ipfw/nat64/nat64lsn.c

d8caf56eSAndrey V. Elsukov/*-
4d846d26SWarner Losh * SPDX-License-Identifier: BSD-2-Clause
002cae78SAndrey V. Elsukov *
*4a77657cSAndrey V. Elsukov * Copyright (c) 2015-2020 Yandex LLC
d8caf56eSAndrey V. Elsukov * Copyright (c) 2015 Alexander V. Chernikov <melifaro@FreeBSD.org>
*4a77657cSAndrey V. Elsukov * Copyright (c) 2016-2020 Andrey V. Elsukov <ae@FreeBSD.org>
d8caf56eSAndrey V. Elsukov *
d8caf56eSAndrey V. Elsukov * Redistribution and use in source and binary forms, with or without
d8caf56eSAndrey V. Elsukov * modification, are permitted provided that the following conditions
d8caf56eSAndrey V. Elsukov * are met:
d8caf56eSAndrey V. Elsukov *
d8caf56eSAndrey V. Elsukov * 1. Redistributions of source code must retain the above copyright
d8caf56eSAndrey V. Elsukov *    notice, this list of conditions and the following disclaimer.
d8caf56eSAndrey V. Elsukov * 2. Redistributions in binary form must reproduce the above copyright
d8caf56eSAndrey V. Elsukov *    notice, this list of conditions and the following disclaimer in the
d8caf56eSAndrey V. Elsukov *    documentation and/or other materials provided with the distribution.
d8caf56eSAndrey V. Elsukov *
d8caf56eSAndrey V. Elsukov * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
d8caf56eSAndrey V. Elsukov * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
d8caf56eSAndrey V. Elsukov * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
d8caf56eSAndrey V. Elsukov * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
d8caf56eSAndrey V. Elsukov * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
d8caf56eSAndrey V. Elsukov * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
d8caf56eSAndrey V. Elsukov * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
d8caf56eSAndrey V. Elsukov * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
d8caf56eSAndrey V. Elsukov * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
d8caf56eSAndrey V. Elsukov * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
d8caf56eSAndrey V. Elsukov */
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov#include <sys/param.h>
d8caf56eSAndrey V. Elsukov#include <sys/systm.h>
d8caf56eSAndrey V. Elsukov#include <sys/counter.h>
d18c1f26SAndrey V. Elsukov#include <sys/ck.h>
d18c1f26SAndrey V. Elsukov#include <sys/epoch.h>
d8caf56eSAndrey V. Elsukov#include <sys/errno.h>
d18c1f26SAndrey V. Elsukov#include <sys/hash.h>
d8caf56eSAndrey V. Elsukov#include <sys/kernel.h>
d8caf56eSAndrey V. Elsukov#include <sys/lock.h>
d8caf56eSAndrey V. Elsukov#include <sys/malloc.h>
d8caf56eSAndrey V. Elsukov#include <sys/mbuf.h>
d8caf56eSAndrey V. Elsukov#include <sys/module.h>
d8caf56eSAndrey V. Elsukov#include <sys/rmlock.h>
d8caf56eSAndrey V. Elsukov#include <sys/socket.h>
d8caf56eSAndrey V. Elsukov#include <sys/syslog.h>
d8caf56eSAndrey V. Elsukov#include <sys/sysctl.h>
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov#include <net/if.h>
d8caf56eSAndrey V. Elsukov#include <net/if_var.h>
d8caf56eSAndrey V. Elsukov#include <net/if_pflog.h>
d8caf56eSAndrey V. Elsukov#include <net/pfil.h>
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov#include <netinet/in.h>
d8caf56eSAndrey V. Elsukov#include <netinet/ip.h>
d8caf56eSAndrey V. Elsukov#include <netinet/ip_var.h>
d8caf56eSAndrey V. Elsukov#include <netinet/ip_fw.h>
d8caf56eSAndrey V. Elsukov#include <netinet/ip6.h>
d8caf56eSAndrey V. Elsukov#include <netinet/icmp6.h>
d8caf56eSAndrey V. Elsukov#include <netinet/ip_icmp.h>
d8caf56eSAndrey V. Elsukov#include <netinet/tcp.h>
d8caf56eSAndrey V. Elsukov#include <netinet/udp.h>
d8caf56eSAndrey V. Elsukov#include <netinet6/in6_var.h>
d8caf56eSAndrey V. Elsukov#include <netinet6/ip6_var.h>
d8caf56eSAndrey V. Elsukov#include <netinet6/ip_fw_nat64.h>
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov#include <netpfil/ipfw/ip_fw_private.h>
d8caf56eSAndrey V. Elsukov#include <netpfil/pf/pf.h>
d8caf56eSAndrey V. Elsukov
782360deSAndrey V. Elsukov#include "nat64lsn.h"
782360deSAndrey V. Elsukov
d8caf56eSAndrey V. ElsukovMALLOC_DEFINE(M_NAT64LSN, "NAT64LSN", "NAT64LSN");
