1 /*- 2 * Copyright (c) 2008 Paolo Pisati 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include <sys/param.h> 31 #include <sys/systm.h> 32 #include <sys/eventhandler.h> 33 #include <sys/malloc.h> 34 #include <sys/mbuf.h> 35 #include <sys/kernel.h> 36 #include <sys/lock.h> 37 #include <sys/module.h> 38 #include <sys/rwlock.h> 39 #include <sys/rmlock.h> 40 41 #include <netinet/libalias/alias.h> 42 #include <netinet/libalias/alias_local.h> 43 44 #include <net/if.h> 45 #include <net/if_var.h> 46 #include <netinet/in.h> 47 #include <netinet/ip.h> 48 #include <netinet/ip_var.h> 49 #include <netinet/ip_fw.h> 50 #include <netinet/tcp.h> 51 #include <netinet/udp.h> 52 53 #include <netpfil/ipfw/ip_fw_private.h> 54 55 #include <machine/in_cksum.h> /* XXX for in_cksum */ 56 57 struct cfg_spool { 58 LIST_ENTRY(cfg_spool) _next; /* chain of spool instances */ 59 struct in_addr addr; 60 uint16_t port; 61 }; 62 63 /* Nat redirect configuration. */ 64 struct cfg_redir { 65 LIST_ENTRY(cfg_redir) _next; /* chain of redir instances */ 66 uint16_t mode; /* type of redirect mode */ 67 uint16_t proto; /* protocol: tcp/udp */ 68 struct in_addr laddr; /* local ip address */ 69 struct in_addr paddr; /* public ip address */ 70 struct in_addr raddr; /* remote ip address */ 71 uint16_t lport; /* local port */ 72 uint16_t pport; /* public port */ 73 uint16_t rport; /* remote port */ 74 uint16_t pport_cnt; /* number of public ports */ 75 uint16_t rport_cnt; /* number of remote ports */ 76 struct alias_link **alink; 77 u_int16_t spool_cnt; /* num of entry in spool chain */ 78 /* chain of spool instances */ 79 LIST_HEAD(spool_chain, cfg_spool) spool_chain; 80 }; 81 82 /* Nat configuration data struct. */ 83 struct cfg_nat { 84 /* chain of nat instances */ 85 LIST_ENTRY(cfg_nat) _next; 86 int id; /* nat id */ 87 struct in_addr ip; /* nat ip address */ 88 struct libalias *lib; /* libalias instance */ 89 int mode; /* aliasing mode */ 90 int redir_cnt; /* number of entry in spool chain */ 91 /* chain of redir instances */ 92 LIST_HEAD(redir_chain, cfg_redir) redir_chain; 93 char if_name[IF_NAMESIZE]; /* interface name */ 94 }; 95 96 static eventhandler_tag ifaddr_event_tag; 97 98 static void 99 ifaddr_change(void *arg __unused, struct ifnet *ifp) 100 { 101 struct cfg_nat *ptr; 102 struct ifaddr *ifa; 103 struct ip_fw_chain *chain; 104 105 KASSERT(curvnet == ifp->if_vnet, 106 ("curvnet(%p) differs from iface vnet(%p)", curvnet, ifp->if_vnet)); 107 chain = &V_layer3_chain; 108 IPFW_UH_WLOCK(chain); 109 /* Check every nat entry... */ 110 LIST_FOREACH(ptr, &chain->nat, _next) { 111 /* ...using nic 'ifp->if_xname' as dynamic alias address. */ 112 if (strncmp(ptr->if_name, ifp->if_xname, IF_NAMESIZE) != 0) 113 continue; 114 if_addr_rlock(ifp); 115 TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { 116 if (ifa->ifa_addr == NULL) 117 continue; 118 if (ifa->ifa_addr->sa_family != AF_INET) 119 continue; 120 IPFW_WLOCK(chain); 121 ptr->ip = ((struct sockaddr_in *) 122 (ifa->ifa_addr))->sin_addr; 123 LibAliasSetAddress(ptr->lib, ptr->ip); 124 IPFW_WUNLOCK(chain); 125 } 126 if_addr_runlock(ifp); 127 } 128 IPFW_UH_WUNLOCK(chain); 129 } 130 131 /* 132 * delete the pointers for nat entry ix, or all of them if ix < 0 133 */ 134 static void 135 flush_nat_ptrs(struct ip_fw_chain *chain, const int ix) 136 { 137 int i; 138 ipfw_insn_nat *cmd; 139 140 IPFW_WLOCK_ASSERT(chain); 141 for (i = 0; i < chain->n_rules; i++) { 142 cmd = (ipfw_insn_nat *)ACTION_PTR(chain->map[i]); 143 /* XXX skip log and the like ? */ 144 if (cmd->o.opcode == O_NAT && cmd->nat != NULL && 145 (ix < 0 || cmd->nat->id == ix)) 146 cmd->nat = NULL; 147 } 148 } 149 150 static void 151 del_redir_spool_cfg(struct cfg_nat *n, struct redir_chain *head) 152 { 153 struct cfg_redir *r, *tmp_r; 154 struct cfg_spool *s, *tmp_s; 155 int i, num; 156 157 LIST_FOREACH_SAFE(r, head, _next, tmp_r) { 158 num = 1; /* Number of alias_link to delete. */ 159 switch (r->mode) { 160 case NAT44_REDIR_PORT: 161 num = r->pport_cnt; 162 /* FALLTHROUGH */ 163 case NAT44_REDIR_ADDR: 164 case NAT44_REDIR_PROTO: 165 /* Delete all libalias