1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2008 Paolo Pisati 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/cdefs.h> 30 __FBSDID("$FreeBSD$"); 31 32 #include <sys/param.h> 33 #include <sys/systm.h> 34 #include <sys/eventhandler.h> 35 #include <sys/malloc.h> 36 #include <sys/mbuf.h> 37 #include <sys/kernel.h> 38 #include <sys/lock.h> 39 #include <sys/module.h> 40 #include <sys/rwlock.h> 41 #include <sys/rmlock.h> 42 43 #include <netinet/libalias/alias.h> 44 #include <netinet/libalias/alias_local.h> 45 46 #include <net/if.h> 47 #include <net/if_var.h> 48 #include <netinet/in.h> 49 #include <netinet/ip.h> 50 #include <netinet/ip_var.h> 51 #include <netinet/ip_fw.h> 52 #include <netinet/tcp.h> 53 #include <netinet/udp.h> 54 55 #include <netpfil/ipfw/ip_fw_private.h> 56 57 #include <machine/in_cksum.h> /* XXX for in_cksum */ 58 59 struct cfg_spool { 60 LIST_ENTRY(cfg_spool) _next; /* chain of spool instances */ 61 struct in_addr addr; 62 uint16_t port; 63 }; 64 65 /* Nat redirect configuration. */ 66 struct cfg_redir { 67 LIST_ENTRY(cfg_redir) _next; /* chain of redir instances */ 68 uint16_t mode; /* type of redirect mode */ 69 uint16_t proto; /* protocol: tcp/udp */ 70 struct in_addr laddr; /* local ip address */ 71 struct in_addr paddr; /* public ip address */ 72 struct in_addr raddr; /* remote ip address */ 73 uint16_t lport; /* local port */ 74 uint16_t pport; /* public port */ 75 uint16_t rport; /* remote port */ 76 uint16_t pport_cnt; /* number of public ports */ 77 uint16_t rport_cnt; /* number of remote ports */ 78 struct alias_link **alink; 79 u_int16_t spool_cnt; /* num of entry in spool chain */ 80 /* chain of spool instances */ 81 LIST_HEAD(spool_chain, cfg_spool) spool_chain; 82 }; 83 84 /* Nat configuration data struct. */ 85 struct cfg_nat { 86 /* chain of nat instances */ 87 LIST_ENTRY(cfg_nat) _next; 88 int id; /* nat id */ 89 struct in_addr ip; /* nat ip address */ 90 struct libalias *lib; /* libalias instance */ 91 int mode; /* aliasing mode */ 92 int redir_cnt; /* number of entry in spool chain */ 93 /* chain of redir instances */ 94 LIST_HEAD(redir_chain, cfg_redir) redir_chain; 95 char if_name[IF_NAMESIZE]; /* interface name */ 96 }; 97 98 static eventhandler_tag ifaddr_event_tag; 99 100 static void 101 ifaddr_change(void *arg __unused, struct ifnet *ifp) 102 { 103 struct cfg_nat *ptr; 104 struct ifaddr *ifa; 105 struct ip_fw_chain *chain; 106 107 KASSERT(curvnet == ifp->if_vnet, 108 ("curvnet(%p) differs from iface vnet(%p)", curvnet, ifp->if_vnet)); 109 110 if (V_ipfw_vnet_ready == 0 || V_ipfw_nat_ready == 0) 111 return; 112 113 chain = &V_layer3_chain; 114 IPFW_UH_WLOCK(chain); 115 /* Check every nat entry... */ 116 LIST_FOREACH(ptr, &chain->nat, _next) { 117 /* ...using nic 'ifp->if_xname' as dynamic alias address. */ 118 if (strncmp(ptr->if_name, ifp->if_xname, IF_NAMESIZE) != 0) 119 continue; 120 if_addr_rlock(ifp); 121 CK_STAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { 122 if (ifa->ifa_addr == NULL) 123 continue; 124 if (ifa->ifa_addr->sa_family != AF_INET) 125 continue; 126 IPFW_WLOCK(chain); 127 ptr->ip = ((struct sockaddr_in *) 128 (ifa->ifa_addr))->sin_addr; 129 LibAliasSetAddress(ptr->lib, ptr->ip); 130 IPFW_WUNLOCK(chain); 131 } 132 if_addr_runlock(ifp); 133 } 134 IPFW_UH_WUNLOCK(chain); 135 } 136 137 /* 138 * delete the pointers for nat entry ix, or all of them if ix < 0 139 */ 140 static void 141 flush_nat_ptrs(struct ip_fw_chain *chain, const int ix) 142 { 143 int i; 144 ipfw_insn_nat *cmd; 145 146 IPFW_WLOCK_ASSERT(chain); 147 for (i = 0; i < chain->n_rules; i++) { 148 cmd = (ipfw_insn_nat *)ACTION_PTR(chain->map[i]); 149 /* XXX skip log and the like ? */ 150 if (cmd->o.opcode == O_NAT && cmd->nat != NULL && 151 (ix < 0 || cmd->nat->id == ix)) 152 cmd->nat = NULL; 153 } 154 } 155 156 static void 157 del_redir_spool_cfg(struct cfg_nat *n, struct redir_chain *head) 158 { 159 struct cfg_redir *r, *tmp_r; 160 struct cfg_spool *s, *tmp_s; 161 int i, num; 162 163 LIST_FOREACH_SAFE(r, head, _next, tmp_r) { 164 num = 1; /* Number of alias_link to delete. */ 165 switch (r->mode) { 166 case