d8caf56eSAndrey V. Elsukov
e0b7b6d4SAndrey V. Elsukov#define	NAT64LSN_EPOCH_ENTER(et)  NET_EPOCH_ENTER(et)
e0b7b6d4SAndrey V. Elsukov#define	NAT64LSN_EPOCH_EXIT(et)   NET_EPOCH_EXIT(et)
e0b7b6d4SAndrey V. Elsukov#define	NAT64LSN_EPOCH_ASSERT()   NET_EPOCH_ASSERT()
2a4bd982SGleb Smirnoff#define	NAT64LSN_EPOCH_CALL(c, f) NET_EPOCH_CALL((f), (c))
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic uma_zone_t nat64lsn_host_zone;
d18c1f26SAndrey V. Elsukovstatic uma_zone_t nat64lsn_pgchunk_zone;
d18c1f26SAndrey V. Elsukovstatic uma_zone_t nat64lsn_pg_zone;
d18c1f26SAndrey V. Elsukovstatic uma_zone_t nat64lsn_aliaslink_zone;
d18c1f26SAndrey V. Elsukovstatic uma_zone_t nat64lsn_state_zone;
d18c1f26SAndrey V. Elsukovstatic uma_zone_t nat64lsn_job_zone;
d18c1f26SAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovstatic void nat64lsn_periodic(void *data);
d8caf56eSAndrey V. Elsukov#define	PERIODIC_DELAY		4
d8caf56eSAndrey V. Elsukov#define	NAT64_LOOKUP(chain, cmd)	\
*4a77657cSAndrey V. Elsukov    (struct nat64lsn_instance *)SRV_OBJECT((chain), insntod(cmd, kidx)->kidx)
d8caf56eSAndrey V. Elsukov/*
d8caf56eSAndrey V. Elsukov * Delayed job queue, used to create new hosts
d8caf56eSAndrey V. Elsukov * and new portgroups
d8caf56eSAndrey V. Elsukov */
d8caf56eSAndrey V. Elsukovenum nat64lsn_jtype {
d8caf56eSAndrey V. Elsukov	JTYPE_NEWHOST = 1,
d8caf56eSAndrey V. Elsukov	JTYPE_NEWPORTGROUP,
d18c1f26SAndrey V. Elsukov	JTYPE_DESTROY,
d8caf56eSAndrey V. Elsukov};
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovstruct nat64lsn_job_item {
d18c1f26SAndrey V. Elsukov	STAILQ_ENTRY(nat64lsn_job_item)	entries;
d8caf56eSAndrey V. Elsukov	enum nat64lsn_jtype	jtype;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	union {
d18c1f26SAndrey V. Elsukov		struct { /* used by JTYPE_NEWHOST, JTYPE_NEWPORTGROUP */
d6369c2dSAndrey V. Elsukov			struct mbuf		*m;
d18c1f26SAndrey V. Elsukov			struct nat64lsn_host	*host;
d18c1f26SAndrey V. Elsukov			struct nat64lsn_state	*state;
d18c1f26SAndrey V. Elsukov			uint32_t		src6_hval;
d18c1f26SAndrey V. Elsukov			uint32_t		state_hval;
d6369c2dSAndrey V. Elsukov			struct ipfw_flow_id	f_id;
d18c1f26SAndrey V. Elsukov			in_addr_t		faddr;
d18c1f26SAndrey V. Elsukov			uint16_t		port;
d18c1f26SAndrey V. Elsukov			uint8_t			proto;
d18c1f26SAndrey V. Elsukov			uint8_t			done;
d18c1f26SAndrey V. Elsukov		};
d18c1f26SAndrey V. Elsukov		struct { /* used by JTYPE_DESTROY */
d18c1f26SAndrey V. Elsukov			struct nat64lsn_hosts_slist	hosts;
d18c1f26SAndrey V. Elsukov			struct nat64lsn_pg_slist	portgroups;
d18c1f26SAndrey V. Elsukov			struct nat64lsn_pgchunk		*pgchunk;
d18c1f26SAndrey V. Elsukov			struct epoch_context		epoch_ctx;
d18c1f26SAndrey V. Elsukov		};
d18c1f26SAndrey V. Elsukov	};
d8caf56eSAndrey V. Elsukov};
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovstatic struct mtx jmtx;
d8caf56eSAndrey V. Elsukov#define	JQUEUE_LOCK_INIT()	mtx_init(&jmtx, "qlock", NULL, MTX_DEF)
d8caf56eSAndrey V. Elsukov#define	JQUEUE_LOCK_DESTROY()	mtx_destroy(&jmtx)
d8caf56eSAndrey V. Elsukov#define	JQUEUE_LOCK()		mtx_lock(&jmtx)
d8caf56eSAndrey V. Elsukov#define	JQUEUE_UNLOCK()		mtx_unlock(&jmtx)
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic int nat64lsn_alloc_host(struct nat64lsn_cfg *cfg,
d18c1f26SAndrey V. Elsukov    struct nat64lsn_job_item *ji);
d18c1f26SAndrey V. Elsukovstatic int nat64lsn_alloc_pg(struct nat64lsn_cfg *cfg,
d18c1f26SAndrey V. Elsukov    struct nat64lsn_job_item *ji);
d18c1f26SAndrey V. Elsukovstatic struct nat64lsn_job_item *nat64lsn_create_job(
d18c1f26SAndrey V. Elsukov    struct nat64lsn_cfg *cfg, int jtype);
d8caf56eSAndrey V. Elsukovstatic void nat64lsn_enqueue_job(struct nat64lsn_cfg *cfg,
d8caf56eSAndrey V. Elsukov    struct nat64lsn_job_item *ji);
d18c1f26SAndrey V. Elsukovstatic void nat64lsn_job_destroy(epoch_context_t ctx);
d18c1f26SAndrey V. Elsukovstatic void nat64lsn_destroy_host(struct nat64lsn_host *host);
d18c1f26SAndrey V. Elsukovstatic void nat64lsn_destroy_pg(struct nat64lsn_pg *pg);
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovstatic int nat64lsn_translate4(struct nat64lsn_cfg *cfg,