redirect entry. */ 166 for (i = 0; i < num; i++) 167 LibAliasRedirectDelete(n->lib, r->alink[i]); 168 /* Del spool cfg if any. */ 169 LIST_FOREACH_SAFE(s, &r->spool_chain, _next, tmp_s) { 170 LIST_REMOVE(s, _next); 171 free(s, M_IPFW); 172 } 173 free(r->alink, M_IPFW); 174 LIST_REMOVE(r, _next); 175 free(r, M_IPFW); 176 break; 177 default: 178 printf("unknown redirect mode: %u\n", r->mode); 179 /* XXX - panic?!?!? */ 180 break; 181 } 182 } 183 } 184 185 static int 186 add_redir_spool_cfg(char *buf, struct cfg_nat *ptr) 187 { 188 struct cfg_redir *r; 189 struct cfg_spool *s; 190 struct nat44_cfg_redir *ser_r; 191 struct nat44_cfg_spool *ser_s; 192 193 int cnt, off, i; 194 195 for (cnt = 0, off = 0; cnt < ptr->redir_cnt; cnt++) { 196 ser_r = (struct nat44_cfg_redir *)&buf[off]; 197 r = malloc(sizeof(*r), M_IPFW, M_WAITOK | M_ZERO); 198 r->mode = ser_r->mode; 199 r->laddr = ser_r->laddr; 200 r->paddr = ser_r->paddr; 201 r->raddr = ser_r->raddr; 202 r->lport = ser_r->lport; 203 r->pport = ser_r->pport; 204 r->rport = ser_r->rport; 205 r->pport_cnt = ser_r->pport_cnt; 206 r->rport_cnt = ser_r->rport_cnt; 207 r->proto = ser_r->proto; 208 r->spool_cnt = ser_r->spool_cnt; 209 //memcpy(r, ser_r, SOF_REDIR); 210 LIST_INIT(&r->spool_chain); 211 off += sizeof(struct nat44_cfg_redir); 212 r->alink = malloc(sizeof(struct alias_link *) * r->pport_cnt, 213 M_IPFW, M_WAITOK | M_ZERO); 214 switch (r->mode) { 215 case NAT44_REDIR_ADDR: 216 r->alink[0] = LibAliasRedirectAddr(ptr->lib, r->laddr, 217 r->paddr); 218 break; 219 case NAT44_REDIR_PORT: 220 for (i = 0 ; i < r->pport_cnt; i++) { 221 /* If remotePort is all ports, set it to 0. */ 222 u_short remotePortCopy = r->rport + i; 223 if (r->rport_cnt == 1 && r->rport == 0) 224 remotePortCopy = 0; 225 r->alink[i] = LibAliasRedirectPort(ptr->lib, 226 r->laddr, htons(r->lport + i), r->raddr, 227 htons(remotePortCopy), r->paddr, 228 htons(r->pport + i), r->proto); 229 if (r->alink[i] == NULL) { 230 r->alink[0] = NULL; 231 break; 232 } 233 } 234 break; 235 case NAT44_REDIR_PROTO: 236 r->alink[0] = LibAliasRedirectProto(ptr->lib ,r->laddr, 237 r->raddr, r->paddr, r->proto); 238 break; 239 default: 240 printf("unknown redirect mode: %u\n", r->mode); 241 break; 242 } 243 if (r->alink[0] == NULL) { 244 printf("LibAliasRedirect* returned NULL\n"); 245 free(r->alink, M_IPFW); 246 free(r, M_IPFW); 247 return (EINVAL); 248 } 249 /* LSNAT handling. */ 250 for (i = 0; i < r->spool_cnt; i++) { 251 ser_s = (struct nat44_cfg_spool *)&buf[off]; 252 s = malloc(sizeof(*s), M_IPFW, M_WAITOK | M_ZERO); 253 s->addr = ser_s->addr; 254 s->port = ser_s->port; 255 LibAliasAddServer(ptr->lib, r->alink[0], 256 s->addr, htons(s->port)); 257 off += sizeof(struct nat44_cfg_spool); 258 /* Hook spool entry. */ 259 LIST_INSERT_HEAD(&r->spool_chain, s, _next); 260 } 261 /* And finally hook this redir entry. */ 262 LIST_INSERT_HEAD(&ptr->redir_chain, r, _next); 263 } 264 265 return (0); 266 } 267 268 static void 269 free_nat_instance(struct cfg_nat *ptr) 270 { 271 272 del_redir_spool_cfg(ptr, &ptr->redir_chain); 273 LibAliasUninit(ptr->lib); 274 free(ptr, M_IPFW); 275 } 276 277 278 /* 279 * ipfw_nat - perform mbuf header translation. 280 * 281 * Note V_layer3_chain has to be locked while calling ipfw_nat() in 282 * 'global' operation mode (t == NULL). 283 * 284 */ 285 static int 286 ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) 287 { 288 struct mbuf *mcl; 289 struct ip *ip; 290 /* XXX - libalias duct tape */ 291 int ldt, retval, found; 292 struct ip_fw_chain *chain; 293 char *c; 294 295 ldt = 0; 296 retval = 0; 297 mcl = m_megapullup(m, m->m_pkthdr.len); 298 if (mcl == NULL) { 299 args->m = NULL; 300 return (IP_FW_DENY); 301 } 302 ip = mtod(mcl, struct ip *); 303 304 /* 305 * XXX - Libalias checksum offload 'duct tape': 306 * 307 * locally generated packets have only pseudo-header checksum 308 * calculated and libalias will break it[1], so mark them for 309 * later fix. Moreover there are cases when libalias modifies 310 * tcp packet data[2], mark them for later fix too. 311 * 312 * [1] libalias was never meant to run in kernel, so it does 313 * not have any knowledge about checksum offloading, and 314 * expects a packet with a full internet checksum. 