1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2015-2019 Yandex LLC 5 * Copyright (c) 2015-2019 Andrey V. Elsukov <ae@FreeBSD.org> 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 #include <sys/cdefs.h> 30 __FBSDID("$FreeBSD$"); 31 32 #include "opt_ipstealth.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/counter.h> 37 #include <sys/errno.h> 38 #include <sys/kernel.h> 39 #include <sys/lock.h> 40 #include <sys/mbuf.h> 41 #include <sys/module.h> 42 #include <sys/rmlock.h> 43 #include <sys/rwlock.h> 44 #include <sys/socket.h> 45 #include <sys/queue.h> 46 47 #include <net/if.h> 48 #include <net/if_var.h> 49 #include <net/if_private.h> 50 #include <net/if_pflog.h> 51 #include <net/pfil.h> 52 #include <net/netisr.h> 53 #include <net/route.h> 54 #include <net/route/nhop.h> 55 56 #include <netinet/in.h> 57 #include <netinet/in_fib.h> 58 #include <netinet/in_var.h> 59 #include <netinet/ip.h> 60 #include <netinet/ip_var.h> 61 #include <netinet/ip_fw.h> 62 #include <netinet/ip6.h> 63 #include <netinet/icmp6.h> 64 #include <netinet/ip_icmp.h> 65 #include <netinet/tcp.h> 66 #include <netinet/udp.h> 67 #include <netinet6/in6_var.h> 68 #include <netinet6/in6_fib.h> 69 #include <netinet6/ip6_var.h> 70 #include <netinet6/ip_fw_nat64.h> 71 72 #include <netpfil/pf/pf.h> 73 #include <netpfil/ipfw/ip_fw_private.h> 74 #include <machine/in_cksum.h> 75 76 #include "ip_fw_nat64.h" 77 #include "nat64_translate.h" 78 79 typedef int (*nat64_output_t)(struct ifnet *, struct mbuf *, 80 struct sockaddr *, struct nat64_counters *, void *); 81 typedef int (*nat64_output_one_t)(struct mbuf *, struct nat64_counters *, 82 void *); 83 84 static struct nhop_object *nat64_find_route4(struct sockaddr_in *, 85 struct mbuf *); 86 static struct nhop_object *nat64_find_route6(struct sockaddr_in6 *, 87 struct mbuf *); 88 static int nat64_output_one(struct mbuf *, struct nat64_counters *, void *); 89 static int nat64_output(struct ifnet *, struct mbuf *, struct sockaddr *, 90 struct nat64_counters *, void *); 91 static int nat64_direct_output_one(struct mbuf *, struct nat64_counters *, 92 void *); 93 static int nat64_direct_output(struct ifnet *, struct mbuf *, 94 struct sockaddr *, struct nat64_counters *, void *); 95 96 struct nat64_methods { 97 nat64_output_t output; 98 nat64_output_one_t output_one; 99 }; 100 static const struct nat64_methods nat64_netisr = { 101 .output = nat64_output, 102 .output_one = nat64_output_one 103 }; 104 static const struct nat64_methods nat64_direct = { 105 .output = nat64_direct_output, 106 .output_one = nat64_direct_output_one 107 }; 108 109 /* These variables should be initialized explicitly on module loading */ 110 VNET_DEFINE_STATIC(const struct nat64_methods *, nat64out); 111 VNET_DEFINE_STATIC(const int *, nat64ipstealth); 112 VNET_DEFINE_STATIC(const int *, nat64ip6stealth); 113 #define V_nat64out VNET(nat64out) 114 #define V_nat64ipstealth VNET(nat64ipstealth) 115 #define V_nat64ip6stealth VNET(nat64ip6stealth) 116 117 static const int stealth_on = 1; 118 #ifndef IPSTEALTH 119 static const int stealth_off = 0; 120 #endif 121 122 void 123 nat64_set_output_method(int direct) 124 { 125 126 if (direct != 0) { 127 V_nat64out = &nat64_direct; 128 #ifdef IPSTEALTH 129 /* Honor corresponding variables, if IPSTEALTH is defined */ 130 V_nat64ipstealth = &V_ipstealth; 131 V_nat64ip6stealth = &V_ip6stealth; 132 #else 133 /* otherwise we need to decrement HLIM/TTL for direct case */ 134 V_nat64ipstealth = V_nat64ip6stealth = &stealth_off; 135 #endif 136 } else { 137 V_nat64out = &nat64_netisr; 138 /* Leave TTL/HLIM decrementing to forwarding code */ 139 V_nat64ipstealth = V_nat64ip6stealth = &stealth_on; 140 } 141 } 142 143 int 144 nat64_get_output_method(void) 145 { 146 147 return (V_nat64out == &nat64_direct ? 1: 0); 148 } 149 150 static void 151 nat64_log(struct pfloghdr *logdata, struct mbuf *m, sa_family_t family) 152 { 153 154 logdata->dir = PF_OUT; 155 logdata->af = family; 156 ipfw_bpf_mtap2(logdata, PFLOG_HDRLEN, m); 157 } 158 159 static int 160 nat64_direct_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 161 struct nat64_counters *stats, void *logdata) 162 { 163 int error; 164 165 if (logdata != NULL) 166 nat64_log(logdata, m, dst->sa_family); 167 error = (*ifp->if_output)(ifp, m, dst, NULL); 168 if (error != 0) 169 NAT64STAT_INC(stats, oerrors); 170 return (error); 171 } 172 173 static int 174 nat64_direct_output_one(struct mbuf *m, struct nat64_counters *stats, 175 void *logdata) 176 { 177 struct nhop_object *nh4 = NULL; 178 struct nhop_object *nh6 = NULL; 179 struct sockaddr_in6 dst6; 180 struct sockaddr_in dst4; 181 struct sockaddr *dst; 182 struct ip6_hdr *ip6; 183 struct ip *ip4; 184 struct ifnet *ifp; 185 int error; 186 187 ip4 = mtod(m, struct ip *); 188 error = 0; 189 switch (ip4->ip_v) { 190 case IPVERSION: 191 dst4.sin_addr = ip4->ip_dst; 192 nh4 = nat64_find_route4(&dst4, m); 193 if (nh4 == NULL) { 194 NAT64STAT_INC(stats, noroute4); 195 error = EHOSTUNREACH; 196 } else { 197 ifp = nh4->nh_ifp; 198 dst = (struct sockaddr *)&dst4; 199 } 200 break; 201 case (IPV6_VERSION >> 4): 202 ip6 = mtod(m, struct ip6_hdr *); 203 dst6.sin6_addr = ip6->ip6_dst; 204 nh6 = nat64_find_route6(&dst6, m); 205 if (nh6 == NULL) { 206 NAT64STAT_INC(stats, noroute6); 207 error = EHOSTUNREACH; 208 } else { 209 ifp = nh6->nh_ifp; 210 dst = (struct sockaddr *)&dst6; 211 } 212 break; 213 default: 214 m_freem(m); 215 NAT64STAT_INC(stats, dropped); 216 DPRINTF(DP_DROPS, "dropped due to unknown IP version"); 217 return (EAFNOSUPPORT); 218 } 219 if (error != 0) { 220 m_freem(m); 221 return (EHOSTUNREACH); 222 } 223 if (logdata != NULL) 224 nat64_log(logdata, m, dst->sa_family); 225 error = (*ifp->if_output)(ifp, m, dst, NULL); 226 if (error != 0) 227 NAT64STAT_INC(stats, oerrors); 228 return (error); 229 } 230 231 static int 232 nat64_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 233 struct nat64_counters *stats, void *logdata) 234 { 235 struct ip *ip4; 236 int ret, af; 237 238 ip4 = mtod(m, struct ip *); 239 switch (ip4->ip_v) { 240 case IPVERSION: 241 af = AF_INET; 242 ret = NETISR_IP; 243 break; 244 case (IPV6_VERSION >> 4): 245 af = AF_INET6; 246 ret = NETISR_IPV6; 247 break; 248 default: 249 m_freem(m); 250 NAT64STAT_INC(stats, dropped); 251 DPRINTF(DP_DROPS, "unknown IP version"); 252 return (EAFNOSUPPORT); 253 } 254 if (logdata != NULL) 255 nat64_log(logdata, m, af); 256 if (m->m_pkthdr.rcvif == NULL) 257 m->m_pkthdr.rcvif = V_loif; 258 ret = netisr_queue(ret, m); 259 if (ret != 0) 260 NAT64STAT_INC(stats, oerrors); 261 return (ret); 262 } 263 264 static int 265 nat64_output_one(struct mbuf *m, struct nat64_counters *stats, void *logdata) 266 { 267 268 return (nat64_output(NULL, m, NULL, stats, logdata)); 269 } 270 271 /* 272 * Check the given IPv6 prefix and length according to RFC6052: 273 * The prefixes can only have one of the following lengths: 274 * 32, 40, 48, 56, 64, or 96 (The Well-Known Prefix is 96 bits long). 