d18c1f26SAndrey V. Elsukov    const struct ipfw_flow_id *f_id, struct mbuf **mp);
d8caf56eSAndrey V. Elsukovstatic int nat64lsn_translate6(struct nat64lsn_cfg *cfg,
d18c1f26SAndrey V. Elsukov    struct ipfw_flow_id *f_id, struct mbuf **mp);
d18c1f26SAndrey V. Elsukovstatic int nat64lsn_translate6_internal(struct nat64lsn_cfg *cfg,
d18c1f26SAndrey V. Elsukov    struct mbuf **mp, struct nat64lsn_state *state, uint8_t flags);
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov#define	NAT64_BIT_TCP_FIN	0	/* FIN was seen */
d18c1f26SAndrey V. Elsukov#define	NAT64_BIT_TCP_SYN	1	/* First syn in->out */
d18c1f26SAndrey V. Elsukov#define	NAT64_BIT_TCP_ESTAB	2	/* Packet with Ack */
d18c1f26SAndrey V. Elsukov#define	NAT64_BIT_READY_IPV4	6	/* state is ready for translate4 */
d18c1f26SAndrey V. Elsukov#define	NAT64_BIT_STALE		7	/* state is going to be expired */
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov#define	NAT64_FLAG_FIN		(1 << NAT64_BIT_TCP_FIN)
d18c1f26SAndrey V. Elsukov#define	NAT64_FLAG_SYN		(1 << NAT64_BIT_TCP_SYN)
d18c1f26SAndrey V. Elsukov#define	NAT64_FLAG_ESTAB	(1 << NAT64_BIT_TCP_ESTAB)
d18c1f26SAndrey V. Elsukov#define	NAT64_FLAGS_TCP	(NAT64_FLAG_SYN|NAT64_FLAG_ESTAB|NAT64_FLAG_FIN)
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov#define	NAT64_FLAG_READY	(1 << NAT64_BIT_READY_IPV4)
d18c1f26SAndrey V. Elsukov#define	NAT64_FLAG_STALE	(1 << NAT64_BIT_STALE)
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovstatic inline uint8_t
d8caf56eSAndrey V. Elsukovconvert_tcp_flags(uint8_t flags)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov	uint8_t result;
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	result = flags & (TH_FIN|TH_SYN);
d8caf56eSAndrey V. Elsukov	result |= (flags & TH_RST) >> 2; /* Treat RST as FIN */
d8caf56eSAndrey V. Elsukov	result |= (flags & TH_ACK) >> 2; /* Treat ACK as estab */
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	return (result);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic void
d18c1f26SAndrey V. Elsukovnat64lsn_log(struct pfloghdr *plog, struct mbuf *m, sa_family_t family,
d18c1f26SAndrey V. Elsukov    struct nat64lsn_state *state)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	memset(plog, 0, sizeof(*plog));
*4a77657cSAndrey V. Elsukov	plog->length = PFLOG_REAL_HDRLEN;
d18c1f26SAndrey V. Elsukov	plog->af = family;
d18c1f26SAndrey V. Elsukov	plog->action = PF_NAT;
d18c1f26SAndrey V. Elsukov	plog->dir = PF_IN;
d18c1f26SAndrey V. Elsukov	plog->rulenr = htonl(state->ip_src);
d18c1f26SAndrey V. Elsukov	plog->subrulenr = htonl((uint32_t)(state->aport << 16) |
d18c1f26SAndrey V. Elsukov	    (state->proto << 8) | (state->ip_dst & 0xff));
d18c1f26SAndrey V. Elsukov	plog->ruleset[0] = '\0';
d18c1f26SAndrey V. Elsukov	strlcpy(plog->ifname, "NAT64LSN", sizeof(plog->ifname));
d18c1f26SAndrey V. Elsukov	ipfw_bpf_mtap2(plog, PFLOG_HDRLEN, m);
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov#define	HVAL(p, n, s)	jenkins_hash32((const uint32_t *)(p), (n), (s))
d18c1f26SAndrey V. Elsukov#define	HOST_HVAL(c, a)	HVAL((a),\
d18c1f26SAndrey V. Elsukov    sizeof(struct in6_addr) / sizeof(uint32_t), (c)->hash_seed)
d18c1f26SAndrey V. Elsukov#define	HOSTS(c, v)	((c)->hosts_hash[(v) & ((c)->hosts_hashsize - 1)])
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov#define	ALIASLINK_HVAL(c, f)	HVAL(&(f)->dst_ip6,\
d18c1f26SAndrey V. Elsukov    sizeof(struct in6_addr) * 2 / sizeof(uint32_t), (c)->hash_seed)
d18c1f26SAndrey V. Elsukov#define	ALIAS_BYHASH(c, v)	\
d18c1f26SAndrey V. Elsukov    ((c)->aliases[(v) & ((1 << (32 - (c)->plen4)) - 1)])
d18c1f26SAndrey V. Elsukovstatic struct nat64lsn_aliaslink*
d18c1f26SAndrey V. Elsukovnat64lsn_get_aliaslink(struct nat64lsn_cfg *cfg __unused,
d18c1f26SAndrey V. Elsukov    struct nat64lsn_host *host, const struct ipfw_flow_id *f_id __unused)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/*
d18c1f26SAndrey V. Elsukov	 * We can implement some different algorithms how
d18c1f26SAndrey V. Elsukov	 * select an alias address.
d18c1f26SAndrey V. Elsukov	 * XXX: for now we use first available.