315 * Unfortunately, packets generated locally will have just the 316 * pseudo header calculated, and when libalias tries to adjust 317 * the checksum it will actually compute a wrong value. 318 * 319 * [2] when libalias modifies tcp's data content, full TCP 320 * checksum has to be recomputed: the problem is that 321 * libalias does not have any idea about checksum offloading. 322 * To work around this, we do not do checksumming in LibAlias, 323 * but only mark the packets in th_x2 field. If we receive a 324 * marked packet, we calculate correct checksum for it 325 * aware of offloading. Why such a terrible hack instead of 326 * recalculating checksum for each packet? 327 * Because the previous checksum was not checked! 328 * Recalculating checksums for EVERY packet will hide ALL 329 * transmission errors. Yes, marked packets still suffer from 330 * this problem. But, sigh, natd(8) has this problem, too. 331 * 332 * TODO: -make libalias mbuf aware (so 333 * it can handle delayed checksum and tso) 334 */ 335 336 if (mcl->m_pkthdr.rcvif == NULL && 337 mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) 338 ldt = 1; 339 340 c = mtod(mcl, char *); 341 342 /* Check if this is 'global' instance */ 343 if (t == NULL) { 344 if (args->oif == NULL) { 345 /* Wrong direction, skip processing */ 346 args->m = mcl; 347 return (IP_FW_NAT); 348 } 349 350 found = 0; 351 chain = &V_layer3_chain; 352 IPFW_RLOCK_ASSERT(chain); 353 /* Check every nat entry... */ 354 LIST_FOREACH(t, &chain->nat, _next) { 355 if ((t->mode & PKT_ALIAS_SKIP_GLOBAL) != 0) 356 continue; 357 retval = LibAliasOutTry(t->lib, c, 358 mcl->m_len + M_TRAILINGSPACE(mcl), 0); 359 if (retval == PKT_ALIAS_OK) { 360 /* Nat instance recognises state */ 361 found = 1; 362 break; 363 } 364 } 365 if (found != 1) { 366 /* No instance found, return ignore */ 367 args->m = mcl; 368 return (IP_FW_NAT); 369 } 370 } else { 371 if (args->oif == NULL) 372 retval = LibAliasIn(t->lib, c, 373 mcl->m_len + M_TRAILINGSPACE(mcl)); 374 else 375 retval = LibAliasOut(t->lib, c, 376 mcl->m_len + M_TRAILINGSPACE(mcl)); 377 } 378 379 /* 380 * We drop packet when: 381 * 1. libalias returns PKT_ALIAS_ERROR; 382 * 2. For incoming packets: 383 * a) for unresolved fragments; 384 * b) libalias returns PKT_ALIAS_IGNORED and 385 * PKT_ALIAS_DENY_INCOMING flag is set. 386 */ 387 if (retval == PKT_ALIAS_ERROR || 388 (args->oif == NULL && (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT || 389 (retval == PKT_ALIAS_IGNORED && 390 (t->mode & PKT_ALIAS_DENY_INCOMING) != 0)))) { 391 /* XXX - should i add some logging? */ 392 m_free(mcl); 393 args->m = NULL; 394 return (IP_FW_DENY); 395 } 396 397 if (retval == PKT_ALIAS_RESPOND) 398 mcl->m_flags |= M_SKIP_FIREWALL; 399 mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len); 400 401 /* 402 * XXX - libalias checksum offload 403 * 'duct tape' (see above) 404 */ 405 406 if ((ip->ip_off & htons(IP_OFFMASK)) == 0 && 407 ip->ip_p == IPPROTO_TCP) { 408 struct tcphdr *th; 409 410 th = (struct tcphdr *)(ip + 1); 411 if (th->th_x2) 412 ldt = 1; 413 } 414 415 if (ldt) { 416 struct tcphdr *th; 417 struct udphdr *uh; 418 uint16_t ip_len, cksum; 419 420 ip_len = ntohs(ip->ip_len); 421 cksum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, 422 htons(ip->ip_p + ip_len - (ip->ip_hl << 2))); 423 424 switch (ip->ip_p) { 425 case IPPROTO_TCP: 426 th = (struct tcphdr *)(ip + 1); 427 /* 428 * Maybe it was set in 429 * libalias... 