NAT44_REDIR_PORT: 167 num = r->pport_cnt; 168 /* FALLTHROUGH */ 169 case NAT44_REDIR_ADDR: 170 case NAT44_REDIR_PROTO: 171 /* Delete all libalias redirect entry. */ 172 for (i = 0; i < num; i++) 173 LibAliasRedirectDelete(n->lib, r->alink[i]); 174 /* Del spool cfg if any. */ 175 LIST_FOREACH_SAFE(s, &r->spool_chain, _next, tmp_s) { 176 LIST_REMOVE(s, _next); 177 free(s, M_IPFW); 178 } 179 free(r->alink, M_IPFW); 180 LIST_REMOVE(r, _next); 181 free(r, M_IPFW); 182 break; 183 default: 184 printf("unknown redirect mode: %u\n", r->mode); 185 /* XXX - panic?!?!? */ 186 break; 187 } 188 } 189 } 190 191 static int 192 add_redir_spool_cfg(char *buf, struct cfg_nat *ptr) 193 { 194 struct cfg_redir *r; 195 struct cfg_spool *s; 196 struct nat44_cfg_redir *ser_r; 197 struct nat44_cfg_spool *ser_s; 198 199 int cnt, off, i; 200 201 for (cnt = 0, off = 0; cnt < ptr->redir_cnt; cnt++) { 202 ser_r = (struct nat44_cfg_redir *)&buf[off]; 203 r = malloc(sizeof(*r), M_IPFW, M_WAITOK | M_ZERO); 204 r->mode = ser_r->mode; 205 r->laddr = ser_r->laddr; 206 r->paddr = ser_r->paddr; 207 r->raddr = ser_r->raddr; 208 r->lport = ser_r->lport; 209 r->pport = ser_r->pport; 210 r->rport = ser_r->rport; 211 r->pport_cnt = ser_r->pport_cnt; 212 r->rport_cnt = ser_r->rport_cnt; 213 r->proto = ser_r->proto; 214 r->spool_cnt = ser_r->spool_cnt; 215 //memcpy(r, ser_r, SOF_REDIR); 216 LIST_INIT(&r->spool_chain); 217 off += sizeof(struct nat44_cfg_redir); 218 r->alink = malloc(sizeof(struct alias_link *) * r->pport_cnt, 219 M_IPFW, M_WAITOK | M_ZERO); 220 switch (r->mode) { 221 case NAT44_REDIR_ADDR: 222 r->alink[0] = LibAliasRedirectAddr(ptr->lib, r->laddr, 223 r->paddr); 224 break; 225 case NAT44_REDIR_PORT: 226 for (i = 0 ; i < r->pport_cnt; i++) { 227 /* If remotePort is all ports, set it to 0. */ 228 u_short remotePortCopy = r->rport + i; 229 if (r->rport_cnt == 1 && r->rport == 0) 230 remotePortCopy = 0; 231 r->alink[i] = LibAliasRedirectPort(ptr->lib, 232 r->laddr, htons(r->lport + i), r->raddr, 233 htons(remotePortCopy), r->paddr, 234 htons(r->pport + i), r->proto); 235 if (r->alink[i] == NULL) { 236 r->alink[0] = NULL; 237 break; 238 } 239 } 240 break; 241 case NAT44_REDIR_PROTO: 242 r->alink[0] = LibAliasRedirectProto(ptr->lib ,r->laddr, 243 r->raddr, r->paddr, r->proto); 244 break; 245 default: 246 printf("unknown redirect mode: %u\n", r->mode); 247 break; 248 } 249 if (r->alink[0] == NULL) { 250 printf("LibAliasRedirect* returned NULL\n"); 251 free(r->alink, M_IPFW); 252 free(r, M_IPFW); 253 return (EINVAL); 254 } 255 /* LSNAT handling. */ 256 for (i = 0; i < r->spool_cnt; i++) { 257 ser_s = (struct nat44_cfg_spool *)&buf[off]; 258 s = malloc(sizeof(*s), M_IPFW, M_WAITOK | M_ZERO); 259 s->addr = ser_s->addr; 260 s->port = ser_s->port; 261 LibAliasAddServer(ptr->lib, r->alink[0], 262 s->addr, htons(s->port)); 263 off += sizeof(struct nat44_cfg_spool); 264 /* Hook spool entry. */ 265 LIST_INSERT_HEAD(&r->spool_chain, s, _next); 266 } 267 /* And finally hook this redir entry. */ 268 LIST_INSERT_HEAD(&ptr->redir_chain, r, _next); 269 } 270 271 return (0); 272 } 273 274 static void 275 free_nat_instance(struct cfg_nat *ptr) 276 { 277 278 del_redir_spool_cfg(ptr, &ptr->redir_chain); 279 LibAliasUninit(ptr->lib); 280 free(ptr, M_IPFW); 281 } 282 283 284 /* 285 * ipfw_nat - perform mbuf header translation. 286 * 287 * Note V_layer3_chain has to be locked while calling ipfw_nat() in 288 * 'global' operation mode (t == NULL). 289 * 290 */ 291 static int 292 ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) 293 { 294 struct mbuf *mcl; 295 struct ip *ip; 296 /* XXX - libalias duct tape */ 297 int ldt, retval, found; 298 struct ip_fw_chain *chain; 299 char *c; 300 301 ldt = 0; 302 retval = 0; 303 mcl = m_megapullup(m, m->m_pkthdr.len); 304 if (mcl == NULL) { 305 args->m = NULL; 306 return (IP_FW_DENY); 307 } 308 ip = mtod(mcl, struct ip *); 309 310 /* 311 * XXX - Libalias checksum offload 'duct tape': 312 * 313 * locally generated packets have only pseudo-header checksum 314 * calculated and libalias will break it[1], so mark them for 315 * later fix. Moreover there are cases when libalias modifies 316 * tcp packet data[2], mark them for later fix too. 317 * 318 * [1] libalias was never meant to run in kernel, so it does 319 * not have any knowledge about checksum offloading, and 320 * expects a packet with a full internet checksum. 