275 * Returns zero on success, otherwise EINVAL. 276 */ 277 int 278 nat64_check_prefixlen(int length) 279 { 280 281 switch (length) { 282 case 32: 283 case 40: 284 case 48: 285 case 56: 286 case 64: 287 case 96: 288 return (0); 289 } 290 return (EINVAL); 291 } 292 293 int 294 nat64_check_prefix6(const struct in6_addr *prefix, int length) 295 { 296 297 if (nat64_check_prefixlen(length) != 0) 298 return (EINVAL); 299 300 /* Well-known prefix has 96 prefix length */ 301 if (IN6_IS_ADDR_WKPFX(prefix) && length != 96) 302 return (EINVAL); 303 304 /* Bits 64 to 71 must be set to zero */ 305 if (prefix->__u6_addr.__u6_addr8[8] != 0) 306 return (EINVAL); 307 308 /* Some extra checks */ 309 if (IN6_IS_ADDR_MULTICAST(prefix) || 310 IN6_IS_ADDR_UNSPECIFIED(prefix) || 311 IN6_IS_ADDR_LOOPBACK(prefix)) 312 return (EINVAL); 313 return (0); 314 } 315 316 int 317 nat64_check_private_ip4(const struct nat64_config *cfg, in_addr_t ia) 318 { 319 320 if (cfg->flags & NAT64_ALLOW_PRIVATE) 321 return (0); 322 323 /* WKPFX must not be used to represent non-global IPv4 addresses */ 324 if (cfg->flags & NAT64_WKPFX) { 325 /* IN_PRIVATE */ 326 if ((ia & htonl(0xff000000)) == htonl(0x0a000000) || 327 (ia & htonl(0xfff00000)) == htonl(0xac100000) || 328 (ia & htonl(0xffff0000)) == htonl(0xc0a80000)) 329 return (1); 330 /* 331 * RFC 5735: 332 * 192.0.0.0/24 - reserved for IETF protocol assignments 333 * 192.88.99.0/24 - for use as 6to4 relay anycast addresses 334 * 198.18.0.0/15 - for use in benchmark tests 335 * 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 - for use 336 * in documentation and example code 337 */ 338 if ((ia & htonl(0xffffff00)) == htonl(0xc0000000) || 339 (ia & htonl(0xffffff00)) == htonl(0xc0586300) || 340 (ia & htonl(0xfffffe00)) == htonl(0xc6120000) || 341 (ia & htonl(0xffffff00)) == htonl(0xc0000200) || 342 (ia & htonl(0xfffffe00)) == htonl(0xc6336400) || 343 (ia & htonl(0xffffff00)) == htonl(0xcb007100)) 344 return (1); 345 } 346 return (0); 347 } 348 349 /* 350 * Embed @ia IPv4 address into @ip6 IPv6 address. 351 * Place to embedding determined from prefix length @plen. 352 */ 353 void 354 nat64_embed_ip4(struct in6_addr *ip6, int plen, in_addr_t ia) 355 { 356 357 switch (plen) { 358 case 32: 359 case 96: 360 ip6->s6_addr32[plen / 32] = ia; 361 break; 362 case 40: 363 case 48: 364 case 56: 365 /* 366 * Preserve prefix bits. 367 * Since suffix bits should be zero and reserved for future 368 * use, we just overwrite the whole word, where they are. 369 */ 370 ip6->s6_addr32[1] &= 0xffffffff << (32 - plen % 32); 371 #if BYTE_ORDER == BIG_ENDIAN 372 ip6->s6_addr32[1] |= ia >> (plen % 32); 373 ip6->s6_addr32[2] = ia << (24 - plen % 32); 374 #elif BYTE_ORDER == LITTLE_ENDIAN 375 ip6->s6_addr32[1] |= ia << (plen % 32); 376 ip6->s6_addr32[2] = ia >> (24 - plen % 32); 377 #endif 378 break; 379 case 64: 380 #if BYTE_ORDER == BIG_ENDIAN 381 ip6->s6_addr32[2] = ia >> 8; 382 ip6->s6_addr32[3] = ia << 24; 383 #elif BYTE_ORDER == LITTLE_ENDIAN 384 ip6->s6_addr32[2] = ia << 8; 385 ip6->s6_addr32[3] = ia >> 24; 386 #endif 387 break; 388 default: 389 panic("Wrong plen: %d", plen); 390 }; 391 /* 392 * Bits 64 to 71 of the address are reserved for compatibility 393 * with the host identifier format defined in the IPv6 addressing 394 * architecture [RFC4291]. These bits MUST be set to zero. 395 */ 396 ip6->s6_addr8[8] = 0; 397 } 398 399 in_addr_t 400 nat64_extract_ip4(const struct in6_addr *ip6, int plen) 401 { 402 in_addr_t ia; 403 404 /* 405 * According to RFC 6052 p2.2: 406 * IPv4-embedded IPv6 addresses are composed of a variable-length 407 * prefix, the embedded IPv4 address, and a variable length suffix. 408 * The suffix bits are reserved for future extensions and SHOULD 409 * be set to zero. 410 */ 411 switch (plen) { 412 case 32: 413 if (ip6->s6_addr32[3] != 0 || ip6->s6_addr32[2] != 0) 414 goto badip6; 415 break; 416 case 40: 417 if (ip6->s6_addr32[3] != 0 || 418 (ip6->s6_addr32[2] & htonl(0xff00ffff)) != 0) 419 goto badip6; 420 break; 421 case 48: 422 if (ip6->s6_addr32[3] != 0 || 423 (ip6->s6_addr32[2] & htonl(0xff0000ff)) != 0) 424 goto badip6; 425 break; 426 case 56: 427 if (ip6->s6_addr32[3] != 0 || ip6->s6_addr8[8] != 0) 428 goto badip6; 429 break; 430 case 64: 431 if (ip6->s6_addr8[8] != 0 || 432 (ip6->s6_addr32[3] & htonl(0x00ffffff)) != 0) 433 goto badip6; 434 }; 435 switch (plen) { 436 case 32: 437 case 96: 438 ia = ip6->s6_addr32[plen / 32]; 439 break; 440 case 40: 441 case 48: 442 case 56: 443 #if BYTE_ORDER == BIG_ENDIAN 444 ia = (ip6->s6_addr32[1] << (plen % 32)) | 445 (ip6->s6_addr32[2] >> (24 - plen % 32)); 446 #elif BYTE_ORDER == LITTLE_ENDIAN 447 ia = (ip6->s6_addr32[1] >> (plen % 32)) | 448 (ip6->s6_addr32[2] << (24 - plen % 32)); 449 #endif 450 break; 451 case 64: 452 #if BYTE_ORDER == BIG_ENDIAN 453 ia = (ip6->s6_addr32[2] << 8) | (ip6->s6_addr32[3] >> 24); 454 #elif BYTE_ORDER == LITTLE_ENDIAN 455 ia = (ip6->s6_addr32[2] >> 8) | (ip6->s6_addr32[3] << 24); 456 #endif 457 break; 458 default: 459 return (0); 460 }; 461 if (nat64_check_ip4(ia) == 0) 462 return (ia); 463 464 DPRINTF(DP_GENERIC | DP_DROPS, 465 "invalid destination address: %08x", ia); 466 return (0); 467 badip6: 468 DPRINTF(DP_GENERIC | DP_DROPS, "invalid IPv4-embedded IPv6 address"); 469 return (0); 470 } 471 472 /* 473 * According to RFC 1624 the equation for incremental checksum update is: 474 * HC' = ~(~HC + ~m + m') -- [Eqn. 3] 475 * HC' = HC - ~m - m' -- [Eqn. 4] 476 * So, when we are replacing IPv4 addresses to IPv6, we 477 * can assume, that new bytes previously were zeros, and vise versa - 478 * when we replacing IPv6 addresses to IPv4, now unused bytes become 479 * zeros. The payload length in pseudo header has bigger size, but one 480 * half of it should be zero. Using the equation 