430 */ 431 th->th_x2 = 0; 432 th->th_sum = cksum; 433 mcl->m_pkthdr.csum_data = 434 offsetof(struct tcphdr, th_sum); 435 break; 436 case IPPROTO_UDP: 437 uh = (struct udphdr *)(ip + 1); 438 uh->uh_sum = cksum; 439 mcl->m_pkthdr.csum_data = 440 offsetof(struct udphdr, uh_sum); 441 break; 442 } 443 /* No hw checksum offloading: do it ourselves */ 444 if ((mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) == 0) { 445 in_delayed_cksum(mcl); 446 mcl->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 447 } 448 } 449 args->m = mcl; 450 return (IP_FW_NAT); 451 } 452 453 static struct cfg_nat * 454 lookup_nat(struct nat_list *l, int nat_id) 455 { 456 struct cfg_nat *res; 457 458 LIST_FOREACH(res, l, _next) { 459 if (res->id == nat_id) 460 break; 461 } 462 return res; 463 } 464 465 static struct cfg_nat * 466 lookup_nat_name(struct nat_list *l, char *name) 467 { 468 struct cfg_nat *res; 469 int id; 470 char *errptr; 471 472 id = strtol(name, &errptr, 10); 473 if (id == 0 || *errptr != '\0') 474 return (NULL); 475 476 LIST_FOREACH(res, l, _next) { 477 if (res->id == id) 478 break; 479 } 480 return (res); 481 } 482 483 /* IP_FW3 configuration routines */ 484 485 static void 486 nat44_config(struct ip_fw_chain *chain, struct nat44_cfg_nat *ucfg) 487 { 488 struct cfg_nat *ptr, *tcfg; 489 int gencnt; 490 491 /* 492 * Find/create nat rule. 493 */ 494 IPFW_UH_WLOCK(chain); 495 gencnt = chain->gencnt; 496 ptr = lookup_nat_name(&chain->nat, ucfg->name); 497 if (ptr == NULL) { 498 IPFW_UH_WUNLOCK(chain); 499 /* New rule: allocate and init new instance. */ 500 ptr = malloc(sizeof(struct cfg_nat), M_IPFW, M_WAITOK | M_ZERO); 501 ptr->lib = LibAliasInit(NULL); 502 LIST_INIT(&ptr->redir_chain); 503 } else { 504 /* Entry already present: temporarily unhook it. */ 505 IPFW_WLOCK(chain); 506 LIST_REMOVE(ptr, _next); 507 flush_nat_ptrs(chain, ptr->id); 508 IPFW_WUNLOCK(chain); 509 IPFW_UH_WUNLOCK(chain); 510 } 511 512 /* 513 * Basic nat (re)configuration. 514 */ 515 ptr->id = strtol(ucfg->name, NULL, 10); 516 /* 517 * XXX - what if this rule doesn't nat any ip and just 518 * redirect? 519 * do we set aliasaddress to 0.0.0.0? 520 */ 521 ptr->ip = ucfg->ip; 522 ptr->redir_cnt = ucfg->redir_cnt; 523 ptr->mode = ucfg->mode; 524 strlcpy(ptr->if_name, ucfg->if_name, sizeof(ptr->if_name)); 525 LibAliasSetMode(ptr->lib, ptr->mode, ~0); 526 LibAliasSetAddress(ptr->lib, ptr->ip); 527 528 /* 529 * Redir and LSNAT configuration. 530 */ 531 /* Delete old cfgs. */ 532 del_redir_spool_cfg(ptr, &ptr->redir_chain); 533 /* Add new entries. */ 534 add_redir_spool_cfg((char *)(ucfg + 1), ptr); 535 IPFW_UH_WLOCK(chain); 536 537 /* Extra check to avoid race with another ipfw_nat_cfg() */ 538 tcfg = NULL; 539 if (gencnt != chain->gencnt) 540 tcfg = lookup_nat_name(&chain->nat, ucfg->name); 541 IPFW_WLOCK(chain); 542 if (tcfg != NULL) 543 LIST_REMOVE(tcfg, _next); 544 LIST_INSERT_HEAD(&chain->nat, ptr, _next); 545 IPFW_WUNLOCK(chain); 546 chain->gencnt++; 547 548 IPFW_UH_WUNLOCK(chain); 549 550 if (tcfg != NULL) 551 free_nat_instance(ptr); 552 } 553 554 /* 555 * Creates/configure nat44 instance 556 * Data layout (v0)(current): 557 * Request: [ ipfw_obj_header nat44_cfg_nat .. ] 558 * 559 * Returns 0 on success 560 */ 561 static int 562 nat44_cfg(struct ip_fw_chain *chain, ip_fw3_opheader *op3, 563 struct sockopt_data *sd) 564 { 565 ipfw_obj_header *oh; 566 struct nat44_cfg_nat *ucfg; 567 int id; 568 size_t read; 569 char *errptr; 570 571 /* Check minimum header size */ 572 if (sd->valsize < (sizeof(*oh) + sizeof(*ucfg))) 573 return (EINVAL); 574 575 oh = (ipfw_obj_header *)sd->kbuf; 576 577 /* Basic length checks for TLVs */ 578 if (oh->ntlv.head.length != sizeof(oh->ntlv)) 579 return (EINVAL); 580 581 ucfg = (struct nat44_cfg_nat *)(oh + 1); 582 583 /* Check if name is properly terminated and looks like number */ 584 if (strnlen(ucfg->name, sizeof(ucfg->name)) == sizeof(ucfg->name)) 585 return (EINVAL); 586 id = strtol(ucfg->name, &errptr, 10); 587 if (id == 0 || *errptr != '\0') 588 return (EINVAL); 589 590 read = sizeof(*oh) + sizeof(*ucfg); 591 /* Check number of redirs */ 592 if (sd->valsize < read + ucfg->redir_cnt*sizeof(struct nat44_cfg_redir)) 593 return (EINVAL); 594 595 nat44_config(chain, ucfg); 596 return (0); 597 } 598 599 /* 600 * Destroys given nat instances. 