d18c1f26SAndrey V. Elsukov	 */
d18c1f26SAndrey V. Elsukov	return (CK_SLIST_FIRST(&host->aliases));
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
*4a77657cSAndrey V. Elsukovstatic struct nat64lsn_alias*
*4a77657cSAndrey V. Elsukovnat64lsn_get_alias(struct nat64lsn_cfg *cfg,
*4a77657cSAndrey V. Elsukov    const struct ipfw_flow_id *f_id __unused)
*4a77657cSAndrey V. Elsukov{
*4a77657cSAndrey V. Elsukov	static uint32_t idx = 0;
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov	/*
*4a77657cSAndrey V. Elsukov	 * We can choose alias by number of allocated PGs,
*4a77657cSAndrey V. Elsukov	 * not used yet by other hosts, or some static configured
*4a77657cSAndrey V. Elsukov	 * by user.
*4a77657cSAndrey V. Elsukov	 * XXX: for now we choose it using round robin.
*4a77657cSAndrey V. Elsukov	 */
*4a77657cSAndrey V. Elsukov	return (&ALIAS_BYHASH(cfg, idx++));
*4a77657cSAndrey V. Elsukov}
*4a77657cSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov#define	STATE_HVAL(c, d)	HVAL((d), 2, (c)->hash_seed)
d18c1f26SAndrey V. Elsukov#define	STATE_HASH(h, v)	\
d18c1f26SAndrey V. Elsukov    ((h)->states_hash[(v) & ((h)->states_hashsize - 1)])
d18c1f26SAndrey V. Elsukov#define	STATES_CHUNK(p, v)	\
d18c1f26SAndrey V. Elsukov    ((p)->chunks_count == 1 ? (p)->states : \
d18c1f26SAndrey V. Elsukov	((p)->states_chunk[CHUNK_BY_FADDR(p, v)]))
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov#ifdef __LP64__
d18c1f26SAndrey V. Elsukov#define	FREEMASK_FFSLL(pg, faddr)		\
d18c1f26SAndrey V. Elsukov    ffsll(*FREEMASK_CHUNK((pg), (faddr)))
d18c1f26SAndrey V. Elsukov#define	FREEMASK_BTR(pg, faddr, bit)	\
d18c1f26SAndrey V. Elsukov    ck_pr_btr_64(FREEMASK_CHUNK((pg), (faddr)), (bit))
d18c1f26SAndrey V. Elsukov#define	FREEMASK_BTS(pg, faddr, bit)	\
d18c1f26SAndrey V. Elsukov    ck_pr_bts_64(FREEMASK_CHUNK((pg), (faddr)), (bit))
d18c1f26SAndrey V. Elsukov#define	FREEMASK_ISSET(pg, faddr, bit)	\
d18c1f26SAndrey V. Elsukov    ISSET64(*FREEMASK_CHUNK((pg), (faddr)), (bit))
d18c1f26SAndrey V. Elsukov#define	FREEMASK_COPY(pg, n, out)	\
d18c1f26SAndrey V. Elsukov    (out) = ck_pr_load_64(FREEMASK_CHUNK((pg), (n)))
d18c1f26SAndrey V. Elsukov#else
d18c1f26SAndrey V. Elsukovstatic inline int
d18c1f26SAndrey V. Elsukovfreemask_ffsll(uint32_t *freemask)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	int i;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	if ((i = ffsl(freemask[0])) != 0)
d18c1f26SAndrey V. Elsukov		return (i);
d18c1f26SAndrey V. Elsukov	if ((i = ffsl(freemask[1])) != 0)
d18c1f26SAndrey V. Elsukov		return (i + 32);
d18c1f26SAndrey V. Elsukov	return (0);
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov#define	FREEMASK_FFSLL(pg, faddr)		\
d18c1f26SAndrey V. Elsukov    freemask_ffsll(FREEMASK_CHUNK((pg), (faddr)))
d18c1f26SAndrey V. Elsukov#define	FREEMASK_BTR(pg, faddr, bit)	\
d18c1f26SAndrey V. Elsukov    ck_pr_btr_32(FREEMASK_CHUNK((pg), (faddr)) + (bit) / 32, (bit) % 32)
d18c1f26SAndrey V. Elsukov#define	FREEMASK_BTS(pg, faddr, bit)	\
d18c1f26SAndrey V. Elsukov    ck_pr_bts_32(FREEMASK_CHUNK((pg), (faddr)) + (bit) / 32, (bit) % 32)
d18c1f26SAndrey V. Elsukov#define	FREEMASK_ISSET(pg, faddr, bit)	\
d18c1f26SAndrey V. Elsukov    ISSET32(*(FREEMASK_CHUNK((pg), (faddr)) + (bit) / 32), (bit) % 32)
d18c1f26SAndrey V. Elsukov#define	FREEMASK_COPY(pg, n, out)	\
d18c1f26SAndrey V. Elsukov    (out) = ck_pr_load_32(FREEMASK_CHUNK((pg), (n))) | \
d18c1f26SAndrey V. Elsukov	((uint64_t)ck_pr_load_32(FREEMASK_CHUNK((pg), (n)) + 1) << 32)
d18c1f26SAndrey V. Elsukov#endif /* !__LP64__ */
d18c1f26SAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov#define	NAT64LSN_TRY_PGCNT	36
d18c1f26SAndrey V. Elsukovstatic struct nat64lsn_pg*
d18c1f26SAndrey V. Elsukovnat64lsn_get_pg(uint32_t *chunkmask, uint32_t *pgmask,
*4a77657cSAndrey V. Elsukov    struct nat64lsn_pgchunk **chunks, uint32_t *pgidx, in_addr_t faddr)
d18c1f26SAndrey V. Elsukov{
*4a77657cSAndrey V. Elsukov	struct nat64lsn_pg *pg;
d18c1f26SAndrey V. Elsukov	uint32_t idx, oldidx;
d18c1f26SAndrey V. Elsukov	int cnt;
d18c1f26SAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov	/* First try last used PG. */
d18c1f26SAndrey V. Elsukov	idx = oldidx = ck_pr_load_32(pgidx);
*4a77657cSAndrey V. Elsukov	MPASS(idx < 1024);
*4a77657cSAndrey V. Elsukov	cnt = 0;
d18c1f26SAndrey V. Elsukov	do {
