucfg structure with
724 		 * relevant info including size, so we
725 		 * can return. Buffer will be flushed automatically.
726 		 */
727 		IPFW_UH_RUNLOCK(chain);
728 		return (ENOMEM);
729 	}
730 
731 	/* Size OK, let's copy data */
732 	LIST_FOREACH(r, &ptr->redir_chain, _next) {
733 		ser_r = (struct nat44_cfg_redir *)ipfw_get_sopt_space(sd,
734 		    sizeof(*ser_r));
735 		ser_r->mode = r->mode;
736 		ser_r->laddr = r->laddr;
737 		ser_r->paddr = r->paddr;
738 		ser_r->raddr = r->raddr;
739 		ser_r->lport = r->lport;
740 		ser_r->pport = r->pport;
741 		ser_r->rport = r->rport;
742 		ser_r->pport_cnt = r->pport_cnt;
743 		ser_r->rport_cnt = r->rport_cnt;
744 		ser_r->proto = r->proto;
745 		ser_r->spool_cnt = r->spool_cnt;
746 
747 		LIST_FOREACH(s, &r->spool_chain, _next) {
748 			ser_s = (struct nat44_cfg_spool *)ipfw_get_sopt_space(
749 			    sd, sizeof(*ser_s));
750 
751 			ser_s->addr = s->addr;
752 			ser_s->port = s->port;
753 		}
754 	}
755 
756 	IPFW_UH_RUNLOCK(chain);
757 
758 	return (0);
759 }
760 
761 /*
762  * Lists all nat44 instances currently available in kernel.
763  * Data layout (v0)(current):
764  * Request: [ ipfw_obj_lheader ]
765  * Reply: [ ipfw_obj_lheader nat44_cfg_nat x N ]
766  *
767  * Returns 0 on success
768  */
769 static int
770 nat44_list_nat(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
771     struct sockopt_data *sd)
772 {
773 	ipfw_obj_lheader *olh;
774 	struct nat44_cfg_nat *ucfg;
775 	struct cfg_nat *ptr;
776 	int nat_count;
777 
778 	/* Check minimum header size */
779 	if (sd->valsize < sizeof(ipfw_obj_lheader))
780 		return (EINVAL);
781 
782 	olh = (ipfw_obj_lheader *)ipfw_get_sopt_header(sd, sizeof(*olh));
783 	IPFW_UH_RLOCK(chain);
784 	nat_count = 0;
785 	LIST_FOREACH(ptr, &chain->nat, _next)
786 		nat_count++;
787 
788 	olh->count = nat_count;
789 	olh->objsize = sizeof(struct nat44_cfg_nat);
790 	olh->size = sizeof(*olh) + olh->count * olh->objsize;
791 
792 	if (sd->valsize < olh->size) {
793 		IPFW_UH_RUNLOCK(chain);
794 		return (ENOMEM);
795 	}
796 
797 	LIST_FOREACH(ptr, &chain->nat, _next) {
798 		ucfg = (struct nat44_cfg_nat *)ipfw_get_sopt_space(sd,
799 		    sizeof(*ucfg));
800 		export_nat_cfg(ptr, ucfg);
801 	}
802 
803 	IPFW_UH_RUNLOCK(chain);
804 
805 	return (0);
806 }
807 
808 /*
809  * Gets log for given nat instance
810  * Data layout (v0)(current):
811  * Request: [ ipfw_obj_header nat44_cfg_nat ]
812  * Reply: [ ipfw_obj_header nat44_cfg_nat LOGBUFFER ]
813  *
814  * Returns 0 on success
815  */
816 static int
817 nat44_get_log(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
818     struct sockopt_data *sd)
819 {
820 	ipfw_obj_header *oh;
821 	struct nat44_cfg_nat *ucfg;
822 	struct cfg_nat *ptr;
823 	void *pbuf;
824 	size_t sz;
825 
826 	sz = sizeof(*oh) + sizeof(*ucfg);
827 	/* Check minimum header size */
828 	if (sd->valsize < sz)
829 		return (EINVAL);
830 
831 	oh = (struct _ipfw_obj_header *)ipfw_get_sopt_header(sd, sz);
832 
833 	/* Basic length checks for TLVs */
834 	if (oh->ntlv.head.length != sizeof(oh->ntlv))
835 		return (EINVAL);
836 
837 	ucfg = (struct nat44_cfg_nat *)(oh + 1);
838 
839 	/* Check if name is properly terminated */
840 	if (strnlen(ucfg->name, sizeof(ucfg->name)) == sizeof(ucfg->name))
841 		return (EINVAL);
842 
843 	IPFW_UH_RLOCK(chain);
844 	ptr = lookup_nat_name(&chain->nat, ucfg->name);
845 	if (ptr == NULL) {
846 		IPFW_UH_RUNLOCK(chain);
847 		return (ESRCH);
848 	}
849 
850 	if (ptr->lib->logDesc == NULL) {
851 		IPFW_UH_RUNLOCK(chain);
852 		return (ENOENT);
853 	}
854 
855 	export_nat_cfg(ptr, ucfg);
856 
857 	/* Estimate memory amount */
858 	ucfg->size = sizeof(struct nat44_cfg_nat) + LIBALIAS_BUF_SIZE;
859 	if (sd->valsize < sz + sizeof(*oh)) {
860 
861 		/*
862 		 * Submitted buffer size is not enough.