601 * Data layout (v0)(current): 602 * Request: [ ipfw_obj_header ] 603 * 604 * Returns 0 on success 605 */ 606 static int 607 nat44_destroy(struct ip_fw_chain *chain, ip_fw3_opheader *op3, 608 struct sockopt_data *sd) 609 { 610 ipfw_obj_header *oh; 611 struct cfg_nat *ptr; 612 ipfw_obj_ntlv *ntlv; 613 614 /* Check minimum header size */ 615 if (sd->valsize < sizeof(*oh)) 616 return (EINVAL); 617 618 oh = (ipfw_obj_header *)sd->kbuf; 619 620 /* Basic length checks for TLVs */ 621 if (oh->ntlv.head.length != sizeof(oh->ntlv)) 622 return (EINVAL); 623 624 ntlv = &oh->ntlv; 625 /* Check if name is properly terminated */ 626 if (strnlen(ntlv->name, sizeof(ntlv->name)) == sizeof(ntlv->name)) 627 return (EINVAL); 628 629 IPFW_UH_WLOCK(chain); 630 ptr = lookup_nat_name(&chain->nat, ntlv->name); 631 if (ptr == NULL) { 632 IPFW_UH_WUNLOCK(chain); 633 return (ESRCH); 634 } 635 IPFW_WLOCK(chain); 636 LIST_REMOVE(ptr, _next); 637 flush_nat_ptrs(chain, ptr->id); 638 IPFW_WUNLOCK(chain); 639 IPFW_UH_WUNLOCK(chain); 640 641 free_nat_instance(ptr); 642 643 return (0); 644 } 645 646 static void 647 export_nat_cfg(struct cfg_nat *ptr, struct nat44_cfg_nat *ucfg) 648 { 649 650 snprintf(ucfg->name, sizeof(ucfg->name), "%d", ptr->id); 651 ucfg->ip = ptr->ip; 652 ucfg->redir_cnt = ptr->redir_cnt; 653 ucfg->mode = ptr->mode; 654 strlcpy(ucfg->if_name, ptr->if_name, sizeof(ucfg->if_name)); 655 } 656 657 /* 658 * Gets config for given nat instance 659 * Data layout (v0)(current): 660 * Request: [ ipfw_obj_header nat44_cfg_nat .. ] 661 * 662 * Returns 0 on success 663 */ 664 static int 665 nat44_get_cfg(struct ip_fw_chain *chain, ip_fw3_opheader *op3, 666 struct sockopt_data *sd) 667 { 668 ipfw_obj_header *oh; 669 struct nat44_cfg_nat *ucfg; 670 struct cfg_nat *ptr; 671 struct cfg_redir *r; 672 struct cfg_spool *s; 673 struct nat44_cfg_redir *ser_r; 674 struct nat44_cfg_spool *ser_s; 675 size_t sz; 676 677 sz = sizeof(*oh) + sizeof(*ucfg); 678 /* Check minimum header size */ 679 if (sd->valsize < sz) 680 return (EINVAL); 681 682 oh = (struct _ipfw_obj_header *)ipfw_get_sopt_header(sd, sz); 683 684 /* Basic length checks for TLVs */ 685 if (oh->ntlv.head.length != sizeof(oh->ntlv)) 686 return (EINVAL); 687 688 ucfg = (struct nat44_cfg_nat *)(oh + 1); 689 690 /* Check if name is properly terminated */ 691 if (strnlen(ucfg->name, sizeof(ucfg->name)) == sizeof(ucfg->name)) 692 return (EINVAL); 693 694 IPFW_UH_RLOCK(chain); 695 ptr = lookup_nat_name(&chain->nat, ucfg->name); 696 if (ptr == NULL) { 697 IPFW_UH_RUNLOCK(chain); 698 return (ESRCH); 699 } 700 701 export_nat_cfg(ptr, ucfg); 702 703 /* Estimate memory amount */ 704 sz = sizeof(ipfw_obj_header) + sizeof(struct nat44_cfg_nat); 705 LIST_FOREACH(r, &ptr->redir_chain, _next) { 706 sz += sizeof(struct nat44_cfg_redir); 707 LIST_FOREACH(s, &r->spool_chain, _next) 708 sz += sizeof(struct nat44_cfg_spool); 709 } 710 711 ucfg->size = sz; 712 if (sd->valsize < sz) { 713 714 /* 715 * Submitted buffer size is not enough. 716 * WE've already filled in @ucfg structure with 717 * relevant info including size, so we 718 * can return. Buffer will be flushed automatically. 719 */ 720 IPFW_UH_RUNLOCK(chain); 721 return (ENOMEM); 722 } 723 724 /* Size OK, let's copy data */ 725 LIST_FOREACH(r, &ptr->redir_chain, _next) { 726 ser_r = (struct nat44_cfg_redir *)ipfw_get_sopt_space(sd, 727 sizeof(*ser_r)); 728 ser_r->mode = r->mode; 729 ser_r->laddr = r->laddr; 730 ser_r->paddr = r->paddr; 731 ser_r->raddr = r->raddr; 732 ser_r->lport = r->lport; 733 ser_r->pport = r->pport; 734 ser_r->rport = r->rport; 735 ser_r->pport_cnt = r->pport_cnt; 736 ser_r->rport_cnt = r->rport_cnt; 737 ser_r->proto = r->proto; 738 ser_r->spool_cnt = r->spool_cnt; 739 740 LIST_FOREACH(s, &r->spool_chain, _next) { 741 ser_s = (struct nat44_cfg_spool *)ipfw_get_sopt_space( 742 sd, sizeof(*ser_s)); 743 744 ser_s->addr = s->addr; 745 ser_s->port = s->port; 746 } 747 } 748 749 IPFW_UH_RUNLOCK(chain); 750 751 return (0); 752 } 753 754 /* 755 * Lists all nat44 instances currently available in kernel. 