4 we get: 481 * HC' = HC - (~m0 + m0') -- m0 is first changed word 482 * HC' = (HC - (~m0 + m0')) - (~m1 + m1') -- m1 is second changed word 483 * HC' = HC - ~m0 - m0' - ~m1 - m1' - ... = 484 * = HC - sum(~m[i] + m'[i]) 485 * 486 * The function result should be used as follows: 487 * IPv6 to IPv4: HC' = cksum_add(HC, result) 488 * IPv4 to IPv6: HC' = cksum_add(HC, ~result) 489 */ 490 static uint16_t 491 nat64_cksum_convert(struct ip6_hdr *ip6, struct ip *ip) 492 { 493 uint32_t sum; 494 uint16_t *p; 495 496 sum = ~ip->ip_src.s_addr >> 16; 497 sum += ~ip->ip_src.s_addr & 0xffff; 498 sum += ~ip->ip_dst.s_addr >> 16; 499 sum += ~ip->ip_dst.s_addr & 0xffff; 500 501 for (p = (uint16_t *)&ip6->ip6_src; 502 p < (uint16_t *)(&ip6->ip6_src + 2); p++) 503 sum += *p; 504 505 while (sum >> 16) 506 sum = (sum & 0xffff) + (sum >> 16); 507 return (sum); 508 } 509 510 static void 511 nat64_init_ip4hdr(const struct ip6_hdr *ip6, const struct ip6_frag *frag, 512 uint16_t plen, uint8_t proto, struct ip *ip) 513 { 514 515 /* assume addresses are already initialized */ 516 ip->ip_v = IPVERSION; 517 ip->ip_hl = sizeof(*ip) >> 2; 518 ip->ip_tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 519 ip->ip_len = htons(sizeof(*ip) + plen); 520 ip->ip_ttl = ip6->ip6_hlim; 521 if (*V_nat64ip6stealth == 0) 522 ip->ip_ttl -= IPV6_HLIMDEC; 523 ip->ip_sum = 0; 524 ip->ip_p = (proto == IPPROTO_ICMPV6) ? IPPROTO_ICMP: proto; 525 ip_fillid(ip); 526 if (frag != NULL) { 527 ip->ip_off = htons(ntohs(frag->ip6f_offlg) >> 3); 528 if (frag->ip6f_offlg & IP6F_MORE_FRAG) 529 ip->ip_off |= htons(IP_MF); 530 } else { 531 ip->ip_off = htons(IP_DF); 532 } 533 ip->ip_sum = in_cksum_hdr(ip); 534 } 535 536 #define FRAGSZ(mtu) ((mtu) - sizeof(struct ip6_hdr) - sizeof(struct ip6_frag)) 537 static NAT64NOINLINE int 538 nat64_fragment6(struct nat64_counters *stats, struct ip6_hdr *ip6, 539 struct mbufq *mq, struct mbuf *m, uint32_t mtu, uint16_t ip_id, 540 uint16_t ip_off) 541 { 542 struct ip6_frag ip6f; 543 struct mbuf *n; 544 uint16_t hlen, len, offset; 545 int plen; 546 547 plen = ntohs(ip6->ip6_plen); 548 hlen = sizeof(struct ip6_hdr); 549 550 /* Fragmentation isn't needed */ 551 if (ip_off == 0 && plen <= mtu - hlen) { 552 M_PREPEND(m, hlen, M_NOWAIT); 553 if (m == NULL) { 554 NAT64STAT_INC(stats, nomem); 555 return (ENOMEM); 556 } 557 bcopy(ip6, mtod(m, void *), hlen); 558 if (mbufq_enqueue(mq, m) != 0) { 559 m_freem(m); 560 NAT64STAT_INC(stats, dropped); 561 DPRINTF(DP_DROPS, "dropped due to mbufq overflow"); 562 return (ENOBUFS); 563 } 564 return (0); 565 } 566 567 hlen += sizeof(struct ip6_frag); 568 ip6f.ip6f_reserved = 0; 569 ip6f.ip6f_nxt = ip6->ip6_nxt; 570 ip6->ip6_nxt = IPPROTO_FRAGMENT; 571 if (ip_off != 0) { 572 /* 573 * We have got an IPv4 fragment. 574 * Use offset value and ip_id from original fragment. 575 */ 576 ip6f.ip6f_ident = htonl(ntohs(ip_id)); 577 offset = (ntohs(ip_off) & IP_OFFMASK) << 3; 578 NAT64STAT_INC(stats, ifrags); 579 } else { 580 /* The packet size exceeds interface MTU */ 581 ip6f.ip6f_ident = htonl(ip6_randomid()); 582 offset = 0; /* First fragment*/ 583 } 584 while (plen > 0 && m != NULL) { 585 n = NULL; 586 len = FRAGSZ(mtu) & ~7; 587 if (len > plen) 588 len = plen; 589 ip6->ip6_plen = htons(len + sizeof(ip6f)); 590 ip6f.ip6f_offlg = ntohs(offset); 591 if (len < plen || (ip_off & htons(IP_MF)) != 0) 592 ip6f.ip6f_offlg |= IP6F_MORE_FRAG; 593 offset += len; 594 plen -= len; 595 if (plen > 0) { 596 n = m_split(m, len, M_NOWAIT); 597 if (n == NULL) 598 goto fail; 599 } 600 M_PREPEND(m, hlen, M_NOWAIT); 601 if (m == NULL) 602 goto fail; 603 bcopy(ip6, mtod(m, void *), sizeof(struct ip6_hdr)); 604 bcopy(&ip6f, mtodo(m, sizeof(struct ip6_hdr)), 605 sizeof(struct ip6_frag)); 606 if (mbufq_enqueue(mq, m) != 0) 607 goto fail; 608 m = n; 609 } 610 NAT64STAT_ADD(stats, ofrags, mbufq_len(mq)); 611 return (0); 612 fail: 613 if (m != NULL) 614 m_freem(m); 615 if (n != NULL) 616 m_freem(n); 617 mbufq_drain(mq); 618 NAT64STAT_INC(stats, nomem); 619 return (ENOMEM); 620 } 621 622 static struct nhop_object * 623 nat64_find_route6(struct sockaddr_in6 *dst, struct mbuf *m) 624 { 625 struct nhop_object *nh; 626 627 NET_EPOCH_ASSERT(); 628 nh = fib6_lookup(M_GETFIB(m), &dst->sin6_addr, 0, NHR_NONE, 0); 629 if (nh == NULL) 630 return (NULL); 631 if (nh->nh_flags & (NHF_BLACKHOLE | NHF_REJECT)) 632 return (NULL); 633 634 dst->sin6_family = AF_INET6; 635 dst->sin6_len = sizeof(*dst); 636 if (nh->nh_flags & NHF_GATEWAY) 637 dst->sin6_addr = nh->gw6_sa.sin6_addr; 638 dst->sin6_port = 0; 639 dst->sin6_scope_id = 0; 640 dst->sin6_flowinfo = 0; 641 return (nh); 642 } 643 644 #define NAT64_ICMP6_PLEN 64 645 static NAT64NOINLINE void 646 nat64_icmp6_reflect(struct mbuf *m, uint8_t type, uint8_t code, uint32_t mtu, 647 struct nat64_counters *stats, void *logdata) 648 { 649 struct icmp6_hdr *icmp6; 650 struct ip6_hdr *ip6, *oip6; 651 struct mbuf *n; 652 int len, plen, proto; 653 654 len = 0; 655 proto = nat64_getlasthdr(m, &len); 656 if (proto < 0) { 657 DPRINTF(DP_DROPS, "mbuf isn't contigious"); 658 goto freeit; 659 } 660 /* 661 * Do not send ICMPv6 in reply to ICMPv6 errors. 662 */ 663 if (proto == IPPROTO_ICMPV6) { 664 if (m->m_len < len + sizeof(*icmp6)) { 665 DPRINTF(DP_DROPS, "mbuf isn't contigious"); 666 goto freeit; 667 } 668 icmp6 = mtodo(m, len); 669 if (icmp6->icmp6_type < ICMP6_ECHO_REQUEST || 670 icmp6->icmp6_type == ND_REDIRECT) { 671 DPRINTF(DP_DROPS, "do not send ICMPv6 in reply to " 672 "ICMPv6 errors"); 673 goto freeit; 674 } 675 /* 676 * If there are extra headers between IPv6 and ICMPv6, 677 * strip off them. 678 */ 679 if (len > sizeof(struct ip6_hdr)) { 680 /* 681 * NOTE: ipfw_chk already did m_pullup() and it is 682 * expected that data is contigious from the start 683 * of IPv6 header up to the end of ICMPv6 header. 684 */ 685 bcopy(mtod(m, caddr_t), 686 mtodo(m, len - sizeof(struct ip6_hdr)), 687 sizeof(struct ip6_hdr)); 688 m_adj(m, len - sizeof(struct ip6_hdr)); 689 } 690 } 691 /* 692 if (icmp6_ratelimit(&ip6->ip6_src, type, code)) 693 goto freeit; 694 */ 695 ip6 = mtod(m, struct ip6_hdr *); 696 switch (type) { 697 case ICMP6_DST_UNREACH: 698 case ICMP6_PACKET_TOO_BIG: 699 case ICMP6_TIME_EXCEEDED: 700 case ICMP6_PARAM_PROB: 701 break; 702 default: 703 goto freeit; 704 } 705 /* Calculate length of ICMPv6 payload */ 706 len = (m->m_pkthdr.len > NAT64_ICMP6_PLEN) ? NAT64_ICMP6_PLEN: 707 m->m_pkthdr.len; 708 709 /* Create new ICMPv6 datagram */ 710 plen = len + sizeof(struct icmp6_hdr); 711 n = m_get2(sizeof(struct ip6_hdr) + plen + max_hdr, M_NOWAIT, 712 MT_HEADER, M_PKTHDR); 713 if (n == NULL) { 714 NAT64STAT_INC(stats, nomem); 715 m_freem(m); 716 return; 717 } 718 /* 719 * Move pkthdr from original mbuf. We should have initialized some 720 * fields, because we can reinject this mbuf to netisr and it will 721 * go through input path (it requires at least rcvif should be set). 