863 		 * WE've already filled in @ucfg structure with
864 		 * relevant info including size, so we
865 		 * can return. Buffer will be flushed automatically.
866 		 */
867 		IPFW_UH_RUNLOCK(chain);
868 		return (ENOMEM);
869 	}
870 
871 	pbuf = (void *)ipfw_get_sopt_space(sd, LIBALIAS_BUF_SIZE);
872 	memcpy(pbuf, ptr->lib->logDesc, LIBALIAS_BUF_SIZE);
873 
874 	IPFW_UH_RUNLOCK(chain);
875 
876 	return (0);
877 }
878 
879 static struct ipfw_sopt_handler	scodes[] = {
880 	{ IP_FW_NAT44_XCONFIG,	0,	HDIR_SET,	nat44_cfg },
881 	{ IP_FW_NAT44_DESTROY,	0,	HDIR_SET,	nat44_destroy },
882 	{ IP_FW_NAT44_XGETCONFIG,	0,	HDIR_GET,	nat44_get_cfg },
883 	{ IP_FW_NAT44_LIST_NAT,	0,	HDIR_GET,	nat44_list_nat },
884 	{ IP_FW_NAT44_XGETLOG,	0,	HDIR_GET,	nat44_get_log },
885 };
886 
887 
888 /*
889  * Legacy configuration routines
890  */
891 
892 struct cfg_spool_legacy {
893 	LIST_ENTRY(cfg_spool_legacy)	_next;
894 	struct in_addr			addr;
895 	u_short				port;
896 };
897 
898 struct cfg_redir_legacy {
899 	LIST_ENTRY(cfg_redir)   _next;
900 	u_int16_t               mode;
901 	struct in_addr	        laddr;
902 	struct in_addr	        paddr;
903 	struct in_addr	        raddr;
904 	u_short                 lport;
905 	u_short                 pport;
906 	u_short                 rport;
907 	u_short                 pport_cnt;
908 	u_short                 rport_cnt;
909 	int                     proto;
910 	struct alias_link       **alink;
911 	u_int16_t               spool_cnt;
912 	LIST_HEAD(, cfg_spool_legacy) spool_chain;
913 };
914 
915 struct cfg_nat_legacy {
916 	LIST_ENTRY(cfg_nat_legacy)	_next;
917 	int				id;
918 	struct in_addr			ip;
919 	char				if_name[IF_NAMESIZE];
920 	int				mode;
921 	struct libalias			*lib;
922 	int				redir_cnt;
923 	LIST_HEAD(, cfg_redir_legacy)	redir_chain;
924 };
925 
926 static int
927 ipfw_nat_cfg(struct sockopt *sopt)
928 {
929 	struct cfg_nat_legacy *cfg;
930 	struct nat44_cfg_nat *ucfg;
931 	struct cfg_redir_legacy *rdir;
932 	struct nat44_cfg_redir *urdir;
933 	char *buf;
934 	size_t len, len2;
935 	int error, i;
936 
937 	len = sopt->sopt_valsize;
938 	len2 = len + 128;
939 
940 	/*
941 	 * Allocate 2x buffer to store converted structures.
942 	 * new redir_cfg has shrunk, so we're sure that
943 	 * new buffer size is enough.