756 * Data layout (v0)(current): 757 * Request: [ ipfw_obj_lheader ] 758 * Reply: [ ipfw_obj_lheader nat44_cfg_nat x N ] 759 * 760 * Returns 0 on success 761 */ 762 static int 763 nat44_list_nat(struct ip_fw_chain *chain, ip_fw3_opheader *op3, 764 struct sockopt_data *sd) 765 { 766 ipfw_obj_lheader *olh; 767 struct nat44_cfg_nat *ucfg; 768 struct cfg_nat *ptr; 769 int nat_count; 770 771 /* Check minimum header size */ 772 if (sd->valsize < sizeof(ipfw_obj_lheader)) 773 return (EINVAL); 774 775 olh = (ipfw_obj_lheader *)ipfw_get_sopt_header(sd, sizeof(*olh)); 776 IPFW_UH_RLOCK(chain); 777 nat_count = 0; 778 LIST_FOREACH(ptr, &chain->nat, _next) 779 nat_count++; 780 781 olh->count = nat_count; 782 olh->objsize = sizeof(struct nat44_cfg_nat); 783 olh->size = sizeof(*olh) + olh->count * olh->objsize; 784 785 if (sd->valsize < olh->size) { 786 IPFW_UH_RUNLOCK(chain); 787 return (ENOMEM); 788 } 789 790 LIST_FOREACH(ptr, &chain->nat, _next) { 791 ucfg = (struct nat44_cfg_nat *)ipfw_get_sopt_space(sd, 792 sizeof(*ucfg)); 793 export_nat_cfg(ptr, ucfg); 794 } 795 796 IPFW_UH_RUNLOCK(chain); 797 798 return (0); 799 } 800 801 /* 802 * Gets log for given nat instance 803 * Data layout (v0)(current): 804 * Request: [ ipfw_obj_header nat44_cfg_nat ] 805 * Reply: [ ipfw_obj_header nat44_cfg_nat LOGBUFFER ] 806 * 807 * Returns 0 on success 808 */ 809 static int 810 nat44_get_log(struct ip_fw_chain *chain, ip_fw3_opheader *op3, 811 struct sockopt_data *sd) 812 { 813 ipfw_obj_header *oh; 814 struct nat44_cfg_nat *ucfg; 815 struct cfg_nat *ptr; 816 void *pbuf; 817 size_t sz; 818 819 sz = sizeof(*oh) + sizeof(*ucfg); 820 /* Check minimum header size */ 821 if (sd->valsize < sz) 822 return (EINVAL); 823 824 oh = (struct _ipfw_obj_header *)ipfw_get_sopt_header(sd, sz); 825 826 /* Basic length checks for TLVs */ 827 if (oh->ntlv.head.length != sizeof(oh->ntlv)) 828 return (EINVAL); 829 830 ucfg = (struct nat44_cfg_nat *)(oh + 1); 831 832 /* Check if name is properly terminated */ 833 if (strnlen(ucfg->name, sizeof(ucfg->name)) == sizeof(ucfg->name)) 834 return (EINVAL); 835 836 IPFW_UH_RLOCK(chain); 837 ptr = lookup_nat_name(&chain->nat, ucfg->name); 838 if (ptr == NULL) { 839 IPFW_UH_RUNLOCK(chain); 840 return (ESRCH); 841 } 842 843 if (ptr->lib->logDesc == NULL) { 844 IPFW_UH_RUNLOCK(chain); 845 return (ENOENT); 846 } 847 848 export_nat_cfg(ptr, ucfg); 849 850 /* Estimate memory amount */ 851 ucfg->size = sizeof(struct nat44_cfg_nat) + LIBALIAS_BUF_SIZE; 852 if (sd->valsize < sz + sizeof(*oh)) { 853 854 /* 855 * Submitted buffer size is not enough. 856 * WE've already filled in @ucfg structure with 857 * relevant info including size, so we 858 * can return. Buffer will be flushed automatically. 859 */ 860 IPFW_UH_RUNLOCK(chain); 861 return (ENOMEM); 862 } 863 864 pbuf = (void *)ipfw_get_sopt_space(sd, LIBALIAS_BUF_SIZE); 865 memcpy(pbuf, ptr->lib->logDesc, LIBALIAS_BUF_SIZE); 866 867 IPFW_UH_RUNLOCK(chain); 868 869 return (0); 870 } 871 872 static struct ipfw_sopt_handler scodes[] = { 873 { IP_FW_NAT44_XCONFIG, 0, HDIR_SET, nat44_cfg }, 874 { IP_FW_NAT44_DESTROY, 0, HDIR_SET, nat44_destroy }, 875 { IP_FW_NAT44_XGETCONFIG, 0, HDIR_GET, nat44_get_cfg }, 876 { IP_FW_NAT44_LIST_NAT, 0, HDIR_GET, nat44_list_nat }, 877 { IP_FW_NAT44_XGETLOG, 0, HDIR_GET, nat44_get_log }, 878 }; 879 880 881 /* 882 * Legacy configuration routines 883 */ 884 885 struct cfg_spool_legacy { 886 LIST_ENTRY(cfg_spool_legacy) _next; 887 struct in_addr addr; 888 u_short port; 889 }; 890 891 struct cfg_redir_legacy { 892 LIST_ENTRY(cfg_redir) _next; 893 u_int16_t mode; 894 struct in_addr laddr; 895 struct in_addr paddr; 896 struct in_addr raddr; 897 u_short lport; 898 u_short pport; 899 u_short rport; 900 u_short pport_cnt; 901 u_short rport_cnt; 902 int proto; 903 struct alias_link **alink; 904 u_int16_t spool_cnt; 905 LIST_HEAD(, cfg_spool_legacy) spool_chain; 906 }; 907 908 struct cfg_nat_legacy { 909 LIST_ENTRY(cfg_nat_legacy) _next; 910 int id; 911 struct in_addr ip; 912 char if_name[IF_NAMESIZE]; 913 int mode; 914 struct libalias *lib; 915 int redir_cnt; 916 LIST_HEAD(, cfg_redir_legacy) redir_chain; 917 }; 918 919 static int 920 ipfw_nat_cfg(struct sockopt *sopt) 921 { 922 struct cfg_nat_legacy *cfg; 923 struct nat44_cfg_nat *ucfg; 924 struct cfg_redir_legacy *rdir; 925 struct nat44_cfg_redir *urdir; 926 char *buf; 927 size_t len, len2; 928 int error, i; 929 930 len = sopt->sopt_valsize; 931 len2 = len + 128; 932 933 /* 934 * Allocate 2x buffer to store converted structures. 