321 * Unfortunately, packets generated locally will have just the 322 * pseudo header calculated, and when libalias tries to adjust 323 * the checksum it will actually compute a wrong value. 324 * 325 * [2] when libalias modifies tcp's data content, full TCP 326 * checksum has to be recomputed: the problem is that 327 * libalias does not have any idea about checksum offloading. 328 * To work around this, we do not do checksumming in LibAlias, 329 * but only mark the packets in th_x2 field. If we receive a 330 * marked packet, we calculate correct checksum for it 331 * aware of offloading. Why such a terrible hack instead of 332 * recalculating checksum for each packet? 333 * Because the previous checksum was not checked! 334 * Recalculating checksums for EVERY packet will hide ALL 335 * transmission errors. Yes, marked packets still suffer from 336 * this problem. But, sigh, natd(8) has this problem, too. 337 * 338 * TODO: -make libalias mbuf aware (so 339 * it can handle delayed checksum and tso) 340 */ 341 342 if (mcl->m_pkthdr.rcvif == NULL && 343 mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) 344 ldt = 1; 345 346 c = mtod(mcl, char *); 347 348 /* Check if this is 'global' instance */ 349 if (t == NULL) { 350 if (args->flags & IPFW_ARGS_IN) { 351 /* Wrong direction, skip processing */ 352 args->m = mcl; 353 return (IP_FW_NAT); 354 } 355 356 found = 0; 357 chain = &V_layer3_chain; 358 IPFW_RLOCK_ASSERT(chain); 359 /* Check every nat entry... */ 360 LIST_FOREACH(t, &chain->nat, _next) { 361 if ((t->mode & PKT_ALIAS_SKIP_GLOBAL) != 0) 362 continue; 363 retval = LibAliasOutTry(t->lib, c, 364 mcl->m_len + M_TRAILINGSPACE(mcl), 0); 365 if (retval == PKT_ALIAS_OK) { 366 /* Nat instance recognises state */ 367 found = 1; 368 break; 369 } 370 } 371 if (found != 1) { 372 /* No instance found, return ignore */ 373 args->m = mcl; 374 return (IP_FW_NAT); 375 } 376 } else { 377 if (args->flags & IPFW_ARGS_IN) 378 retval = LibAliasIn(t->lib, c, 379 mcl->m_len + M_TRAILINGSPACE(mcl)); 380 else 381 retval = LibAliasOut(t->lib, c, 382 mcl->m_len + M_TRAILINGSPACE(mcl)); 383 } 384 385 /* 386 * We drop packet when: 387 * 1. libalias returns PKT_ALIAS_ERROR; 388 * 2. For incoming packets: 389 * a) for unresolved fragments; 390 * b) libalias returns PKT_ALIAS_IGNORED and 391 * PKT_ALIAS_DENY_INCOMING flag is set. 392 */ 393 if (retval == PKT_ALIAS_ERROR || 394 ((args->flags & IPFW_ARGS_IN) && 395 (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT || 396 (retval == PKT_ALIAS_IGNORED && 397 (t->mode & PKT_ALIAS_DENY_INCOMING) != 0)))) { 398 /* XXX - should i add some logging? */ 399 m_free(mcl); 400 args->m = NULL; 401 return (IP_FW_DENY); 402 } 403 404 if (retval == PKT_ALIAS_RESPOND) 405 mcl->m_flags |= M_SKIP_FIREWALL; 406 mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len); 407 408 /* 409 * XXX - libalias checksum offload 410 * 'duct tape' (see above) 411 */ 412 413 if ((ip->ip_off & htons(IP_OFFMASK)) == 0 && 414 ip->ip_p == IPPROTO_TCP) { 415 struct tcphdr *th; 416 417 th = (struct tcphdr *)(ip + 1); 418 if (th->th_x2) 419 ldt = 1; 420 } 421 422 if (ldt) { 423 struct tcphdr *th; 424 struct udphdr *uh; 425 uint16_t ip_len, cksum; 426 427 ip_len = ntohs(ip->ip_len); 428 cksum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, 429 htons(ip->ip_p + ip_len - (ip->ip_hl << 2))); 430 431 switch (ip->ip_p) { 432 case IPPROTO_TCP: 433 th = (struct tcphdr *)(ip + 1); 434 /* 435 * Maybe it was set in 436 * libalias... 