722 * Also do M_ALIGN() to reduce chances of need to allocate new mbuf 723 * in the chain, when we will do M_PREPEND() or make some type of 724 * tunneling. 725 */ 726 m_move_pkthdr(n, m); 727 M_ALIGN(n, sizeof(struct ip6_hdr) + plen + max_hdr); 728 729 n->m_len = n->m_pkthdr.len = sizeof(struct ip6_hdr) + plen; 730 oip6 = mtod(n, struct ip6_hdr *); 731 /* 732 * Make IPv6 source address selection for reflected datagram. 733 * nat64_check_ip6() doesn't allow scoped addresses, therefore 734 * we use zero scopeid. 735 */ 736 if (in6_selectsrc_addr(M_GETFIB(n), &ip6->ip6_src, 0, 737 n->m_pkthdr.rcvif, &oip6->ip6_src, NULL) != 0) { 738 /* 739 * Failed to find proper source address, drop the packet. 740 */ 741 m_freem(n); 742 goto freeit; 743 } 744 oip6->ip6_dst = ip6->ip6_src; 745 oip6->ip6_nxt = IPPROTO_ICMPV6; 746 oip6->ip6_flow = 0; 747 oip6->ip6_vfc |= IPV6_VERSION; 748 oip6->ip6_hlim = V_ip6_defhlim; 749 oip6->ip6_plen = htons(plen); 750 751 icmp6 = mtodo(n, sizeof(struct ip6_hdr)); 752 icmp6->icmp6_cksum = 0; 753 icmp6->icmp6_type = type; 754 icmp6->icmp6_code = code; 755 icmp6->icmp6_mtu = htonl(mtu); 756 757 m_copydata(m, 0, len, mtodo(n, sizeof(struct ip6_hdr) + 758 sizeof(struct icmp6_hdr))); 759 icmp6->icmp6_cksum = in6_cksum(n, IPPROTO_ICMPV6, 760 sizeof(struct ip6_hdr), plen); 761 m_freem(m); 762 V_nat64out->output_one(n, stats, logdata); 763 return; 764 freeit: 765 NAT64STAT_INC(stats, dropped); 766 m_freem(m); 767 } 768 769 static struct nhop_object * 770 nat64_find_route4(struct sockaddr_in *dst, struct mbuf *m) 771 { 772 struct nhop_object *nh; 773 774 NET_EPOCH_ASSERT(); 775 nh = fib4_lookup(M_GETFIB(m), dst->sin_addr, 0, NHR_NONE, 0); 776 if (nh == NULL) 777 return (NULL); 778 if (nh->nh_flags & (NHF_BLACKHOLE | NHF_BROADCAST | NHF_REJECT)) 779 return (NULL); 780 781 dst->sin_family = AF_INET; 782 dst->sin_len = sizeof(*dst); 783 if (nh->nh_flags & NHF_GATEWAY) 784 dst->sin_addr = nh->gw4_sa.sin_addr; 785 dst->sin_port = 0; 786 return (nh); 787 } 788 789 #define NAT64_ICMP_PLEN 64 790 static NAT64NOINLINE void 791 nat64_icmp_reflect(struct mbuf *m, uint8_t type, 792 uint8_t code, uint16_t mtu, struct nat64_counters *stats, void *logdata) 793 { 794 struct icmp *icmp; 795 struct ip *ip, *oip; 796 struct mbuf *n; 797 int len, plen; 798 799 ip = mtod(m, struct ip *); 800 /* Do not send ICMP error if packet is not the first fragment */ 801 if (ip->ip_off & ~ntohs(IP_MF|IP_DF)) { 802 DPRINTF(DP_DROPS, "not first fragment"); 803 goto freeit; 804 } 805 /* Do not send ICMP in reply to ICMP errors */ 806 if (ip->ip_p == IPPROTO_ICMP) { 807 if (m->m_len < (ip->ip_hl << 2)) { 808 DPRINTF(DP_DROPS, "mbuf isn't contigious"); 809 goto freeit; 810 } 811 icmp = mtodo(m, ip->ip_hl << 2); 812 if (!ICMP_INFOTYPE(icmp->icmp_type)) { 813 DPRINTF(DP_DROPS, "do not send ICMP in reply to " 814 "ICMP errors"); 815 goto freeit; 816 } 817 } 818 switch (type) { 819 case ICMP_UNREACH: 820 case ICMP_TIMXCEED: 821 case ICMP_PARAMPROB: 822 break; 823 default: 824 goto freeit; 825 } 826 /* Calculate length of ICMP payload */ 827 len = (m->m_pkthdr.len > NAT64_ICMP_PLEN) ? (ip->ip_hl << 2) + 8: 828 m->m_pkthdr.len; 829 830 /* Create new ICMPv4 datagram */ 831 plen = len + sizeof(struct icmphdr) + sizeof(uint32_t); 832 n = m_get2(sizeof(struct ip) + plen + max_hdr, M_NOWAIT, 833 MT_HEADER, M_PKTHDR); 834 if (n == NULL) { 835 NAT64STAT_INC(stats, nomem); 836 m_freem(m); 837 return; 838 } 839 m_move_pkthdr(n, m); 840 M_ALIGN(n, sizeof(struct ip) + plen + max_hdr); 841 842 n->m_len = n->m_pkthdr.len = sizeof(struct ip) + plen; 843 oip = mtod(n, struct ip *); 844 oip->ip_v = IPVERSION; 845 oip->ip_hl = sizeof(struct ip) >> 2; 846 oip->ip_tos = 0; 847 oip->ip_len = htons(n->m_pkthdr.len); 848 oip->ip_ttl = V_ip_defttl; 849 oip->ip_p = IPPROTO_ICMP; 850 ip_fillid(oip); 851 oip->ip_off = htons(IP_DF); 852 oip->ip_src = ip->ip_dst; 853 oip->ip_dst = ip->ip_src; 854 oip->ip_sum = 0; 855 oip->ip_sum = in_cksum_hdr(oip); 856 857 icmp = mtodo(n, sizeof(struct ip)); 858 icmp->icmp_type = type; 859 icmp->icmp_code = code; 860 icmp->icmp_cksum = 0; 861 icmp->icmp_pmvoid = 0; 862 icmp->icmp_nextmtu = htons(mtu); 863 m_copydata(m, 0, len, mtodo(n, sizeof(struct ip) + 864 sizeof(struct icmphdr) + sizeof(uint32_t))); 865 icmp->icmp_cksum = in_cksum_skip(n, sizeof(struct ip) + plen, 866 sizeof(struct ip)); 867 m_freem(m); 868 V_nat64out->output_one(n, stats, logdata); 869 return; 870 freeit: 871 NAT64STAT_INC(stats, dropped); 872 m_freem(m); 873 } 874 875 /* Translate ICMP echo request/reply into ICMPv6 */ 876 static void 877 nat64_icmp_handle_echo(struct ip6_hdr *ip6, struct icmp6_hdr *icmp6, 878 uint16_t id, uint8_t type) 879 { 880 uint16_t old; 881 882 old = *(uint16_t *)icmp6; /* save type+code in one word */ 883 icmp6->icmp6_type = type; 884 /* Reflect ICMPv6 -> ICMPv4 type translation in the cksum */ 885 icmp6->icmp6_cksum = cksum_adjust(icmp6->icmp6_cksum, 886 old, *(uint16_t *)icmp6); 887 if (id != 0) { 888 old = icmp6->icmp6_id; 889 icmp6->icmp6_id = id; 890 /* Reflect ICMP id translation in the cksum */ 891 icmp6->icmp6_cksum = cksum_adjust(icmp6->icmp6_cksum, 892 old, id); 893 } 894 /* Reflect IPv6 pseudo header in the cksum */ 895 icmp6->icmp6_cksum = ~in6_cksum_pseudo(ip6, ntohs(ip6->ip6_plen), 896 IPPROTO_ICMPV6, ~icmp6->icmp6_cksum); 897 } 898 899 static NAT64NOINLINE struct mbuf * 900 nat64_icmp_translate(struct mbuf *m, struct ip6_hdr *ip6, uint16_t icmpid, 901 int offset, struct nat64_config *cfg) 902 { 903 struct ip ip; 904 struct icmp *icmp; 905 struct tcphdr *tcp; 906 struct udphdr *udp; 907 struct ip6_hdr *eip6; 908 struct mbuf *n; 909 uint32_t mtu; 910 int len, hlen, plen; 911 uint8_t type, code; 912 913 if (m->m_len < offset + ICMP_MINLEN) 914 m = m_pullup(m, offset + ICMP_MINLEN); 915 if (m == NULL) { 916 NAT64STAT_INC(&cfg->stats, nomem); 917 return (m); 918 } 919 mtu = 0; 920 icmp = mtodo(m, offset); 921 /* RFC 7915 p4.2 */ 922 switch (icmp->icmp_type) { 923 case ICMP_ECHOREPLY: 924 type = ICMP6_ECHO_REPLY; 925 code = 0; 926 break; 927 case ICMP_UNREACH: 928 type = ICMP6_DST_UNREACH; 929 switch (icmp->icmp_code) { 930 case ICMP_UNREACH_NET: 931 case ICMP_UNREACH_HOST: 932 case ICMP_UNREACH_SRCFAIL: 933 case ICMP_UNREACH_NET_UNKNOWN: 934 case ICMP_UNREACH_HOST_UNKNOWN: 935 case ICMP_UNREACH_TOSNET: 936 case ICMP_UNREACH_TOSHOST: 937 code = ICMP6_DST_UNREACH_NOROUTE; 938 break; 939 case ICMP_UNREACH_PROTOCOL: 940 type = ICMP6_PARAM_PROB; 941 code = ICMP6_PARAMPROB_NEXTHEADER; 942 break; 943 case ICMP_UNREACH_PORT: 944 code = ICMP6_DST_UNREACH_NOPORT; 945 break; 946 case ICMP_UNREACH_NEEDFRAG: 947 type = ICMP6_PACKET_TOO_BIG; 948 code = 0; 949 /* XXX: needs an additional look */ 950 mtu = max(IPV6_MMTU, ntohs(icmp->icmp_nextmtu) + 20); 951 break; 952 case ICMP_UNREACH_NET_PROHIB: 953 case ICMP_UNREACH_HOST_PROHIB: 954 case ICMP_UNREACH_FILTER_PROHIB: 955 case ICMP_UNREACH_PRECEDENCE_CUTOFF: 956 code = ICMP6_DST_UNREACH_ADMIN; 957 break; 958 default: 959 DPRINTF(DP_DROPS, "Unsupported ICMP type %d, code %d", 960 icmp->icmp_type, icmp->icmp_code); 961 goto freeit; 962 } 963 break; 964 case ICMP_TIMXCEED: 965 type = ICMP6_TIME_EXCEEDED; 966 code = icmp->icmp_code; 967 break; 968 case ICMP_ECHO: 969 type = ICMP6_ECHO_REQUEST; 970 code = 0; 971 break; 972 case ICMP_PARAMPROB: 973 type = ICMP6_PARAM_PROB; 974 switch (icmp->icmp_code) { 975 case ICMP_PARAMPROB_ERRATPTR: 976 case ICMP_PARAMPROB_LENGTH: 977 code = ICMP6_PARAMPROB_HEADER; 978 switch (icmp->icmp_pptr) { 979 case 0: /* Version/IHL */ 980 case 1: /* Type Of Service */ 981 mtu = icmp->icmp_pptr; 982 break; 983 case 2: /* Total Length */ 984 case 3: mtu = 4; /* Payload Length */ 985 break; 986 case 8: /* Time to Live */ 987 mtu = 7; /* Hop Limit */ 988 break; 989 case 9: /* Protocol */ 990 mtu = 6; /* Next Header */ 991 break; 992 case 12: /* Source address */ 993 case 13: 994 case 14: 995 case 15: 996 mtu = 8; 997 break; 998 case 16: /* Destination address */ 999 case 17: 1000 case 18: 1001 case 19: 1002 mtu = 24; 1003 break; 1004 default: /* Silently drop */ 1005 DPRINTF(DP_DROPS, "Unsupported ICMP type %d," 1006 " code %d, pptr %d", icmp->icmp_type, 1007 icmp->icmp_code, icmp->icmp_pptr); 1008 goto freeit; 1009 } 1010 break; 1011 default: 1012 DPRINTF(DP_DROPS, "Unsupported ICMP type %d," 1013 " code %d, pptr %d", icmp->icmp_type, 1014 icmp->icmp_code, icmp->icmp_pptr); 1015 goto freeit; 1016 } 1017 break; 1018 default: 1019 DPRINTF(DP_DROPS, "Unsupported ICMP type %d, code %d", 1020 icmp->icmp_type, icmp->icmp_code); 1021 goto freeit; 1022 } 1023 /* 1024 * For echo request/reply we can use original payload, 1025 * but we need adjust icmp_cksum, because ICMPv6 cksum covers 1026 * IPv6 pseudo header and ICMPv6 types differs from ICMPv4. 1027 */ 1028 if (type == ICMP6_ECHO_REQUEST || type == ICMP6_ECHO_REPLY) { 1029 nat64_icmp_handle_echo(ip6, ICMP6(icmp), icmpid, type); 1030 return (m); 1031 } 1032 /* 1033 * For other types of ICMP messages we need to translate inner 1034 * IPv4 header to IPv6 header. 1035 * Assume ICMP src is the same as payload dst 1036 * E.g. we have ( GWsrc1 , NATIP1 ) in outer header 1037 * and ( NATIP1, Hostdst1 ) in ICMP copy header. 1038 * In that case, we already have map for NATIP1 and GWsrc1. 1039 * The only thing we need is to copy IPv6 map prefix to 1040 * Hostdst1. 1041 */ 1042 hlen = offset + ICMP_MINLEN; 1043 if (m->m_pkthdr.len < hlen + sizeof(struct ip) + ICMP_MINLEN) { 1044 DPRINTF(DP_DROPS, "Message is too short %d", 1045 m->m_pkthdr.len); 1046 goto freeit; 1047 } 1048 m_copydata(m, hlen, sizeof(struct ip), (char *)&ip); 1049 if (ip.ip_v != IPVERSION) { 1050 DPRINTF(DP_DROPS, "Wrong IP version %d", ip.ip_v); 1051 goto freeit; 1052 } 1053 hlen += ip.ip_hl << 2; /* Skip inner IP header */ 1054 if (nat64_check_ip4(ip.ip_src.s_addr) != 0 || 1055 nat64_check_ip4(ip.ip_dst.s_addr) != 0 || 1056 nat64_check_private_ip4(cfg, ip.ip_src.s_addr) != 0 || 1057 nat64_check_private_ip4(cfg, ip.ip_dst.s_addr) != 0) { 1058 DPRINTF(DP_DROPS, "IP addresses checks failed %04x -> %04x", 1059 ntohl(ip.ip_src.s_addr), ntohl(ip.ip_dst.s_addr)); 1060 goto freeit; 1061 } 1062 if (m->m_pkthdr.len < hlen + ICMP_MINLEN) { 1063 DPRINTF(DP_DROPS, "Message is too short %d", 1064 m->m_pkthdr.len); 1065 goto freeit; 1066 } 1067 #if 0 1068 /* 1069 * Check that inner source matches the outer destination. 1070 * XXX: We need some method to convert IPv4 into IPv6 address here, 1071 * and compare IPv6 addresses. 1072 */ 1073 if (ip.ip_src.s_addr != nat64_get_ip4(&ip6->ip6_dst)) { 1074 DPRINTF(DP_GENERIC, "Inner source doesn't match destination ", 1075 "%04x vs %04x", ip.ip_src.s_addr, 1076 nat64_get_ip4(&ip6->ip6_dst)); 1077 goto freeit; 1078 } 1079 #endif 1080 /* 1081 * Create new mbuf for ICMPv6 datagram. 1082 * NOTE: len is data length just after inner IP header. 1083 */ 1084 len = m->m_pkthdr.len - hlen; 1085 if (sizeof(struct ip6_hdr) + 1086 sizeof(struct icmp6_hdr) + len > NAT64_ICMP6_PLEN) 1087 len = NAT64_ICMP6_PLEN - sizeof(struct icmp6_hdr) - 1088 sizeof(struct ip6_hdr); 1089 plen = sizeof(struct icmp6_hdr) + sizeof(struct ip6_hdr) + len; 1090 n = m_get2(offset + plen + max_hdr, M_NOWAIT, MT_HEADER, M_PKTHDR); 1091 if (n == NULL) { 1092 NAT64STAT_INC(&cfg->stats, nomem); 1093 m_freem(m); 1094 return (NULL); 1095 } 1096 m_move_pkthdr(n, m); 1097 M_ALIGN(n, offset + plen + max_hdr); 1098 n->m_len = n->m_pkthdr.len = offset + plen; 1099 /* Adjust ip6_plen in outer header */ 1100 ip6->ip6_plen = htons(plen); 1101 /* Construct new inner IPv6 header */ 1102 eip6 = mtodo(n, offset + sizeof(struct icmp6_hdr)); 1103 eip6->ip6_src = ip6->ip6_dst; 1104 1105 /* Use the same prefix that we have in outer header */ 1106 eip6->ip6_dst = ip6->ip6_src; 1107 MPASS(cfg->flags & NAT64_PLATPFX); 1108 nat64_embed_ip4(&eip6->ip6_dst, cfg->plat_plen, ip.ip_dst.s_addr); 1109 1110 eip6->ip6_flow = htonl(ip.ip_tos << 20); 1111 eip6->ip6_vfc |= IPV6_VERSION; 1112 eip6->ip6_hlim = ip.ip_ttl; 1113 eip6->ip6_plen = htons(ntohs(ip.ip_len) - (ip.ip_hl << 2)); 1114 eip6->ip6_nxt = (ip.ip_p == IPPROTO_ICMP) ? IPPROTO_ICMPV6: ip.ip_p; 1115 m_copydata(m, hlen, len, (char *)(eip6 + 1)); 1116 /* 1117 * We need to translate source port in the inner ULP header, 1118 * and adjust ULP checksum. 