935 * new redir_cfg has shrinked, so we're sure that 936 * new buffer size is enough. 937 */ 938 buf = malloc(roundup2(len, 8) + len2, M_TEMP, M_WAITOK | M_ZERO); 939 error = sooptcopyin(sopt, buf, len, sizeof(struct cfg_nat_legacy)); 940 if (error != 0) 941 goto out; 942 943 cfg = (struct cfg_nat_legacy *)buf; 944 if (cfg->id < 0) { 945 error = EINVAL; 946 goto out; 947 } 948 949 ucfg = (struct nat44_cfg_nat *)&buf[roundup2(len, 8)]; 950 snprintf(ucfg->name, sizeof(ucfg->name), "%d", cfg->id); 951 strlcpy(ucfg->if_name, cfg->if_name, sizeof(ucfg->if_name)); 952 ucfg->ip = cfg->ip; 953 ucfg->mode = cfg->mode; 954 ucfg->redir_cnt = cfg->redir_cnt; 955 956 if (len < sizeof(*cfg) + cfg->redir_cnt * sizeof(*rdir)) { 957 error = EINVAL; 958 goto out; 959 } 960 961 urdir = (struct nat44_cfg_redir *)(ucfg + 1); 962 rdir = (struct cfg_redir_legacy *)(cfg + 1); 963 for (i = 0; i < cfg->redir_cnt; i++) { 964 urdir->mode = rdir->mode; 965 urdir->laddr = rdir->laddr; 966 urdir->paddr = rdir->paddr; 967 urdir->raddr = rdir->raddr; 968 urdir->lport = rdir->lport; 969 urdir->pport = rdir->pport; 970 urdir->rport = rdir->rport; 971 urdir->pport_cnt = rdir->pport_cnt; 972 urdir->rport_cnt = rdir->rport_cnt; 973 urdir->proto = rdir->proto; 974 urdir->spool_cnt = rdir->spool_cnt; 975 976 urdir++; 977 rdir++; 978 } 979 980 nat44_config(&V_layer3_chain, ucfg); 981 982 out: 983 free(buf, M_TEMP); 984 return (error); 985 } 986 987 static int 988 ipfw_nat_del(struct sockopt *sopt) 989 { 990 struct cfg_nat *ptr; 991 struct ip_fw_chain *chain = &V_layer3_chain; 992 int i; 993 994 sooptcopyin(sopt, &i, sizeof i, sizeof i); 995 /* XXX validate i */ 996 IPFW_UH_WLOCK(chain); 997 ptr = lookup_nat(&chain->nat, i); 998 if (ptr == NULL) { 999 IPFW_UH_WUNLOCK(chain); 1000 return (EINVAL); 1001 } 1002 IPFW_WLOCK(chain); 1003 LIST_REMOVE(ptr, _next); 1004 flush_nat_ptrs(chain, i); 1005 IPFW_WUNLOCK(chain); 1006 IPFW_UH_WUNLOCK(chain); 1007 free_nat_instance(ptr); 1008 return (0); 1009 } 1010 1011 static int 1012 ipfw_nat_get_cfg(struct sockopt *sopt) 1013 { 1014 struct ip_fw_chain *chain = &V_layer3_chain; 1015 struct cfg_nat *n; 1016 struct cfg_nat_legacy *ucfg; 1017 struct cfg_redir *r; 1018 struct cfg_spool *s; 1019 struct cfg_redir_legacy *ser_r; 1020 struct cfg_spool_legacy *ser_s; 1021 char *data; 1022 int gencnt, nat_cnt, len, error; 1023 1024 nat_cnt = 0; 1025 len = sizeof(nat_cnt); 1026 1027 IPFW_UH_RLOCK(chain); 1028 retry: 1029 gencnt = chain->gencnt; 1030 /* Estimate memory amount */ 1031 LIST_FOREACH(n, &chain->nat, _next) { 1032 nat_cnt++; 1033 len += sizeof(struct cfg_nat_legacy); 1034 LIST_FOREACH(r, &n->redir_chain, _next) { 1035 len += sizeof(struct cfg_redir_legacy); 1036 LIST_FOREACH(s, &r->spool_chain, _next) 1037 len += sizeof(struct cfg_spool_legacy); 1038 } 1039 } 1040 IPFW_UH_RUNLOCK(chain); 1041 1042 data = malloc(len, M_TEMP, M_WAITOK | M_ZERO); 1043 bcopy(&nat_cnt, data, sizeof(nat_cnt)); 1044 1045 nat_cnt = 0; 1046 len = sizeof(nat_cnt); 1047 1048 IPFW_UH_RLOCK(chain); 1049 if (gencnt != chain->gencnt) { 1050 free(data, M_TEMP); 1051 goto retry; 1052 } 1053 /* Serialize all the data. */ 1054 LIST_FOREACH(n, &chain->nat, _next) { 1055 ucfg = (struct cfg_nat_legacy *)&data[len]; 1056 ucfg->id = n->id; 1057 ucfg->ip = n->ip; 1058 ucfg->redir_cnt = n->redir_cnt; 1059 ucfg->mode = n->mode; 1060 strlcpy(ucfg->if_name, n->if_name, sizeof(ucfg->if_name)); 1061 len += sizeof(struct cfg_nat_legacy); 1062 LIST_FOREACH(r, &n->redir_chain, _next) { 1063 ser_r = (struct cfg_redir_legacy *)&data[len]; 1064 ser_r->mode = r->mode; 1065 ser_r->laddr = r->laddr; 1066 ser_r->paddr = r->paddr; 1067 ser_r->raddr = r->raddr; 1068 ser_r->lport = r->lport; 1069 ser_r->pport = r->pport; 1070 ser_r->rport = r->rport; 1071 ser_r->pport_cnt = r->pport_cnt; 1072 ser_r->rport_cnt = r->rport_cnt; 1073 ser_r->proto = r->proto; 1074 ser_r->spool_cnt = r->spool_cnt; 1075 len += sizeof(struct cfg_redir_legacy); 1076 LIST_FOREACH(s, &r->spool_chain, _next) { 1077 ser_s = (struct cfg_spool_legacy *)&data[len]; 1078 ser_s->addr = s->addr; 