437 */ 438 th->th_x2 = 0; 439 th->th_sum = cksum; 440 mcl->m_pkthdr.csum_data = 441 offsetof(struct tcphdr, th_sum); 442 break; 443 case IPPROTO_UDP: 444 uh = (struct udphdr *)(ip + 1); 445 uh->uh_sum = cksum; 446 mcl->m_pkthdr.csum_data = 447 offsetof(struct udphdr, uh_sum); 448 break; 449 } 450 /* No hw checksum offloading: do it ourselves */ 451 if ((mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) == 0) { 452 in_delayed_cksum(mcl); 453 mcl->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 454 } 455 } 456 args->m = mcl; 457 return (IP_FW_NAT); 458 } 459 460 static struct cfg_nat * 461 lookup_nat(struct nat_list *l, int nat_id) 462 { 463 struct cfg_nat *res; 464 465 LIST_FOREACH(res, l, _next) { 466 if (res->id == nat_id) 467 break; 468 } 469 return res; 470 } 471 472 static struct cfg_nat * 473 lookup_nat_name(struct nat_list *l, char *name) 474 { 475 struct cfg_nat *res; 476 int id; 477 char *errptr; 478 479 id = strtol(name, &errptr, 10); 480 if (id == 0 || *errptr != '\0') 481 return (NULL); 482 483 LIST_FOREACH(res, l, _next) { 484 if (res->id == id) 485 break; 486 } 487 return (res); 488 } 489 490 /* IP_FW3 configuration routines */ 491 492 static void 493 nat44_config(struct ip_fw_chain *chain, struct nat44_cfg_nat *ucfg) 494 { 495 struct cfg_nat *ptr, *tcfg; 496 int gencnt; 497 498 /* 499 * Find/create nat rule. 500 */ 501 IPFW_UH_WLOCK(chain); 502 gencnt = chain->gencnt; 503 ptr = lookup_nat_name(&chain->nat, ucfg->name); 504 if (ptr == NULL) { 505 IPFW_UH_WUNLOCK(chain); 506 /* New rule: allocate and init new instance. */ 507 ptr = malloc(sizeof(struct cfg_nat), M_IPFW, M_WAITOK | M_ZERO); 508 ptr->lib = LibAliasInit(NULL); 509 LIST_INIT(&ptr->redir_chain); 510 } else { 511 /* Entry already present: temporarily unhook it. */ 512 IPFW_WLOCK(chain); 513 LIST_REMOVE(ptr, _next); 514 flush_nat_ptrs(chain, ptr->id); 515 IPFW_WUNLOCK(chain); 516 IPFW_UH_WUNLOCK(chain); 517 } 518 519 /* 520 * Basic nat (re)configuration. 521 */ 522 ptr->id = strtol(ucfg->name, NULL, 10); 523 /* 524 * XXX - what if this rule doesn't nat any ip and just 525 * redirect? 526 * do we set aliasaddress to 0.0.0.0? 527 */ 528 ptr->ip = ucfg->ip; 529 ptr->redir_cnt = ucfg->redir_cnt; 530 ptr->mode = ucfg->mode; 531 strlcpy(ptr->if_name, ucfg->if_name, sizeof(ptr->if_name)); 532 LibAliasSetMode(ptr->lib, ptr->mode, ~0); 533 LibAliasSetAddress(ptr->lib, ptr->ip); 534 535 /* 536 * Redir and LSNAT configuration. 537 */ 538 /* Delete old cfgs. */ 539 del_redir_spool_cfg(ptr, &ptr->redir_chain); 540 /* Add new entries. */ 541 add_redir_spool_cfg((char *)(ucfg + 1), ptr); 542 IPFW_UH_WLOCK(chain); 543 544 /* Extra check to avoid race with another ipfw_nat_cfg() */ 545 tcfg = NULL; 546 if (gencnt != chain->gencnt) 547 tcfg = lookup_nat_name(&chain->nat, ucfg->name); 548 IPFW_WLOCK(chain); 549 if (tcfg != NULL) 550 LIST_REMOVE(tcfg, _next); 551 LIST_INSERT_HEAD(&chain->nat, ptr, _next); 552 IPFW_WUNLOCK(chain); 553 chain->gencnt++; 554 555 IPFW_UH_WUNLOCK(chain); 556 557 if (tcfg != NULL) 558 free_nat_instance(ptr); 559 } 560 561 /* 562 * Creates/configure nat44 instance 563 * Data layout (v0)(current): 564 * Request: [ ipfw_obj_header nat44_cfg_nat .. ] 565 * 566 * Returns 0 on success 567 */ 568 static int 569 nat44_cfg(struct ip_fw_chain *chain, ip_fw3_opheader *op3, 570 struct sockopt_data *sd) 571 { 572 ipfw_obj_header *oh; 573 struct nat44_cfg_nat *ucfg; 574 int id; 575 size_t read; 576 char *errptr; 577 578 /* Check minimum header size */ 579 if (sd->valsize < (sizeof(*oh) + sizeof(*ucfg))) 580 return (EINVAL); 581 582 oh = (ipfw_obj_header *)sd->kbuf; 583 584 /* Basic length checks for TLVs */ 585 if (oh->ntlv.head.length != sizeof(oh->ntlv)) 586 return (EINVAL); 587 588 ucfg = (struct nat44_cfg_nat *)(oh + 1); 589 590 /* Check if name is properly terminated and looks like number */ 591 if (strnlen(ucfg->name, sizeof(ucfg->name)) == sizeof(ucfg->name)) 592 return (EINVAL); 593 id = strtol(ucfg->name, &errptr, 10); 594 if (id == 0 || *errptr != '\0') 595 return (EINVAL); 596 597 read = sizeof(*oh) + sizeof(*ucfg); 598 /* Check number of redirs */ 599 if (sd->valsize < read + ucfg->redir_cnt*sizeof(struct nat44_cfg_redir)) 600 return (EINVAL); 601 602 nat44_config(chain, ucfg); 603 return (0); 604 } 605 606 /* 607 * Destroys given nat instances. 