1119 */ 1120 switch (ip.ip_p) { 1121 case IPPROTO_TCP: 1122 if (len < offsetof(struct tcphdr, th_sum)) 1123 break; 1124 tcp = TCP(eip6 + 1); 1125 if (icmpid != 0) { 1126 tcp->th_sum = cksum_adjust(tcp->th_sum, 1127 tcp->th_sport, icmpid); 1128 tcp->th_sport = icmpid; 1129 } 1130 tcp->th_sum = cksum_add(tcp->th_sum, 1131 ~nat64_cksum_convert(eip6, &ip)); 1132 break; 1133 case IPPROTO_UDP: 1134 if (len < offsetof(struct udphdr, uh_sum)) 1135 break; 1136 udp = UDP(eip6 + 1); 1137 if (icmpid != 0) { 1138 udp->uh_sum = cksum_adjust(udp->uh_sum, 1139 udp->uh_sport, icmpid); 1140 udp->uh_sport = icmpid; 1141 } 1142 udp->uh_sum = cksum_add(udp->uh_sum, 1143 ~nat64_cksum_convert(eip6, &ip)); 1144 break; 1145 case IPPROTO_ICMP: 1146 /* 1147 * Check if this is an ICMP error message for echo request 1148 * that we sent. I.e. ULP in the data containing invoking 1149 * packet is IPPROTO_ICMP and its type is ICMP_ECHO. 1150 */ 1151 icmp = (struct icmp *)(eip6 + 1); 1152 if (icmp->icmp_type != ICMP_ECHO) { 1153 m_freem(n); 1154 goto freeit; 1155 } 1156 /* 1157 * For our client this original datagram should looks 1158 * like it was ICMPv6 datagram with type ICMP6_ECHO_REQUEST. 1159 * Thus we need adjust icmp_cksum and convert type from 1160 * ICMP_ECHO to ICMP6_ECHO_REQUEST. 1161 */ 1162 nat64_icmp_handle_echo(eip6, ICMP6(icmp), icmpid, 1163 ICMP6_ECHO_REQUEST); 1164 } 1165 m_freem(m); 1166 /* Convert ICMPv4 into ICMPv6 header */ 1167 icmp = mtodo(n, offset); 1168 ICMP6(icmp)->icmp6_type = type; 1169 ICMP6(icmp)->icmp6_code = code; 1170 ICMP6(icmp)->icmp6_mtu = htonl(mtu); 1171 ICMP6(icmp)->icmp6_cksum = 0; 1172 ICMP6(icmp)->icmp6_cksum = cksum_add( 1173 ~in6_cksum_pseudo(ip6, plen, IPPROTO_ICMPV6, 0), 1174 in_cksum_skip(n, n->m_pkthdr.len, offset)); 1175 return (n); 1176 freeit: 1177 m_freem(m); 1178 NAT64STAT_INC(&cfg->stats, dropped); 1179 return (NULL); 1180 } 1181 1182 int 1183 nat64_getlasthdr(struct mbuf *m, int *offset) 1184 { 1185 struct ip6_hdr *ip6; 1186 struct ip6_hbh *hbh; 1187 int proto, hlen; 1188 1189 if (offset != NULL) 1190 hlen = *offset; 1191 else 1192 hlen = 0; 1193 1194 if (m->m_len < hlen + sizeof(*ip6)) 1195 return (-1); 1196 1197 ip6 = mtodo(m, hlen); 1198 hlen += sizeof(*ip6); 1199 proto = ip6->ip6_nxt; 1200 /* Skip extension headers */ 1201 while (proto == IPPROTO_HOPOPTS || proto == IPPROTO_ROUTING || 1202 proto == IPPROTO_DSTOPTS) { 1203 hbh = mtodo(m, hlen); 1204 /* 1205 * We expect mbuf has contigious data up to 1206 * upper level header. 1207 */ 1208 if (m->m_len < hlen) 1209 return (-1); 1210 /* 1211 * We doesn't support Jumbo payload option, 1212 * so return error. 1213 */ 1214 if (proto == IPPROTO_HOPOPTS && ip6->ip6_plen == 0) 1215 return (-1); 1216 proto = hbh->ip6h_nxt; 1217 hlen += (hbh->ip6h_len + 1) << 3; 1218 } 1219 if (offset != NULL) 1220 *offset = hlen; 1221 return (proto); 1222 } 1223 1224 int 1225 nat64_do_handle_ip4(struct mbuf *m, struct in6_addr *saddr, 1226 struct in6_addr *daddr, uint16_t lport, struct nat64_config *cfg, 1227 void *logdata) 1228 { 1229 struct nhop_object *nh; 1230 struct ip6_hdr ip6; 1231 struct sockaddr_in6 dst; 1232 struct ip *ip; 1233 struct mbufq mq; 1234 uint16_t ip_id, ip_off; 1235 uint16_t *csum; 1236 int plen, hlen; 1237 uint8_t proto; 1238 1239 ip = mtod(m, struct ip*); 1240 1241 if (*V_nat64ipstealth == 0 && ip->ip_ttl <= IPTTLDEC) { 1242 nat64_icmp_reflect(m, ICMP_TIMXCEED, 1243 ICMP_TIMXCEED_INTRANS, 0, &cfg->stats, logdata); 1244 return (NAT64RETURN); 1245 } 1246 1247 ip6.ip6_dst = *daddr; 1248 ip6.ip6_src = *saddr; 1249 1250 hlen = ip->ip_hl << 2; 1251 plen = ntohs(ip->ip_len) - hlen; 1252 proto = ip->ip_p; 1253 1254 /* Save ip_id and ip_off, both are in network byte order */ 1255 ip_id = ip->ip_id; 1256 ip_off = ip->ip_off & htons(IP_OFFMASK | IP_MF); 1257 1258 /* Fragment length must be multiple of 8 octets */ 1259 if ((ip->ip_off & htons(IP_MF)) != 0 && (plen & 0x7) != 0) { 1260 nat64_icmp_reflect(m, ICMP_PARAMPROB, 1261 ICMP_PARAMPROB_LENGTH, 0, &cfg->stats, logdata); 1262 return (NAT64RETURN); 1263 } 1264 /* Fragmented ICMP is unsupported */ 1265 if (proto == IPPROTO_ICMP && ip_off != 0) { 1266 DPRINTF(DP_DROPS, "dropped due to fragmented ICMP"); 1267 NAT64STAT_INC(&cfg->stats, dropped); 1268 return (NAT64MFREE); 1269 } 1270 1271 dst.sin6_addr = ip6.ip6_dst; 1272 nh = nat64_find_route6(&dst, m); 1273 if (nh == NULL) { 1274 NAT64STAT_INC(&cfg->stats, noroute6); 1275 nat64_icmp_reflect(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 1276 &cfg->stats, logdata); 1277 return (NAT64RETURN); 1278 } 1279 if (nh->nh_mtu < plen + sizeof(ip6) && 1280 (ip->ip_off & htons(IP_DF)) != 0) { 1281 nat64_icmp_reflect(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 1282 FRAGSZ(nh->nh_mtu) + sizeof(struct ip), &cfg->stats, logdata); 1283 return (NAT64RETURN); 1284 } 1285 1286 ip6.ip6_flow = htonl(ip->ip_tos << 20); 1287 ip6.ip6_vfc |= IPV6_VERSION; 1288 ip6.ip6_hlim = ip->ip_ttl; 1289 if (*V_nat64ipstealth == 0) 1290 ip6.ip6_hlim -= IPTTLDEC; 1291 ip6.ip6_plen = htons(plen); 1292 ip6.ip6_nxt = (proto == IPPROTO_ICMP) ? IPPROTO_ICMPV6: proto; 1293 1294 /* Handle delayed checksums if needed. */ 1295 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 1296 in_delayed_cksum(m); 1297 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 1298 } 1299 /* Convert checksums. */ 1300 switch (proto) { 1301 case IPPROTO_TCP: 1302 csum = &TCP(mtodo(m, hlen))->th_sum; 1303 if (lport != 0) { 1304 struct tcphdr *tcp = TCP(mtodo(m, hlen)); 1305 *csum = cksum_adjust(*csum, tcp->th_dport, lport); 1306 tcp->th_dport = lport; 1307 } 1308 *csum = cksum_add(*csum, ~nat64_cksum_convert(&ip6, ip)); 1309 break; 1310 case IPPROTO_UDP: 1311 csum = &UDP(mtodo(m, hlen))->uh_sum; 1312 if (lport != 0) { 1313 struct udphdr *udp = UDP(mtodo(m, hlen)); 1314 *csum = cksum_adjust(*csum, udp->uh_dport, lport); 1315 udp->uh_dport = lport; 1316 } 1317 *csum = cksum_add(*csum, ~nat64_cksum_convert(&ip6, ip)); 1318 break; 1319 case IPPROTO_ICMP: 1320 m = nat64_icmp_translate(m, &ip6, lport, hlen, cfg); 1321 if (m == NULL) /* stats already accounted */ 1322 return (NAT64RETURN); 1323 } 1324 1325 m_adj(m, hlen); 1326 mbufq_init(&mq, 255); 1327 nat64_fragment6(&cfg->stats, &ip6, &mq, m, nh->nh_mtu, ip_id, ip_off); 1328 while ((m = mbufq_dequeue(&mq)) != NULL) { 1329 if (V_nat64out->output(nh->nh_ifp, m, (struct