1079 ser_s->port = s->port; 1080 len += sizeof(struct cfg_spool_legacy); 1081 } 1082 } 1083 } 1084 IPFW_UH_RUNLOCK(chain); 1085 1086 error = sooptcopyout(sopt, data, len); 1087 free(data, M_TEMP); 1088 1089 return (error); 1090 } 1091 1092 static int 1093 ipfw_nat_get_log(struct sockopt *sopt) 1094 { 1095 uint8_t *data; 1096 struct cfg_nat *ptr; 1097 int i, size; 1098 struct ip_fw_chain *chain; 1099 IPFW_RLOCK_TRACKER; 1100 1101 chain = &V_layer3_chain; 1102 1103 IPFW_RLOCK(chain); 1104 /* one pass to count, one to copy the data */ 1105 i = 0; 1106 LIST_FOREACH(ptr, &chain->nat, _next) { 1107 if (ptr->lib->logDesc == NULL) 1108 continue; 1109 i++; 1110 } 1111 size = i * (LIBALIAS_BUF_SIZE + sizeof(int)); 1112 data = malloc(size, M_IPFW, M_NOWAIT | M_ZERO); 1113 if (data == NULL) { 1114 IPFW_RUNLOCK(chain); 1115 return (ENOSPC); 1116 } 1117 i = 0; 1118 LIST_FOREACH(ptr, &chain->nat, _next) { 1119 if (ptr->lib->logDesc == NULL) 1120 continue; 1121 bcopy(&ptr->id, &data[i], sizeof(int)); 1122 i += sizeof(int); 1123 bcopy(ptr->lib->logDesc, &data[i], LIBALIAS_BUF_SIZE); 1124 i += LIBALIAS_BUF_SIZE; 1125 } 1126 IPFW_RUNLOCK(chain); 1127 sooptcopyout(sopt, data, size); 1128 free(data, M_IPFW); 1129 return(0); 1130 } 1131 1132 static int 1133 vnet_ipfw_nat_init(const void *arg __unused) 1134 { 1135 1136 V_ipfw_nat_ready = 1; 1137 return (0); 1138 } 1139 1140 static int 1141 vnet_ipfw_nat_uninit(const void *arg __unused) 1142 { 1143 struct cfg_nat *ptr, *ptr_temp; 1144 struct ip_fw_chain *chain; 1145 1146 chain = &V_layer3_chain; 1147 IPFW_WLOCK(chain); 1148 LIST_FOREACH_SAFE(ptr, &chain->nat, _next, ptr_temp) { 1149 LIST_REMOVE(ptr, _next); 1150 free_nat_instance(ptr); 1151 } 1152 flush_nat_ptrs(chain, -1 /* flush all */); 1153 V_ipfw_nat_ready = 0; 1154 IPFW_WUNLOCK(chain); 1155 return (0); 1156 } 1157 1158 static void 1159 ipfw_nat_init(void) 1160 { 1161 1162 /* init ipfw hooks */ 1163 ipfw_nat_ptr = ipfw_nat; 1164 lookup_nat_ptr = lookup_nat; 1165 ipfw_nat_cfg_ptr = ipfw_nat_cfg; 1166 ipfw_nat_del_ptr = ipfw_nat_del; 1167 ipfw_nat_get_cfg_ptr = ipfw_nat_get_cfg; 1168 ipfw_nat_get_log_ptr = ipfw_nat_get_log; 1169 IPFW_ADD_SOPT_HANDLER(1, scodes); 1170 1171 ifaddr_event_tag = EVENTHANDLER_REGISTER(ifaddr_event, ifaddr_change, 1172 NULL, EVENTHANDLER_PRI_ANY); 1173 } 1174 1175 static void 1176 ipfw_nat_destroy(void) 1177 { 1178 1179 EVENTHANDLER_DEREGISTER(ifaddr_event, ifaddr_event_tag); 1180 /* deregister ipfw_nat */ 1181 IPFW_DEL_SOPT_HANDLER(1, scodes); 1182 ipfw_nat_ptr = NULL; 1183 lookup_nat_ptr = NULL; 1184 ipfw_nat_cfg_ptr = NULL; 1185 ipfw_nat_del_ptr = NULL; 1186 ipfw_nat_get_cfg_ptr = NULL; 1187 ipfw_nat_get_log_ptr = NULL; 1188 } 1189 1190 static int 1191 ipfw_nat_modevent(module_t mod, int type, void *unused) 1192 { 1193 int err = 0; 1194 1195 switch (type) { 1196 case MOD_LOAD: 1197 break; 1198 1199 case MOD_UNLOAD: 1200 break; 1201 1202 default: 1203 return EOPNOTSUPP; 1204 break; 1205 } 1206 return err; 1207 } 1208 1209 static moduledata_t ipfw_nat_mod = { 1210 "ipfw_nat", 1211 ipfw_nat_modevent, 1212 0 1213 }; 1214 1215 /* Define startup order. */ 1216 #define IPFW_NAT_SI_SUB_FIREWALL SI_SUB_PROTO_IFATTACHDOMAIN 1217 #define IPFW_NAT_MODEVENT_ORDER (SI_ORDER_ANY - 128) /* after ipfw */ 1218 #define IPFW_NAT_MODULE_ORDER (IPFW_NAT_MODEVENT_ORDER + 1) 1219 #define IPFW_NAT_VNET_ORDER (IPFW_NAT_MODEVENT_ORDER + 2) 1220 1221 DECLARE_MODULE(ipfw_nat, ipfw_nat_mod, IPFW_NAT_SI_SUB_FIREWALL, SI_ORDER_ANY); 1222 MODULE_DEPEND(ipfw_nat, libalias, 1, 1, 1); 1223 MODULE_DEPEND(ipfw_nat, ipfw, 3, 3, 3); 1224 MODULE_VERSION(ipfw_nat, 1); 1225 1226 SYSINIT(ipfw_nat_init, IPFW_NAT_SI_SUB_FIREWALL, IPFW_NAT_MODULE_ORDER, 1227 ipfw_nat_init, NULL); 1228 VNET_SYSINIT(vnet_ipfw_nat_init, IPFW_NAT_SI_SUB_FIREWALL, IPFW_NAT_VNET_ORDER, 1229 vnet_ipfw_nat_init, NULL); 1230 1231 SYSUNINIT(ipfw_nat_destroy, IPFW_NAT_SI_SUB_FIREWALL, IPFW_NAT_MODULE_ORDER, 1232 ipfw_nat_destroy, NULL); 1233 VNET_SYSUNINIT(vnet_ipfw_nat_uninit, IPFW_NAT_SI_SUB_FIREWALL, 1234 IPFW_NAT_VNET_ORDER, vnet_ipfw_nat_uninit, NULL); 1235 1236 /* end of file */ 1237