944 	 */
945 	buf = malloc(roundup2(len, 8) + len2, M_TEMP, M_WAITOK | M_ZERO);
946 	error = sooptcopyin(sopt, buf, len, sizeof(struct cfg_nat_legacy));
947 	if (error != 0)
948 		goto out;
949 
950 	cfg = (struct cfg_nat_legacy *)buf;
951 	if (cfg->id < 0) {
952 		error = EINVAL;
953 		goto out;
954 	}
955 
956 	ucfg = (struct nat44_cfg_nat *)&buf[roundup2(len, 8)];
957 	snprintf(ucfg->name, sizeof(ucfg->name), "%d", cfg->id);
958 	strlcpy(ucfg->if_name, cfg->if_name, sizeof(ucfg->if_name));
959 	ucfg->ip = cfg->ip;
960 	ucfg->mode = cfg->mode;
961 	ucfg->redir_cnt = cfg->redir_cnt;
962 
963 	if (len < sizeof(*cfg) + cfg->redir_cnt * sizeof(*rdir)) {
964 		error = EINVAL;
965 		goto out;
966 	}
967 
968 	urdir = (struct nat44_cfg_redir *)(ucfg + 1);
969 	rdir = (struct cfg_redir_legacy *)(cfg + 1);
970 	for (i = 0; i < cfg->redir_cnt; i++) {
971 		urdir->mode = rdir->mode;
972 		urdir->laddr = rdir->laddr;
973 		urdir->paddr = rdir->paddr;
974 		urdir->raddr = rdir->raddr;
975 		urdir->lport = rdir->lport;
976 		urdir->pport = rdir->pport;
977 		urdir->rport = rdir->rport;
978 		urdir->pport_cnt = rdir->pport_cnt;
979 		urdir->rport_cnt = rdir->rport_cnt;
980 		urdir->proto = rdir->proto;
981 		urdir->spool_cnt = rdir->spool_cnt;
982 
983 		urdir++;
984 		rdir++;
985 	}
986 
987 	nat44_config(&V_layer3_chain, ucfg);
988 
989 out:
990 	free(buf, M_TEMP);
991 	return (error);
992 }
993 
994 static int
995 ipfw_nat_del(struct sockopt *sopt)
996 {
997 	struct cfg_nat *ptr;
998 	struct ip_fw_chain *chain = &V_layer3_chain;
999 	int i;
1000 
1001 	sooptcopyin(sopt, &i, sizeof i, sizeof i);
1002 	/* XXX validate i */
1003 	IPFW_UH_WLOCK(chain);
1004 	ptr = lookup_nat(&chain->nat, i);
1005 	if (ptr == NULL) {
1006 		IPFW_UH_WUNLOCK(chain);
1007 		return (EINVAL);
1008 	}
1009 	IPFW_WLOCK(chain);
1010 	LIST_REMOVE(ptr, _next);
1011 	flush_nat_ptrs(chain, i);
1012 	IPFW_WUNLOCK(chain);
1013 	IPFW_UH_WUNLOCK(chain);
1014 	free_nat_instance(ptr);
1015 	return (0);
1016 }
1017 
1018 static int
1019 ipfw_nat_get_cfg(struct sockopt *sopt)
1020 {
1021 	struct ip_fw_chain *chain = &V_layer3_chain;
1022 	struct cfg_nat *n;
1023 	struct cfg_nat_legacy *ucfg;
1024 	struct cfg_redir *r;
1025 	struct cfg_spool *s;
1026 	struct cfg_redir_legacy *ser_r;
1027 	struct cfg_spool_legacy *ser_s;
1028 	char *data;
1029 	int gencnt, nat_cnt, len, error;
1030 
1031 	nat_cnt = 0;
1032 	len = sizeof(nat_cnt);
1033 
1034 	IPFW_UH_RLOCK(chain);
1035 retry:
1036 	gencnt = chain->gencnt;
1037 	/* Estimate memory amount */
1038 	LIST_FOREACH(n, &chain->nat, _next) {
1039 		nat_cnt++;
1040 		len += sizeof(struct cfg_nat_legacy);
1041 		LIST_FOREACH(r, &n->redir_chain, _next) {
1042 			len += sizeof(struct cfg_redir_legacy);
1043 			LIST_FOREACH(s, &r->spool_chain, _next)
1044 				len += sizeof(struct cfg_spool_legacy);