sockaddr *)&dst, 1330 &cfg->stats, logdata) != 0) 1331 break; 1332 NAT64STAT_INC(&cfg->stats, opcnt46); 1333 } 1334 mbufq_drain(&mq); 1335 return (NAT64RETURN); 1336 } 1337 1338 int 1339 nat64_handle_icmp6(struct mbuf *m, int hlen, uint32_t aaddr, uint16_t aport, 1340 struct nat64_config *cfg, void *logdata) 1341 { 1342 struct ip ip; 1343 struct icmp6_hdr *icmp6; 1344 struct ip6_frag *ip6f; 1345 struct ip6_hdr *ip6, *ip6i; 1346 uint32_t mtu; 1347 int plen, proto; 1348 uint8_t type, code; 1349 1350 if (hlen == 0) { 1351 ip6 = mtod(m, struct ip6_hdr *); 1352 if (nat64_check_ip6(&ip6->ip6_src) != 0 || 1353 nat64_check_ip6(&ip6->ip6_dst) != 0) 1354 return (NAT64SKIP); 1355 1356 proto = nat64_getlasthdr(m, &hlen); 1357 if (proto != IPPROTO_ICMPV6) { 1358 DPRINTF(DP_DROPS, 1359 "dropped due to mbuf isn't contigious"); 1360 NAT64STAT_INC(&cfg->stats, dropped); 1361 return (NAT64MFREE); 1362 } 1363 } 1364 1365 /* 1366 * Translate ICMPv6 type and code to ICMPv4 (RFC7915). 1367 * NOTE: ICMPv6 echo handled by nat64_do_handle_ip6(). 1368 */ 1369 icmp6 = mtodo(m, hlen); 1370 mtu = 0; 1371 switch (icmp6->icmp6_type) { 1372 case ICMP6_DST_UNREACH: 1373 type = ICMP_UNREACH; 1374 switch (icmp6->icmp6_code) { 1375 case ICMP6_DST_UNREACH_NOROUTE: 1376 case ICMP6_DST_UNREACH_BEYONDSCOPE: 1377 case ICMP6_DST_UNREACH_ADDR: 1378 code = ICMP_UNREACH_HOST; 1379 break; 1380 case ICMP6_DST_UNREACH_ADMIN: 1381 code = ICMP_UNREACH_HOST_PROHIB; 1382 break; 1383 case ICMP6_DST_UNREACH_NOPORT: 1384 code = ICMP_UNREACH_PORT; 1385 break; 1386 default: 1387 DPRINTF(DP_DROPS, "Unsupported ICMPv6 type %d," 1388 " code %d", icmp6->icmp6_type, 1389 icmp6->icmp6_code); 1390 NAT64STAT_INC(&cfg->stats, dropped); 1391 return (NAT64MFREE); 1392 } 1393 break; 1394 case ICMP6_PACKET_TOO_BIG: 1395 type = ICMP_UNREACH; 1396 code = ICMP_UNREACH_NEEDFRAG; 1397 mtu = ntohl(icmp6->icmp6_mtu); 1398 if (mtu < IPV6_MMTU) { 1399 DPRINTF(DP_DROPS, "Wrong MTU %d in ICMPv6 type %d," 1400 " code %d", mtu, icmp6->icmp6_type, 1401 icmp6->icmp6_code); 1402 NAT64STAT_INC(&cfg->stats, dropped); 1403 return (NAT64MFREE); 1404 } 1405 /* 1406 * Adjust MTU to reflect difference between 1407 * IPv6 an IPv4 headers. 1408 */ 1409 mtu -= sizeof(struct ip6_hdr) - sizeof(struct ip); 1410 break; 1411 case ICMP6_TIME_EXCEEDED: 1412 type = ICMP_TIMXCEED; 1413 code = icmp6->icmp6_code; 1414 break; 1415 case ICMP6_PARAM_PROB: 1416 switch (icmp6->icmp6_code) { 1417 case ICMP6_PARAMPROB_HEADER: 1418 type = ICMP_PARAMPROB; 1419 code = ICMP_PARAMPROB_ERRATPTR; 1420 mtu = ntohl(icmp6->icmp6_pptr); 1421 switch (mtu) { 1422 case 0: /* Version/Traffic Class */ 1423 case 1: /* Traffic Class/Flow Label */ 1424 break; 1425 case 4: /* Payload Length */ 1426 case 5: 1427 mtu = 2; 1428 break; 1429 case 6: /* Next Header */ 1430 mtu = 9; 1431 break; 1432 case 7: /* Hop Limit */ 1433 mtu = 8; 1434 break; 1435 default: 1436 if (mtu >= 8 && mtu <= 23) { 1437 mtu = 12; /* Source address */ 1438 break; 1439 } 1440 if (mtu >= 24 && mtu <= 39) { 1441 mtu = 16; /* Destination address */ 1442 break; 1443 } 1444 DPRINTF(DP_DROPS, "Unsupported ICMPv6 type %d," 1445 " code %d, pptr %d", icmp6->icmp6_type, 1446 icmp6->icmp6_code, mtu); 1447 NAT64STAT_INC(&cfg->stats, dropped); 1448 return (NAT64MFREE); 1449 } 1450 case ICMP6_PARAMPROB_NEXTHEADER: 1451 type = ICMP_UNREACH; 1452 code = ICMP_UNREACH_PROTOCOL; 1453 break; 1454 default: 1455 DPRINTF(DP_DROPS, "Unsupported ICMPv6 type %d," 1456 " code %d, pptr %d", icmp6->icmp6_type, 1457 icmp6->icmp6_code, ntohl(icmp6->icmp6_pptr)); 1458 NAT64STAT_INC(&cfg->stats, dropped); 1459 return (NAT64MFREE); 1460 } 1461 break; 1462 default: 1463 DPRINTF(DP_DROPS, "Unsupported ICMPv6 type %d, code %d", 1464 icmp6->icmp6_type, icmp6->icmp6_code); 1465 NAT64STAT_INC(&cfg->stats, dropped); 1466 return (NAT64MFREE); 1467 } 1468 1469 hlen += sizeof(struct icmp6_hdr); 1470 if (m->m_pkthdr.len < hlen + sizeof(struct ip6_hdr) + ICMP_MINLEN) { 1471 NAT64STAT_INC(&cfg->stats, dropped); 1472 DPRINTF(DP_DROPS, "Message is too short %d", 1473 m->m_pkthdr.len); 1474 return (NAT64MFREE); 1475 } 1476 /* 1477 * We need at least ICMP_MINLEN bytes of original datagram payload 1478 * to generate ICMP message. It is nice that ICMP_MINLEN is equal 1479 * to sizeof(struct ip6_frag). So, if embedded datagram had a fragment 1480 * header we will not have to do m_pullup() again. 1481 * 1482 * What we have here: 1483 * Outer header: (IPv6iGW, v4mapPRefix+v4exthost) 1484 * Inner header: (v4mapPRefix+v4host, IPv6iHost) [sport, dport] 1485 * We need to translate it to: 1486 * 1487 * Outer header: (alias_host, v4exthost) 1488 * Inner header: (v4exthost, alias_host) [sport, alias_port] 1489 * 1490 * Assume caller function has checked if v4mapPRefix+v4host 1491 * matches configured prefix. 1492 * The only two things we should be provided with are mapping between 1493 * IPv6iHost <> alias_host and between dport and alias_port. 1494 */ 1495 if (m->m_len < hlen + sizeof(struct ip6_hdr) + ICMP_MINLEN) 1496 m = m_pullup(m, hlen + sizeof(struct ip6_hdr) + ICMP_MINLEN); 1497 if (m == NULL) { 1498 NAT64STAT_INC(&cfg->stats, nomem); 1499 return (NAT64RETURN); 1500 } 1501 ip6 = mtod(m, struct ip6_hdr *); 1502 ip6i = mtodo(m, hlen); 1503 ip6f = NULL; 1504 proto = ip6i->ip6_nxt; 1505 plen = ntohs(ip6i->ip6_plen); 1506 hlen += sizeof(struct ip6_hdr); 1507 if (proto == IPPROTO_FRAGMENT) { 1508 if (m->m_pkthdr.len < hlen + sizeof(struct ip6_frag) + 1509 ICMP_MINLEN) 1510 goto fail; 1511 ip6f = mtodo(m, hlen); 1512 proto = ip6f->ip6f_nxt; 1513 plen -= sizeof(struct ip6_frag); 1514 hlen += sizeof(struct ip6_frag); 1515 /* Ajust MTU to reflect frag header size */ 1516 if (type == ICMP_UNREACH && code == ICMP_UNREACH_NEEDFRAG) 1517 mtu -= sizeof(struct ip6_frag); 1518 } 1519 if (proto != IPPROTO_TCP && proto != IPPROTO_UDP) { 1520 DPRINTF(DP_DROPS, "Unsupported proto %d in the inner header", 1521 proto); 1522 goto fail; 1523 } 1524 if (nat64_check_ip6(&ip6i->ip6_src) != 0 || 1525 nat64_check_ip6(&ip6i->ip6_dst) != 0) { 1526 DPRINTF(DP_DROPS, "Inner addresses do not passes the check"); 1527 goto fail; 1528 } 1529 /* Check if outer dst is the same as inner src */ 1530 if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &ip6i->ip6_src)) { 1531 DPRINTF(DP_DROPS, "Inner src doesn't match outer dst"); 1532 goto fail; 1533 } 1534 1535 /* Now we need to make a fake IPv4 packet to generate ICMP message */ 1536 ip.ip_dst.s_addr = aaddr; 1537 ip.ip_src.s_addr = nat64_extract_ip4(&ip6i->ip6_src, cfg->plat_plen); 1538 if (ip.ip_src.s_addr == 0) 1539 goto fail; 1540 /* XXX: Make fake ulp header */ 1541 if (V_nat64out == &nat64_direct) /* init_ip4hdr will decrement it */ 1542 ip6i->ip6_hlim += IPV6_HLIMDEC; 1543 nat64_init_ip4hdr(ip6i, ip6f, plen, proto, &ip); 1544 m_adj(m, hlen - sizeof(struct ip)); 1545 bcopy(&ip, mtod(m, void *), sizeof(ip)); 1546 nat64_icmp_reflect(m, type, code, (uint16_t)mtu, &cfg->stats, 1547 logdata); 1548 return (NAT64RETURN); 1549 fail: 1550 /* 1551 * We must call m_freem() because mbuf pointer could be 1552 * changed with m_pullup(). 