608 * Data layout (v0)(current): 609 * Request: [ ipfw_obj_header ] 610 * 611 * Returns 0 on success 612 */ 613 static int 614 nat44_destroy(struct ip_fw_chain *chain, ip_fw3_opheader *op3, 615 struct sockopt_data *sd) 616 { 617 ipfw_obj_header *oh; 618 struct cfg_nat *ptr; 619 ipfw_obj_ntlv *ntlv; 620 621 /* Check minimum header size */ 622 if (sd->valsize < sizeof(*oh)) 623 return (EINVAL); 624 625 oh = (ipfw_obj_header *)sd->kbuf; 626 627 /* Basic length checks for TLVs */ 628 if (oh->ntlv.head.length != sizeof(oh->ntlv)) 629 return (EINVAL); 630 631 ntlv = &oh->ntlv; 632 /* Check if name is properly terminated */ 633 if (strnlen(ntlv->name, sizeof(ntlv->name)) == sizeof(ntlv->name)) 634 return (EINVAL); 635 636 IPFW_UH_WLOCK(chain); 637 ptr = lookup_nat_name(&chain->nat, ntlv->name); 638 if (ptr == NULL) { 639 IPFW_UH_WUNLOCK(chain); 640 return (ESRCH); 641 } 642 IPFW_WLOCK(chain); 643 LIST_REMOVE(ptr, _next); 644 flush_nat_ptrs(chain, ptr->id); 645 IPFW_WUNLOCK(chain); 646 IPFW_UH_WUNLOCK(chain); 647 648 free_nat_instance(ptr); 649 650 return (0); 651 } 652 653 static void 654 export_nat_cfg(struct cfg_nat *ptr, struct nat44_cfg_nat *ucfg) 655 { 656 657 snprintf(ucfg->name, sizeof(ucfg->name), "%d", ptr->id); 658 ucfg->ip = ptr->ip; 659 ucfg->redir_cnt = ptr->redir_cnt; 660 ucfg->mode = ptr->mode; 661 strlcpy(ucfg->if_name, ptr->if_name, sizeof(ucfg->if_name)); 662 } 663 664 /* 665 * Gets config for given nat instance 666 * Data layout (v0)(current): 667 * Request: [ ipfw_obj_header nat44_cfg_nat .. ] 668 * 669 * Returns 0 on success 670 */ 671 static int 672 nat44_get_cfg(struct ip_fw_chain *chain, ip_fw3_opheader *op3, 673 struct sockopt_data *sd) 674 { 675 ipfw_obj_header *oh; 676 struct nat44_cfg_nat *ucfg; 677 struct cfg_nat *ptr; 678 struct cfg_redir *r; 679 struct cfg_spool *s; 680 struct nat44_cfg_redir *ser_r; 681 struct nat44_cfg_spool *ser_s; 682 size_t sz; 683 684 sz = sizeof(*oh) + sizeof(*ucfg); 685 /* Check minimum header size */ 686 if (sd->valsize < sz) 687 return (EINVAL); 688 689 oh = (struct _ipfw_obj_header *)ipfw_get_sopt_header(sd, sz); 690 691 /* Basic length checks for TLVs */ 692 if (oh->ntlv.head.length != sizeof(oh->ntlv)) 693 return (EINVAL); 694 695 ucfg = (struct nat44_cfg_nat *)(oh + 1); 696 697 /* Check if name is properly terminated */ 698 if (strnlen(ucfg->name, sizeof(ucfg->name)) == sizeof(ucfg->name)) 699 return (EINVAL); 700 701 IPFW_UH_RLOCK(chain); 702 ptr = lookup_nat_name(&chain->nat, ucfg->name); 703 if (ptr == NULL) { 704 IPFW_UH_RUNLOCK(chain); 705 return (ESRCH); 706 } 707 708 export_nat_cfg(ptr, ucfg); 709 710 /* Estimate memory amount */ 711 sz = sizeof(ipfw_obj_header) + sizeof(struct nat44_cfg_nat); 712 LIST_FOREACH(r, &ptr->redir_chain, _next) { 713 sz += sizeof(struct nat44_cfg_redir); 714 LIST_FOREACH(s, &r->spool_chain, _next) 715 sz += sizeof(struct nat44_cfg_spool); 716 } 717 718 ucfg->size = sz; 719 if (sd->valsize < sz) { 720 721 /* 722 * Submitted buffer size is not enough. 723 * WE've already filled in @ucfg structure with 724 * relevant info including size, so we 725 * can return. Buffer will be flushed automatically. 726 */ 727 IPFW_UH_RUNLOCK(chain); 728 return (ENOMEM); 729 } 730 731 /* Size OK, let's copy data */ 732 LIST_FOREACH(r, &ptr->redir_chain, _next) { 733 ser_r = (struct nat44_cfg_redir *)ipfw_get_sopt_space(sd, 734 sizeof(*ser_r)); 735 ser_r->mode = r->mode; 736 ser_r->laddr = r->laddr; 737 ser_r->paddr = r->paddr; 738 ser_r->raddr = r->raddr; 739 ser_r->lport = r->lport; 740 ser_r->pport = r->pport; 741 ser_r->rport = r->rport; 742 ser_r->pport_cnt = r->pport_cnt; 743 ser_r->rport_cnt = r->rport_cnt; 744 ser_r->proto = r->proto; 745 ser_r->spool_cnt = r->spool_cnt; 746 747 LIST_FOREACH(s, &r->spool_chain, _next) { 748 ser_s = (struct nat44_cfg_spool *)ipfw_get_sopt_space( 749 sd, sizeof(*ser_s)); 750 751 ser_s->addr = s->addr; 752 ser_s->port = s->port; 753 } 754 } 755 756 IPFW_UH_RUNLOCK(chain); 757 758 return (0); 759 } 760 761 /* 762 * Lists all nat44 instances currently available in kernel. 