d18c1f26SAndrey V. Elsukov		ck_pr_fence_load();
*4a77657cSAndrey V. Elsukov		if (idx > 1023 || !ISSET32(*chunkmask, idx / 32)) {
*4a77657cSAndrey V. Elsukov			/* If it is first try, reset idx to first PG */
*4a77657cSAndrey V. Elsukov			idx = 0;
d18c1f26SAndrey V. Elsukov			/* Stop if idx is out of range */
*4a77657cSAndrey V. Elsukov			if (cnt > 0)
d18c1f26SAndrey V. Elsukov				break;
*4a77657cSAndrey V. Elsukov		}
*4a77657cSAndrey V. Elsukov		if (ISSET32(pgmask[idx / 32], idx % 32)) {
d18c1f26SAndrey V. Elsukov			pg = ck_pr_load_ptr(
d18c1f26SAndrey V. Elsukov			    &chunks[idx / 32]->pgptr[idx % 32]);
*4a77657cSAndrey V. Elsukov			ck_pr_fence_load();
*4a77657cSAndrey V. Elsukov			/*
*4a77657cSAndrey V. Elsukov			 * Make sure that pg did not become DEAD.
*4a77657cSAndrey V. Elsukov			 */
*4a77657cSAndrey V. Elsukov			if ((pg->flags & NAT64LSN_DEADPG) == 0 &&
*4a77657cSAndrey V. Elsukov			    FREEMASK_BITCOUNT(pg, faddr) > 0) {
*4a77657cSAndrey V. Elsukov				if (cnt > 0)
*4a77657cSAndrey V. Elsukov					ck_pr_cas_32(pgidx, oldidx, idx);
*4a77657cSAndrey V. Elsukov				return (pg);
*4a77657cSAndrey V. Elsukov			}
*4a77657cSAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		idx++;
d18c1f26SAndrey V. Elsukov	} while (++cnt < NAT64LSN_TRY_PGCNT);
*4a77657cSAndrey V. Elsukov	if (oldidx != idx)
d18c1f26SAndrey V. Elsukov		ck_pr_cas_32(pgidx, oldidx, idx);
d18c1f26SAndrey V. Elsukov	return (NULL);
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic struct nat64lsn_state*
d18c1f26SAndrey V. Elsukovnat64lsn_get_state6to4(struct nat64lsn_cfg *cfg, struct nat64lsn_host *host,
d18c1f26SAndrey V. Elsukov    const struct ipfw_flow_id *f_id, uint32_t hval, in_addr_t faddr,
d18c1f26SAndrey V. Elsukov    uint16_t port, uint8_t proto)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_aliaslink *link;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_state *state;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_pg *pg;
d18c1f26SAndrey V. Elsukov	int i, offset;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	NAT64LSN_EPOCH_ASSERT();
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Check that we already have state for given arguments */
d18c1f26SAndrey V. Elsukov	CK_SLIST_FOREACH(state, &STATE_HASH(host, hval), entries) {
d18c1f26SAndrey V. Elsukov		if (state->proto == proto && state->ip_dst == faddr &&
d18c1f26SAndrey V. Elsukov		    state->sport == port && state->dport == f_id->dst_port)
d18c1f26SAndrey V. Elsukov			return (state);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	link = nat64lsn_get_aliaslink(cfg, host, f_id);
d18c1f26SAndrey V. Elsukov	if (link == NULL)
d18c1f26SAndrey V. Elsukov		return (NULL);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	switch (proto) {
d18c1f26SAndrey V. Elsukov	case IPPROTO_TCP:
*4a77657cSAndrey V. Elsukov		pg = nat64lsn_get_pg(&link->alias->tcp_chunkmask,
*4a77657cSAndrey V. Elsukov		    link->alias->tcp_pgmask, link->alias->tcp,
d18c1f26SAndrey V. Elsukov		    &link->alias->tcp_pgidx, faddr);
d18c1f26SAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	case IPPROTO_UDP:
*4a77657cSAndrey V. Elsukov		pg = nat64lsn_get_pg(&link->alias->udp_chunkmask,
*4a77657cSAndrey V. Elsukov		    link->alias->udp_pgmask, link->alias->udp,
d18c1f26SAndrey V. Elsukov		    &link->alias->udp_pgidx, faddr);
d18c1f26SAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	case IPPROTO_ICMP:
*4a77657cSAndrey V. Elsukov		pg = nat64lsn_get_pg(&link->alias->icmp_chunkmask,
*4a77657cSAndrey V. Elsukov		    link->alias->icmp_pgmask, link->alias->icmp,
d18c1f26SAndrey V. Elsukov		    &link->alias->icmp_pgidx, faddr);
d18c1f26SAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	default:
d18c1f26SAndrey V. Elsukov		panic("%s: wrong proto %d", __func__, proto);
d18c1f26SAndrey V. Elsukov	}
*4a77657cSAndrey V. Elsukov	if (pg == NULL || (pg->flags & NAT64LSN_DEADPG) != 0)
d18c1f26SAndrey V. Elsukov		return (NULL);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Check that PG has some free states */
d18c1f26SAndrey V. Elsukov	state = NULL;
d18c1f26SAndrey V. Elsukov	i = FREEMASK_BITCOUNT(pg, faddr);
d18c1f26SAndrey V. Elsukov	while (i-- > 0) {
d18c1f26SAndrey V. Elsukov		offset = FREEMASK_FFSLL(pg, faddr);
d18c1f26SAndrey V. Elsukov		if (offset == 0) {
d18c1f26SAndrey V. Elsukov			/*
d18c1f26SAndrey V. Elsukov			 * We lost the race.