1553 */ 1554 m_freem(m); 1555 NAT64STAT_INC(&cfg->stats, dropped); 1556 return (NAT64RETURN); 1557 } 1558 1559 int 1560 nat64_do_handle_ip6(struct mbuf *m, uint32_t aaddr, uint16_t aport, 1561 struct nat64_config *cfg, void *logdata) 1562 { 1563 struct ip ip; 1564 struct nhop_object *nh; 1565 struct sockaddr_in dst; 1566 struct ip6_frag *frag; 1567 struct ip6_hdr *ip6; 1568 struct icmp6_hdr *icmp6; 1569 uint16_t *csum; 1570 int plen, hlen, proto; 1571 1572 /* 1573 * XXX: we expect ipfw_chk() did m_pullup() up to upper level 1574 * protocol's headers. Also we skip some checks, that ip6_input(), 1575 * ip6_forward(), ip6_fastfwd() and ipfw_chk() already did. 1576 */ 1577 ip6 = mtod(m, struct ip6_hdr *); 1578 if (nat64_check_ip6(&ip6->ip6_src) != 0 || 1579 nat64_check_ip6(&ip6->ip6_dst) != 0) { 1580 return (NAT64SKIP); 1581 } 1582 1583 /* Starting from this point we must not return zero */ 1584 ip.ip_src.s_addr = aaddr; 1585 if (nat64_check_ip4(ip.ip_src.s_addr) != 0) { 1586 DPRINTF(DP_GENERIC | DP_DROPS, "invalid source address: %08x", 1587 ip.ip_src.s_addr); 1588 NAT64STAT_INC(&cfg->stats, dropped); 1589 return (NAT64MFREE); 1590 } 1591 1592 ip.ip_dst.s_addr = nat64_extract_ip4(&ip6->ip6_dst, cfg->plat_plen); 1593 if (ip.ip_dst.s_addr == 0) { 1594 NAT64STAT_INC(&cfg->stats, dropped); 1595 return (NAT64MFREE); 1596 } 1597 1598 if (*V_nat64ip6stealth == 0 && ip6->ip6_hlim <= IPV6_HLIMDEC) { 1599 nat64_icmp6_reflect(m, ICMP6_TIME_EXCEEDED, 1600 ICMP6_TIME_EXCEED_TRANSIT, 0, &cfg->stats, logdata); 1601 return (NAT64RETURN); 1602 } 1603 1604 hlen = 0; 1605 plen = ntohs(ip6->ip6_plen); 1606 proto = nat64_getlasthdr(m, &hlen); 1607 if (proto < 0) { 1608 DPRINTF(DP_DROPS, "dropped due to mbuf isn't contigious"); 1609 NAT64STAT_INC(&cfg->stats, dropped); 1610 return (NAT64MFREE); 1611 } 1612 frag = NULL; 1613 if (proto == IPPROTO_FRAGMENT) { 1614 /* ipfw_chk should m_pullup up to frag header */ 1615 if (m->m_len < hlen + sizeof(*frag)) { 1616 DPRINTF(DP_DROPS, 1617 "dropped due to mbuf isn't contigious"); 1618 NAT64STAT_INC(&cfg->stats, dropped); 1619 return (NAT64MFREE); 1620 } 1621 frag = mtodo(m, hlen); 1622 proto = frag->ip6f_nxt; 1623 hlen += sizeof(*frag); 1624 /* Fragmented ICMPv6 is unsupported */ 1625 if (proto == IPPROTO_ICMPV6) { 1626 DPRINTF(DP_DROPS, "dropped due to fragmented ICMPv6"); 1627 NAT64STAT_INC(&cfg->stats, dropped); 1628 return (NAT64MFREE); 1629 } 1630 /* Fragment length must be multiple of 8 octets */ 1631 if ((frag->ip6f_offlg & IP6F_MORE_FRAG) != 0 && 1632 ((plen + sizeof(struct ip6_hdr) - hlen) & 0x7) != 0) { 1633 nat64_icmp6_reflect(m, ICMP6_PARAM_PROB, 1634 ICMP6_PARAMPROB_HEADER, 1635 offsetof(struct ip6_hdr, ip6_plen), &cfg->stats, 1636 logdata); 1637 return (NAT64RETURN); 1638 } 1639 } 1640 plen -= hlen - sizeof(struct ip6_hdr); 1641 if (plen < 0 || m->m_pkthdr.len < plen + hlen) { 1642 DPRINTF(DP_DROPS, "plen %d, pkthdr.len %d, hlen %d", 1643 plen, m->m_pkthdr.len, hlen); 1644 NAT64STAT_INC(&cfg->stats, dropped); 1645 return (NAT64MFREE); 1646 } 1647 1648 icmp6 = NULL; /* Make gcc happy */ 1649 if (proto == IPPROTO_ICMPV6) { 1650 icmp6 = mtodo(m, hlen); 1651 if (icmp6->icmp6_type != ICMP6_ECHO_REQUEST && 1652 icmp6->icmp6_type != ICMP6_ECHO_REPLY) 1653 return (nat64_handle_icmp6(m, hlen, aaddr, aport, 1654 cfg, logdata)); 1655 } 1656 dst.sin_addr.s_addr = ip.ip_dst.s_addr; 1657 nh = nat64_find_route4(&dst, m); 1658 if (nh == NULL) { 1659 NAT64STAT_INC(&cfg->stats, noroute4); 1660 nat64_icmp6_reflect(m, ICMP6_DST_UNREACH, 1661 ICMP6_DST_UNREACH_NOROUTE, 0, &cfg->stats, logdata); 1662 return (NAT64RETURN); 1663 } 1664 if (nh->nh_mtu < plen + sizeof(ip)) { 1665 nat64_icmp6_reflect(m, ICMP6_PACKET_TOO_BIG, 0, nh->nh_mtu, 1666 &cfg->stats, logdata); 1667 return (NAT64RETURN); 1668 } 1669 nat64_init_ip4hdr(ip6, frag, plen, proto, &ip); 1670 1671 /* Handle delayed checksums if needed. */ 1672 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) { 1673 in6_delayed_cksum(m, plen, hlen); 1674 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; 1675 } 1676 /* Convert checksums. */ 1677 switch (proto) { 1678 case IPPROTO_TCP: 1679 csum = &TCP(mtodo(m, hlen))->th_sum; 1680 if (aport != 0) { 1681 struct tcphdr *tcp = TCP(mtodo(m, hlen)); 1682 *csum = cksum_adjust(*csum, tcp->th_sport, aport); 1683 tcp->th_sport = aport; 1684 } 1685 *csum = cksum_add(*csum, nat64_cksum_convert(ip6, &ip)); 1686 break; 1687 case IPPROTO_UDP: 1688 csum = &UDP(mtodo(m, hlen))->uh_sum; 1689 if (aport != 0) { 1690 struct udphdr *udp = UDP(mtodo(m, hlen)); 1691 *csum = cksum_adjust(*csum, udp->uh_sport, aport); 1692 udp->uh_sport = aport; 1693 } 1694 *csum = cksum_add(*csum, nat64_cksum_convert(ip6, &ip)); 1695 break; 1696 case IPPROTO_ICMPV6: 1697 /* Checksum in ICMPv6 covers pseudo header */ 1698 csum = &icmp6->icmp6_cksum; 1699 *csum = cksum_add(*csum, in6_cksum_pseudo(ip6, plen, 1700 IPPROTO_ICMPV6, 0)); 1701 /* Convert ICMPv6 types to ICMP */ 1702 proto = *(uint16_t *)icmp6; /* save old word for cksum_adjust */ 1703 if (icmp6->icmp6_type == ICMP6_ECHO_REQUEST) 1704 icmp6->icmp6_type = ICMP_ECHO; 1705 else /* ICMP6_ECHO_REPLY */ 1706 icmp6->icmp6_type = ICMP_ECHOREPLY; 1707 *csum = cksum_adjust(*csum, (uint16_t)proto, 1708 *(uint16_t *)icmp6); 1709 if (aport != 0) { 1710 uint16_t old_id = icmp6->icmp6_id; 1711 icmp6->icmp6_id = aport; 1712 *csum = cksum_adjust(*csum, old_id, aport); 1713 } 1714 break; 1715 }; 1716 1717 m_adj(m, hlen - sizeof(ip)); 1718 bcopy(&ip, mtod(m, void *), sizeof(ip)); 1719 if (V_nat64out->output(nh->nh_ifp, m, (struct sockaddr *)&dst, 1720 &cfg->stats, logdata) == 0) 1721 NAT64STAT_INC(&cfg->stats, opcnt64); 1722 return (NAT64RETURN); 1723 } 1724