763 * Data layout (v0)(current): 764 * Request: [ ipfw_obj_lheader ] 765 * Reply: [ ipfw_obj_lheader nat44_cfg_nat x N ] 766 * 767 * Returns 0 on success 768 */ 769 static int 770 nat44_list_nat(struct ip_fw_chain *chain, ip_fw3_opheader *op3, 771 struct sockopt_data *sd) 772 { 773 ipfw_obj_lheader *olh; 774 struct nat44_cfg_nat *ucfg; 775 struct cfg_nat *ptr; 776 int nat_count; 777 778 /* Check minimum header size */ 779 if (sd->valsize < sizeof(ipfw_obj_lheader)) 780 return (EINVAL); 781 782 olh = (ipfw_obj_lheader *)ipfw_get_sopt_header(sd, sizeof(*olh)); 783 IPFW_UH_RLOCK(chain); 784 nat_count = 0; 785 LIST_FOREACH(ptr, &chain->nat, _next) 786 nat_count++; 787 788 olh->count = nat_count; 789 olh->objsize = sizeof(struct nat44_cfg_nat); 790 olh->size = sizeof(*olh) + olh->count * olh->objsize; 791 792 if (sd->valsize < olh->size) { 793 IPFW_UH_RUNLOCK(chain); 794 return (ENOMEM); 795 } 796 797 LIST_FOREACH(ptr, &chain->nat, _next) { 798 ucfg = (struct nat44_cfg_nat *)ipfw_get_sopt_space(sd, 799 sizeof(*ucfg)); 800 export_nat_cfg(ptr, ucfg); 801 } 802 803 IPFW_UH_RUNLOCK(chain); 804 805 return (0); 806 } 807 808 /* 809 * Gets log for given nat instance 810 * Data layout (v0)(current): 811 * Request: [ ipfw_obj_header nat44_cfg_nat ] 812 * Reply: [ ipfw_obj_header nat44_cfg_nat LOGBUFFER ] 813 * 814 * Returns 0 on success 815 */ 816 static int 817 nat44_get_log(struct ip_fw_chain *chain, ip_fw3_opheader *op3, 818 struct sockopt_data *sd) 819 { 820 ipfw_obj_header *oh; 821 struct nat44_cfg_nat *ucfg; 822 struct cfg_nat *ptr; 823 void *pbuf; 824 size_t sz; 825 826 sz = sizeof(*oh) + sizeof(*ucfg); 827 /* Check minimum header size */ 828 if (sd->valsize < sz) 829 return (EINVAL); 830 831 oh = (struct _ipfw_obj_header *)ipfw_get_sopt_header(sd, sz); 832 833 /* Basic length checks for TLVs */ 834 if (oh->ntlv.head.length != sizeof(oh->ntlv)) 835 return (EINVAL); 836 837 ucfg = (struct nat44_cfg_nat *)(oh + 1); 838 839 /* Check if name is properly terminated */ 840 if (strnlen(ucfg->name, sizeof(ucfg->name)) == sizeof(ucfg->name)) 841 return (EINVAL); 842 843 IPFW_UH_RLOCK(chain); 844 ptr = lookup_nat_name(&chain->nat, ucfg->name); 845 if (ptr == NULL) { 846 IPFW_UH_RUNLOCK(chain); 847 return (ESRCH); 848 } 849 850 if (ptr->lib->logDesc == NULL) { 851 IPFW_UH_RUNLOCK(chain); 852 return (ENOENT); 853 } 854 855 export_nat_cfg(ptr, ucfg); 856 857 /* Estimate memory amount */ 858 ucfg->size = sizeof(struct nat44_cfg_nat) + LIBALIAS_BUF_SIZE; 859 if (sd->valsize < sz + sizeof(*oh)) { 860 861 /* 862 * Submitted buffer size is not enough. 863 * WE've already filled in @ucfg structure with 864 * relevant info including size, so we 865 * can return. Buffer will be flushed automatically. 866 */ 867 IPFW_UH_RUNLOCK(chain); 868 return (ENOMEM); 869 } 870 871 pbuf = (void *)ipfw_get_sopt_space(sd, LIBALIAS_BUF_SIZE); 872 memcpy(pbuf, ptr->lib->logDesc, LIBALIAS_BUF_SIZE); 873 874 IPFW_UH_RUNLOCK(chain); 875 876 return (0); 877 } 878 879 static struct ipfw_sopt_handler scodes[] = { 880 { IP_FW_NAT44_XCONFIG, 0, HDIR_SET, nat44_cfg }, 881 { IP_FW_NAT44_DESTROY, 0, HDIR_SET, nat44_destroy }, 882 { IP_FW_NAT44_XGETCONFIG, 0, HDIR_GET, nat44_get_cfg }, 883 { IP_FW_NAT44_LIST_NAT, 0, HDIR_GET, nat44_list_nat }, 884 { IP_FW_NAT44_XGETLOG, 0, HDIR_GET, nat44_get_log }, 885 }; 886 887 888 /* 889 * Legacy configuration routines 890 */ 891 892 struct cfg_spool_legacy { 893 LIST_ENTRY(cfg_spool_legacy) _next; 894 struct in_addr addr; 895 u_short port; 896 }; 897 898 struct cfg_redir_legacy { 899 LIST_ENTRY(cfg_redir) _next; 900 u_int16_t mode; 901 struct in_addr laddr; 902 struct in_addr paddr; 903 struct in_addr raddr; 904 u_short lport; 905 u_short pport; 906 u_short rport; 907 u_short pport_cnt; 908 u_short rport_cnt; 909 int proto; 910 struct alias_link **alink; 911 u_int16_t spool_cnt; 912 LIST_HEAD(, cfg_spool_legacy) spool_chain; 913 }; 914 915 struct cfg_nat_legacy { 916 LIST_ENTRY(cfg_nat_legacy) _next; 917 int id; 918 struct in_addr ip; 919 char if_name[IF_NAMESIZE]; 920 int mode; 921 struct libalias *lib; 922 int redir_cnt; 923 LIST_HEAD(, cfg_redir_legacy) redir_chain; 924 }; 925 926 static int 927 ipfw_nat_cfg(struct sockopt *sopt) 928 { 929 struct cfg_nat_legacy *cfg; 930 struct nat44_cfg_nat *ucfg; 931 struct cfg_redir_legacy *rdir; 932 struct nat44_cfg_redir *urdir; 933 char *buf; 934 size_t len, len2; 935 int error, i; 936 937 len = sopt->sopt_valsize; 938 len2 = len + 128; 939 940 /* 941 * Allocate 2x buffer to store converted structures. 