1045 		}
1046 	}
1047 	IPFW_UH_RUNLOCK(chain);
1048 
1049 	data = malloc(len, M_TEMP, M_WAITOK | M_ZERO);
1050 	bcopy(&nat_cnt, data, sizeof(nat_cnt));
1051 
1052 	nat_cnt = 0;
1053 	len = sizeof(nat_cnt);
1054 
1055 	IPFW_UH_RLOCK(chain);
1056 	if (gencnt != chain->gencnt) {
1057 		free(data, M_TEMP);
1058 		goto retry;
1059 	}
1060 	/* Serialize all the data. */
1061 	LIST_FOREACH(n, &chain->nat, _next) {
1062 		ucfg = (struct cfg_nat_legacy *)&data[len];
1063 		ucfg->id = n->id;
1064 		ucfg->ip = n->ip;
1065 		ucfg->redir_cnt = n->redir_cnt;
1066 		ucfg->mode = n->mode;
1067 		strlcpy(ucfg->if_name, n->if_name, sizeof(ucfg->if_name));
1068 		len += sizeof(struct cfg_nat_legacy);
1069 		LIST_FOREACH(r, &n->redir_chain, _next) {
1070 			ser_r = (struct cfg_redir_legacy *)&data[len];
1071 			ser_r->mode = r->mode;
1072 			ser_r->laddr = r->laddr;
1073 			ser_r->paddr = r->paddr;
1074 			ser_r->raddr = r->raddr;
1075 			ser_r->lport = r->lport;
1076 			ser_r->pport = r->pport;
1077 			ser_r->rport = r->rport;
1078 			ser_r->pport_cnt = r->pport_cnt;
1079 			ser_r->rport_cnt = r->rport_cnt;
1080 			ser_r->proto = r->proto;
1081 			ser_r->spool_cnt = r->spool_cnt;
1082 			len += sizeof(struct cfg_redir_legacy);
1083 			LIST_FOREACH(s, &r->spool_chain, _next) {
1084 				ser_s = (struct cfg_spool_legacy *)&data[len];
1085 				ser_s->addr = s->addr;
1086 				ser_s->port = s->port;
1087 				len += sizeof(struct cfg_spool_legacy);
1088 			}
1089 		}
1090 	}
1091 	IPFW_UH_RUNLOCK(chain);
1092 
1093 	error = sooptcopyout(sopt, data, len);
1094 	free(data, M_TEMP);
1095 
1096 	return (error);
1097 }
1098 
1099 static int
1100 ipfw_nat_get_log(struct sockopt *sopt)
1101 {
1102 	uint8_t *data;
1103 	struct cfg_nat *ptr;
1104 	int i, size;
1105 	struct ip_fw_chain *chain;
1106 	IPFW_RLOCK_TRACKER;
1107 
1108 	chain = &V_layer3_chain;
1109 
1110 	IPFW_RLOCK(chain);
1111 	/* one pass to count, one to copy the data */
1112 	i = 0;
1113 	LIST_FOREACH(ptr, &chain->nat, _next) {
1114 		if (ptr->lib->logDesc == NULL)
1115 			continue;
1116 		i++;
1117 	}
1118 	size = i * (LIBALIAS_BUF_SIZE + sizeof(int));
1119 	data = malloc(size, M_IPFW, M_NOWAIT | M_ZERO);
1120 	if (data == NULL) {
1121 		IPFW_RUNLOCK(chain);
1122 		return (ENOSPC);
1123 	}
1124 	i = 0;
1125 	LIST_FOREACH(ptr, &chain->nat, _next) {
1126 		if (ptr->lib->logDesc == NULL)
1127 			continue;
1128 		bcopy(&ptr->id, &data[i], sizeof(int));
1129 		i += sizeof(int);
1130 		bcopy(ptr->lib->logDesc, &data[i], LIBALIAS_BUF_SIZE);
1131 		i += LIBALIAS_BUF_SIZE;
1132 	}
1133 	IPFW_RUNLOCK(chain);
1134 	sooptcopyout(sopt, data, size);
1135 	free(data, M_IPFW);
1136 	return(0);
1137 }
1138 
1139 static int
1140 vnet_ipfw_nat_init(const void *arg __unused)
1141 {
1142 
1143 	V_ipfw_nat_ready = 1;
1144 	return (0);
1145 }