d18c1f26SAndrey V. Elsukov			 * No more free states in this PG.
d18c1f26SAndrey V. Elsukov			 */
d18c1f26SAndrey V. Elsukov			break;
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov		/* Lets try to atomically grab the state */
d18c1f26SAndrey V. Elsukov		if (FREEMASK_BTR(pg, faddr, offset - 1)) {
d18c1f26SAndrey V. Elsukov			state = &STATES_CHUNK(pg, faddr)->state[offset - 1];
d18c1f26SAndrey V. Elsukov			/* Initialize */
d18c1f26SAndrey V. Elsukov			state->flags = proto != IPPROTO_TCP ? 0 :
d18c1f26SAndrey V. Elsukov			    convert_tcp_flags(f_id->_flags);
d18c1f26SAndrey V. Elsukov			state->proto = proto;
d18c1f26SAndrey V. Elsukov			state->aport = pg->base_port + offset - 1;
d18c1f26SAndrey V. Elsukov			state->dport = f_id->dst_port;
d18c1f26SAndrey V. Elsukov			state->sport = port;
d18c1f26SAndrey V. Elsukov			state->ip6_dst = f_id->dst_ip6;
d18c1f26SAndrey V. Elsukov			state->ip_dst = faddr;
d18c1f26SAndrey V. Elsukov			state->ip_src = link->alias->addr;
d18c1f26SAndrey V. Elsukov			state->hval = hval;
d18c1f26SAndrey V. Elsukov			state->host = host;
d18c1f26SAndrey V. Elsukov			SET_AGE(state->timestamp);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov			/* Insert new state into host's hash table */
d18c1f26SAndrey V. Elsukov			HOST_LOCK(host);
*4a77657cSAndrey V. Elsukov			SET_AGE(host->timestamp);
d18c1f26SAndrey V. Elsukov			CK_SLIST_INSERT_HEAD(&STATE_HASH(host, hval),
d18c1f26SAndrey V. Elsukov			    state, entries);
d18c1f26SAndrey V. Elsukov			host->states_count++;
d18c1f26SAndrey V. Elsukov			HOST_UNLOCK(host);
d18c1f26SAndrey V. Elsukov			NAT64STAT_INC(&cfg->base.stats, screated);
d18c1f26SAndrey V. Elsukov			/* Mark the state as ready for translate4 */
d18c1f26SAndrey V. Elsukov			ck_pr_fence_store();
d18c1f26SAndrey V. Elsukov			ck_pr_bts_32(&state->flags, NAT64_BIT_READY_IPV4);
d18c1f26SAndrey V. Elsukov			break;
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	return (state);
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov/*
d18c1f26SAndrey V. Elsukov * Inspects icmp packets to see if the message contains different
d18c1f26SAndrey V. Elsukov * packet header so we need to alter @addr and @port.
d18c1f26SAndrey V. Elsukov */
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovinspect_icmp_mbuf(struct mbuf **mp, uint8_t *proto, uint32_t *addr,
d18c1f26SAndrey V. Elsukov    uint16_t *port)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct icmp *icmp;
d18c1f26SAndrey V. Elsukov	struct ip *ip;
d18c1f26SAndrey V. Elsukov	int off;
d18c1f26SAndrey V. Elsukov	uint8_t inner_proto;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	ip = mtod(*mp, struct ip *); /* Outer IP header */
d18c1f26SAndrey V. Elsukov	off = (ip->ip_hl << 2) + ICMP_MINLEN;
d18c1f26SAndrey V. Elsukov	if ((*mp)->m_len < off)
d18c1f26SAndrey V. Elsukov		*mp = m_pullup(*mp, off);
d18c1f26SAndrey V. Elsukov	if (*mp == NULL)
d18c1f26SAndrey V. Elsukov		return (ENOMEM);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	ip = mtod(*mp, struct ip *); /* Outer IP header */
d18c1f26SAndrey V. Elsukov	icmp = L3HDR(ip, struct icmp *);
d18c1f26SAndrey V. Elsukov	switch (icmp->icmp_type) {
d18c1f26SAndrey V. Elsukov	case ICMP_ECHO:
d18c1f26SAndrey V. Elsukov	case ICMP_ECHOREPLY:
d18c1f26SAndrey V. Elsukov		/* Use icmp ID as distinguisher */
d18c1f26SAndrey V. Elsukov		*port = ntohs(icmp->icmp_id);
d18c1f26SAndrey V. Elsukov		return (0);
d18c1f26SAndrey V. Elsukov	case ICMP_UNREACH:
d18c1f26SAndrey V. Elsukov	case ICMP_TIMXCEED:
d18c1f26SAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	default:
d18c1f26SAndrey V. Elsukov		return (EOPNOTSUPP);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	/*
d18c1f26SAndrey V. Elsukov	 * ICMP_UNREACH and ICMP_TIMXCEED contains IP header + 64 bits
d18c1f26SAndrey V. Elsukov	 * of ULP header.