942 * new redir_cfg has shrunk, so we're sure that 943 * new buffer size is enough. 944 */ 945 buf = malloc(roundup2(len, 8) + len2, M_TEMP, M_WAITOK | M_ZERO); 946 error = sooptcopyin(sopt, buf, len, sizeof(struct cfg_nat_legacy)); 947 if (error != 0) 948 goto out; 949 950 cfg = (struct cfg_nat_legacy *)buf; 951 if (cfg->id < 0) { 952 error = EINVAL; 953 goto out; 954 } 955 956 ucfg = (struct nat44_cfg_nat *)&buf[roundup2(len, 8)]; 957 snprintf(ucfg->name, sizeof(ucfg->name), "%d", cfg->id); 958 strlcpy(ucfg->if_name, cfg->if_name, sizeof(ucfg->if_name)); 959 ucfg->ip = cfg->ip; 960 ucfg->mode = cfg->mode; 961 ucfg->redir_cnt = cfg->redir_cnt; 962 963 if (len < sizeof(*cfg) + cfg->redir_cnt * sizeof(*rdir)) { 964 error = EINVAL; 965 goto out; 966 } 967 968 urdir = (struct nat44_cfg_redir *)(ucfg + 1); 969 rdir = (struct cfg_redir_legacy *)(cfg + 1); 970 for (i = 0; i < cfg->redir_cnt; i++) { 971 urdir->mode = rdir->mode; 972 urdir->laddr = rdir->laddr; 973 urdir->paddr = rdir->paddr; 974 urdir->raddr = rdir->raddr; 975 urdir->lport = rdir->lport; 976 urdir->pport = rdir->pport; 977 urdir->rport = rdir->rport; 978 urdir->pport_cnt = rdir->pport_cnt; 979 urdir->rport_cnt = rdir->rport_cnt; 980 urdir->proto = rdir->proto; 981 urdir->spool_cnt = rdir->spool_cnt; 982 983 urdir++; 984 rdir++; 985 } 986 987 nat44_config(&V_layer3_chain, ucfg); 988 989 out: 990 free(buf, M_TEMP); 991 return (error); 992 } 993 994 static int 995 ipfw_nat_del(struct sockopt *sopt) 996 { 997 struct cfg_nat *ptr; 998 struct ip_fw_chain *chain = &V_layer3_chain; 999 int i; 1000 1001 sooptcopyin(sopt, &i, sizeof i, sizeof i); 1002 /* XXX validate i */ 1003 IPFW_UH_WLOCK(chain); 1004 ptr = lookup_nat(&chain->nat, i); 1005 if (ptr == NULL) { 1006 IPFW_UH_WUNLOCK(chain); 1007 return (EINVAL); 1008 } 1009 IPFW_WLOCK(chain); 1010 LIST_REMOVE(ptr, _next); 1011 flush_nat_ptrs(chain, i); 1012 IPFW_WUNLOCK(chain); 1013 IPFW_UH_WUNLOCK(chain); 1014 free_nat_instance(ptr); 1015 return (0); 1016 } 1017 1018 static int 1019 ipfw_nat_get_cfg(struct sockopt *sopt) 1020 { 1021 struct ip_fw_chain *chain = &V_layer3_chain; 1022 struct cfg_nat *n; 1023 struct cfg_nat_legacy *ucfg; 1024 struct cfg_redir *r; 1025 struct cfg_spool *s; 1026 struct cfg_redir_legacy *ser_r; 1027 struct cfg_spool_legacy *ser_s; 1028 char *data; 1029 int gencnt, nat_cnt, len, error; 1030 1031 nat_cnt = 0; 1032 len = sizeof(nat_cnt); 1033 1034 IPFW_UH_RLOCK(chain); 1035 retry: 1036 gencnt = chain->gencnt; 1037 /* Estimate memory amount */ 1038 LIST_FOREACH(n, &chain->nat, _next) { 1039 nat_cnt++; 1040 len += sizeof(struct cfg_nat_legacy); 1041 LIST_FOREACH(r, &n->redir_chain, _next) { 1042 len += sizeof(struct cfg_redir_legacy); 1043 LIST_FOREACH(s, &r->spool_chain, _next) 1044 len += sizeof(struct cfg_spool_legacy); 1045 } 1046 } 1047 IPFW_UH_RUNLOCK(chain); 1048 1049 data = malloc(len, M_TEMP, M_WAITOK | M_ZERO); 1050 bcopy(&nat_cnt, data, sizeof(nat_cnt)); 1051 1052 nat_cnt = 0; 1053 len = sizeof(nat_cnt); 1054 1055 IPFW_UH_RLOCK(chain); 1056 if (gencnt != chain->gencnt) { 1057 free(data, M_TEMP); 1058 goto retry; 1059 } 1060 /* Serialize all the data. */ 1061 LIST_FOREACH(n, &chain->nat, _next) { 1062 ucfg = (struct cfg_nat_legacy *)&data[len]; 1063 ucfg->id = n->id; 1064 ucfg->ip = n->ip; 1065 ucfg->redir_cnt = n->redir_cnt; 1066 ucfg->mode = n->mode; 1067 strlcpy(ucfg->if_name, n->if_name, sizeof(ucfg->if_name)); 1068 len += sizeof(struct cfg_nat_legacy); 1069 LIST_FOREACH(r, &n->redir_chain, _next) { 1070 ser_r = (struct cfg_redir_legacy *)&data[len]; 1071 ser_r->mode = r->mode; 1072 ser_r->laddr = r->laddr; 1073 ser_r->paddr = r->paddr; 1074 ser_r->raddr = r->raddr; 1075 ser_r->lport = r->lport; 1076 ser_r->pport = r->pport; 1077 ser_r->rport = r->rport; 1078 ser_r->pport_cnt = r->pport_cnt; 1079 ser_r->rport_cnt = r->rport_cnt; 1080 ser_r->proto = r->proto; 1081 ser_r->spool_cnt = r->spool_cnt; 1082 len += sizeof(struct cfg_redir_legacy); 1083 LIST_FOREACH(s, &r->spool_chain, _next) { 1084 ser_s = (struct cfg_spool_legacy *)&data[len]; 