1146 
1147 static int
1148 vnet_ipfw_nat_uninit(const void *arg __unused)
1149 {
1150 	struct cfg_nat *ptr, *ptr_temp;
1151 	struct ip_fw_chain *chain;
1152 
1153 	chain = &V_layer3_chain;
1154 	IPFW_WLOCK(chain);
1155 	V_ipfw_nat_ready = 0;
1156 	LIST_FOREACH_SAFE(ptr, &chain->nat, _next, ptr_temp) {
1157 		LIST_REMOVE(ptr, _next);
1158 		free_nat_instance(ptr);
1159 	}
1160 	flush_nat_ptrs(chain, -1 /* flush all */);
1161 	IPFW_WUNLOCK(chain);
1162 	return (0);
1163 }
1164 
1165 static void
1166 ipfw_nat_init(void)
1167 {
1168 
1169 	/* init ipfw hooks */
1170 	ipfw_nat_ptr = ipfw_nat;
1171 	lookup_nat_ptr = lookup_nat;
1172 	ipfw_nat_cfg_ptr = ipfw_nat_cfg;
1173 	ipfw_nat_del_ptr = ipfw_nat_del;
1174 	ipfw_nat_get_cfg_ptr = ipfw_nat_get_cfg;
1175 	ipfw_nat_get_log_ptr = ipfw_nat_get_log;
1176 	IPFW_ADD_SOPT_HANDLER(1, scodes);
1177 
1178 	ifaddr_event_tag = EVENTHANDLER_REGISTER(ifaddr_event, ifaddr_change,
1179 	    NULL, EVENTHANDLER_PRI_ANY);
1180 }
1181 
1182 static void
1183 ipfw_nat_destroy(void)
1184 {
1185 
1186 	EVENTHANDLER_DEREGISTER(ifaddr_event, ifaddr_event_tag);
1187 	/* deregister ipfw_nat */
1188 	IPFW_DEL_SOPT_HANDLER(1, scodes);
1189 	ipfw_nat_ptr = NULL;
1190 	lookup_nat_ptr = NULL;
1191 	ipfw_nat_cfg_ptr = NULL;
1192 	ipfw_nat_del_ptr = NULL;
1193 	ipfw_nat_get_cfg_ptr = NULL;
1194 	ipfw_nat_get_log_ptr = NULL;
1195 }
1196 
1197 static int
1198 ipfw_nat_modevent(module_t mod, int type, void *unused)
1199 {
1200 	int err = 0;
1201 
1202 	switch (type) {
1203 	case MOD_LOAD:
1204 		break;
1205 
1206 	case MOD_UNLOAD:
1207 		break;
1208 
1209 	default:
1210 		return EOPNOTSUPP;
1211 		break;
1212 	}
1213 	return err;
1214 }
1215 
1216 static moduledata_t ipfw_nat_mod = {
1217 	"ipfw_nat",
1218 	ipfw_nat_modevent,
1219 	0
1220 };
1221 
1222 /* Define startup order. */
1223 #define	IPFW_NAT_SI_SUB_FIREWALL	SI_SUB_PROTO_FIREWALL
1224 #define	IPFW_NAT_MODEVENT_ORDER		(SI_ORDER_ANY - 128) /* after ipfw */
1225 #define	IPFW_NAT_MODULE_ORDER		(IPFW_NAT_MODEVENT_ORDER + 1)
1226 #define	IPFW_NAT_VNET_ORDER		(IPFW_NAT_MODEVENT_ORDER + 2)
1227 
1228 DECLARE_MODULE(ipfw_nat, ipfw_nat_mod, IPFW_NAT_SI_SUB_FIREWALL, SI_ORDER_ANY);
1229 MODULE_DEPEND(ipfw_nat, libalias, 1, 1, 1);
1230 MODULE_DEPEND(ipfw_nat, ipfw, 3, 3, 3);
1231 MODULE_VERSION(ipfw_nat, 1);
1232 
1233 SYSINIT(ipfw_nat_init, IPFW_NAT_SI_SUB_FIREWALL, IPFW_NAT_MODULE_ORDER,
1234     ipfw_nat_init, NULL);
1235 VNET_SYSINIT(vnet_ipfw_nat_init, IPFW_NAT_SI_SUB_FIREWALL, IPFW_NAT_VNET_ORDER,
1236     vnet_ipfw_nat_init, NULL);
1237 
1238 SYSUNINIT(ipfw_nat_destroy, IPFW_NAT_SI_SUB_FIREWALL, IPFW_NAT_MODULE_ORDER,
1239     ipfw_nat_destroy, NULL);
1240 VNET_SYSUNINIT(vnet_ipfw_nat_uninit, IPFW_NAT_SI_SUB_FIREWALL,
1241     IPFW_NAT_VNET_ORDER, vnet_ipfw_nat_uninit, NULL);
1242 
1243 /* end of file */
1244