d18c1f26SAndrey V. Elsukov	 */
d18c1f26SAndrey V. Elsukov	if ((*mp)->m_pkthdr.len < off + sizeof(struct ip) + ICMP_MINLEN)
d18c1f26SAndrey V. Elsukov		return (EINVAL);
d18c1f26SAndrey V. Elsukov	if ((*mp)->m_len < off + sizeof(struct ip) + ICMP_MINLEN)
d18c1f26SAndrey V. Elsukov		*mp = m_pullup(*mp, off + sizeof(struct ip) + ICMP_MINLEN);
d18c1f26SAndrey V. Elsukov	if (*mp == NULL)
d18c1f26SAndrey V. Elsukov		return (ENOMEM);
d18c1f26SAndrey V. Elsukov	ip = mtodo(*mp, off); /* Inner IP header */
d18c1f26SAndrey V. Elsukov	inner_proto = ip->ip_p;
d18c1f26SAndrey V. Elsukov	off += ip->ip_hl << 2; /* Skip inner IP header */
d18c1f26SAndrey V. Elsukov	*addr = ntohl(ip->ip_src.s_addr);
d18c1f26SAndrey V. Elsukov	if ((*mp)->m_len < off + ICMP_MINLEN)
d18c1f26SAndrey V. Elsukov		*mp = m_pullup(*mp, off + ICMP_MINLEN);
d18c1f26SAndrey V. Elsukov	if (*mp == NULL)
d18c1f26SAndrey V. Elsukov		return (ENOMEM);
d18c1f26SAndrey V. Elsukov	switch (inner_proto) {
d18c1f26SAndrey V. Elsukov	case IPPROTO_TCP:
d18c1f26SAndrey V. Elsukov	case IPPROTO_UDP:
d18c1f26SAndrey V. Elsukov		/* Copy source port from the header */
d18c1f26SAndrey V. Elsukov		*port = ntohs(*((uint16_t *)mtodo(*mp, off)));
d18c1f26SAndrey V. Elsukov		*proto = inner_proto;
d18c1f26SAndrey V. Elsukov		return (0);
d18c1f26SAndrey V. Elsukov	case IPPROTO_ICMP:
d18c1f26SAndrey V. Elsukov		/*
d18c1f26SAndrey V. Elsukov		 * We will translate only ICMP errors for our ICMP
d18c1f26SAndrey V. Elsukov		 * echo requests.
d18c1f26SAndrey V. Elsukov		 */
d18c1f26SAndrey V. Elsukov		icmp = mtodo(*mp, off);
d18c1f26SAndrey V. Elsukov		if (icmp->icmp_type != ICMP_ECHO)
d18c1f26SAndrey V. Elsukov			return (EOPNOTSUPP);
d18c1f26SAndrey V. Elsukov		*port = ntohs(icmp->icmp_id);
d18c1f26SAndrey V. Elsukov		return (0);
d18c1f26SAndrey V. Elsukov	};
d18c1f26SAndrey V. Elsukov	return (EOPNOTSUPP);
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic struct nat64lsn_state*
d18c1f26SAndrey V. Elsukovnat64lsn_get_state4to6(struct nat64lsn_cfg *cfg, struct nat64lsn_alias *alias,
d18c1f26SAndrey V. Elsukov    in_addr_t faddr, uint16_t port, uint8_t proto)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_state *state;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_pg *pg;
d18c1f26SAndrey V. Elsukov	int chunk_idx, pg_idx, state_idx;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	NAT64LSN_EPOCH_ASSERT();
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	if (port < NAT64_MIN_PORT)
d18c1f26SAndrey V. Elsukov		return (NULL);
d18c1f26SAndrey V. Elsukov	/*
d18c1f26SAndrey V. Elsukov	 * Alias keeps 32 pgchunks for each protocol.
d18c1f26SAndrey V. Elsukov	 * Each pgchunk has 32 pointers to portgroup.
d18c1f26SAndrey V. Elsukov	 * Each portgroup has 64 states for ports.
d18c1f26SAndrey V. Elsukov	 */
d18c1f26SAndrey V. Elsukov	port -= NAT64_MIN_PORT;
d18c1f26SAndrey V. Elsukov	chunk_idx = port / 2048;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	port -= chunk_idx * 2048;
d18c1f26SAndrey V. Elsukov	pg_idx = port / 64;
d18c1f26SAndrey V. Elsukov	state_idx = port % 64;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/*
d18c1f26SAndrey V. Elsukov	 * First check in proto_chunkmask that we have allocated PG chunk.
d18c1f26SAndrey V. Elsukov	 * Then check in proto_pgmask that we have valid PG pointer.