1085 ser_s->addr = s->addr; 1086 ser_s->port = s->port; 1087 len += sizeof(struct cfg_spool_legacy); 1088 } 1089 } 1090 } 1091 IPFW_UH_RUNLOCK(chain); 1092 1093 error = sooptcopyout(sopt, data, len); 1094 free(data, M_TEMP); 1095 1096 return (error); 1097 } 1098 1099 static int 1100 ipfw_nat_get_log(struct sockopt *sopt) 1101 { 1102 uint8_t *data; 1103 struct cfg_nat *ptr; 1104 int i, size; 1105 struct ip_fw_chain *chain; 1106 IPFW_RLOCK_TRACKER; 1107 1108 chain = &V_layer3_chain; 1109 1110 IPFW_RLOCK(chain); 1111 /* one pass to count, one to copy the data */ 1112 i = 0; 1113 LIST_FOREACH(ptr, &chain->nat, _next) { 1114 if (ptr->lib->logDesc == NULL) 1115 continue; 1116 i++; 1117 } 1118 size = i * (LIBALIAS_BUF_SIZE + sizeof(int)); 1119 data = malloc(size, M_IPFW, M_NOWAIT | M_ZERO); 1120 if (data == NULL) { 1121 IPFW_RUNLOCK(chain); 1122 return (ENOSPC); 1123 } 1124 i = 0; 1125 LIST_FOREACH(ptr, &chain->nat, _next) { 1126 if (ptr->lib->logDesc == NULL) 1127 continue; 1128 bcopy(&ptr->id, &data[i], sizeof(int)); 1129 i += sizeof(int); 1130 bcopy(ptr->lib->logDesc, &data[i], LIBALIAS_BUF_SIZE); 1131 i += LIBALIAS_BUF_SIZE; 1132 } 1133 IPFW_RUNLOCK(chain); 1134 sooptcopyout(sopt, data, size); 1135 free(data, M_IPFW); 1136 return(0); 1137 } 1138 1139 static int 1140 vnet_ipfw_nat_init(const void *arg __unused) 1141 { 1142 1143 V_ipfw_nat_ready = 1; 1144 return (0); 1145 } 1146 1147 static int 1148 vnet_ipfw_nat_uninit(const void *arg __unused) 1149 { 1150 struct cfg_nat *ptr, *ptr_temp; 1151 struct ip_fw_chain *chain; 1152 1153 chain = &V_layer3_chain; 1154 IPFW_WLOCK(chain); 1155 V_ipfw_nat_ready = 0; 1156 LIST_FOREACH_SAFE(ptr, &chain->nat, _next, ptr_temp) { 1157 LIST_REMOVE(ptr, _next); 1158 free_nat_instance(ptr); 1159 } 1160 flush_nat_ptrs(chain, -1 /* flush all */); 1161 IPFW_WUNLOCK(chain); 1162 return (0); 1163 } 1164 1165 static void 1166 ipfw_nat_init(void) 1167 { 1168 1169 /* init ipfw hooks */ 1170 ipfw_nat_ptr = ipfw_nat; 1171 lookup_nat_ptr = lookup_nat; 1172 ipfw_nat_cfg_ptr = ipfw_nat_cfg; 1173 ipfw_nat_del_ptr = ipfw_nat_del; 1174 ipfw_nat_get_cfg_ptr = ipfw_nat_get_cfg; 1175 ipfw_nat_get_log_ptr = ipfw_nat_get_log; 1176 IPFW_ADD_SOPT_HANDLER(1, scodes); 1177 1178 ifaddr_event_tag = EVENTHANDLER_REGISTER(ifaddr_event, ifaddr_change, 1179 NULL, EVENTHANDLER_PRI_ANY); 1180 } 1181 1182 static void 1183 ipfw_nat_destroy(void) 1184 { 1185 1186 EVENTHANDLER_DEREGISTER(ifaddr_event, ifaddr_event_tag); 1187 /* deregister ipfw_nat */ 1188 IPFW_DEL_SOPT_HANDLER(1, scodes); 1189 ipfw_nat_ptr = NULL; 1190 lookup_nat_ptr = NULL; 1191 ipfw_nat_cfg_ptr = NULL; 1192 ipfw_nat_del_ptr = NULL; 1193 ipfw_nat_get_cfg_ptr = NULL; 1194 ipfw_nat_get_log_ptr = NULL; 1195 } 1196 1197 static int 1198 ipfw_nat_modevent(module_t mod, int type, void *unused) 1199 { 1200 int err = 0; 1201 1202 switch (type) { 1203 case MOD_LOAD: 1204 break; 1205 1206 case MOD_UNLOAD: 1207 break; 1208 1209 default: 1210 return EOPNOTSUPP; 1211 break; 1212 } 1213 return err; 1214 } 1215 1216 static moduledata_t ipfw_nat_mod = { 1217 "ipfw_nat", 1218 ipfw_nat_modevent, 1219 0 1220 }; 1221 1222 /* Define startup order. */ 1223 #define IPFW_NAT_SI_SUB_FIREWALL SI_SUB_PROTO_FIREWALL 1224 #define IPFW_NAT_MODEVENT_ORDER (SI_ORDER_ANY - 128) /* after ipfw */ 1225 #define IPFW_NAT_MODULE_ORDER (IPFW_NAT_MODEVENT_ORDER + 1) 1226 #define IPFW_NAT_VNET_ORDER (IPFW_NAT_MODEVENT_ORDER + 2) 1227 1228 DECLARE_MODULE(ipfw_nat, ipfw_nat_mod, IPFW_NAT_SI_SUB_FIREWALL, SI_ORDER_ANY); 1229 MODULE_DEPEND(ipfw_nat, libalias, 1, 1, 1); 1230 MODULE_DEPEND(ipfw_nat, ipfw, 3, 3, 3); 1231 MODULE_VERSION(ipfw_nat, 1); 1232 1233 SYSINIT(ipfw_nat_init, IPFW_NAT_SI_SUB_FIREWALL, IPFW_NAT_MODULE_ORDER, 1234 ipfw_nat_init, NULL); 1235 VNET_SYSINIT(vnet_ipfw_nat_init, IPFW_NAT_SI_SUB_FIREWALL, IPFW_NAT_VNET_ORDER, 1236 vnet_ipfw_nat_init, NULL); 1237 1238 SYSUNINIT(ipfw_nat_destroy, IPFW_NAT_SI_SUB_FIREWALL, IPFW_NAT_MODULE_ORDER, 1239 ipfw_nat_destroy, NULL); 1240 VNET_SYSUNINIT(vnet_ipfw_nat_uninit, IPFW_NAT_SI_SUB_FIREWALL, 1241 IPFW_NAT_VNET_ORDER, vnet_ipfw_nat_uninit, NULL); 1242 1243 /* end of file */ 1244