d18c1f26SAndrey V. Elsukov	 */
d18c1f26SAndrey V. Elsukov	pg = NULL;
d18c1f26SAndrey V. Elsukov	switch (proto) {
d18c1f26SAndrey V. Elsukov	case IPPROTO_TCP:
d18c1f26SAndrey V. Elsukov		if (ISSET32(alias->tcp_chunkmask, chunk_idx) &&
d18c1f26SAndrey V. Elsukov		    ISSET32(alias->tcp_pgmask[chunk_idx], pg_idx)) {
d18c1f26SAndrey V. Elsukov			pg = alias->tcp[chunk_idx]->pgptr[pg_idx];
d18c1f26SAndrey V. Elsukov			break;
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		return (NULL);
d18c1f26SAndrey V. Elsukov	case IPPROTO_UDP:
d18c1f26SAndrey V. Elsukov		if (ISSET32(alias->udp_chunkmask, chunk_idx) &&
d18c1f26SAndrey V. Elsukov		    ISSET32(alias->udp_pgmask[chunk_idx], pg_idx)) {
d18c1f26SAndrey V. Elsukov			pg = alias->udp[chunk_idx]->pgptr[pg_idx];
d18c1f26SAndrey V. Elsukov			break;
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		return (NULL);
d18c1f26SAndrey V. Elsukov	case IPPROTO_ICMP:
d18c1f26SAndrey V. Elsukov		if (ISSET32(alias->icmp_chunkmask, chunk_idx) &&
d18c1f26SAndrey V. Elsukov		    ISSET32(alias->icmp_pgmask[chunk_idx], pg_idx)) {
d18c1f26SAndrey V. Elsukov			pg = alias->icmp[chunk_idx]->pgptr[pg_idx];
d18c1f26SAndrey V. Elsukov			break;
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		return (NULL);
d18c1f26SAndrey V. Elsukov	default:
d18c1f26SAndrey V. Elsukov		panic("%s: wrong proto %d", __func__, proto);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	if (pg == NULL)
d18c1f26SAndrey V. Elsukov		return (NULL);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	if (FREEMASK_ISSET(pg, faddr, state_idx))
d18c1f26SAndrey V. Elsukov		return (NULL);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	state = &STATES_CHUNK(pg, faddr)->state[state_idx];
d18c1f26SAndrey V. Elsukov	ck_pr_fence_load();
d18c1f26SAndrey V. Elsukov	if (ck_pr_load_32(&state->flags) & NAT64_FLAG_READY)
d18c1f26SAndrey V. Elsukov		return (state);
d18c1f26SAndrey V. Elsukov	return (NULL);
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
f909db0bSAndrey V. Elsukov/*
f909db0bSAndrey V. Elsukov * Reassemble IPv4 fragments, make PULLUP if needed, get some ULP fields
f909db0bSAndrey V. Elsukov * that might be unknown until reassembling is completed.
f909db0bSAndrey V. Elsukov */
f909db0bSAndrey V. Elsukovstatic struct mbuf*
f909db0bSAndrey V. Elsukovnat64lsn_reassemble4(struct nat64lsn_cfg *cfg, struct mbuf *m,
f909db0bSAndrey V. Elsukov    uint16_t *port)
f909db0bSAndrey V. Elsukov{
f909db0bSAndrey V. Elsukov	struct ip *ip;
f909db0bSAndrey V. Elsukov	int len;
f909db0bSAndrey V. Elsukov
f909db0bSAndrey V. Elsukov	m = ip_reass(m);
f909db0bSAndrey V. Elsukov	if (m == NULL)
f909db0bSAndrey V. Elsukov		return (NULL);
f909db0bSAndrey V. Elsukov	/* IP header must be contigious after ip_reass() */
f909db0bSAndrey V. Elsukov	ip = mtod(m, struct ip *);
f909db0bSAndrey V. Elsukov	len = ip->ip_hl << 2;
f909db0bSAndrey V. Elsukov	switch (ip->ip_p) {
f909db0bSAndrey V. Elsukov	case IPPROTO_ICMP:
*4a77657cSAndrey V. Elsukov		len += ICMP_MINLEN;
f909db0bSAndrey V. Elsukov		break;
f909db0bSAndrey V. Elsukov	case IPPROTO_TCP:
f909db0bSAndrey V. Elsukov		len += sizeof(struct tcphdr);
f909db0bSAndrey V. Elsukov		break;
f909db0bSAndrey V. Elsukov	case IPPROTO_UDP:
f909db0bSAndrey V. Elsukov		len += sizeof(struct udphdr);
f909db0bSAndrey V. Elsukov		break;
f909db0bSAndrey V. Elsukov	default:
f909db0bSAndrey V. Elsukov		m_freem(m);
f909db0bSAndrey V. Elsukov		NAT64STAT_INC(&cfg->base.stats, noproto);
f909db0bSAndrey V. Elsukov		return (NULL);
f909db0bSAndrey V. Elsukov	}
f909db0bSAndrey V. Elsukov	if (m->m_len < len) {
f909db0bSAndrey V. Elsukov		m = m_pullup(m, len);
f909db0bSAndrey V. Elsukov		if (m == NULL) {
f909db0bSAndrey V. Elsukov			NAT64STAT_INC(&cfg->base.stats, nomem);
f909db0bSAndrey V. Elsukov			return (NULL);
f909db0bSAndrey V. Elsukov		}
f909db0bSAndrey V. Elsukov		ip = mtod(m, struct ip *);
f909db0bSAndrey V. Elsukov	}
f909db0bSAndrey V. Elsukov	switch (ip->ip_p) {
f909db0bSAndrey V. Elsukov	case IPPROTO_TCP:
f909db0bSAndrey V. Elsukov		*port = ntohs(L3HDR(ip, struct tcphdr *)->th_dport);
f909db0bSAndrey V. Elsukov		break;
f909db0bSAndrey V. Elsukov	case IPPROTO_UDP:
f909db0bSAndrey V. Elsukov		*port = ntohs(L3HDR(ip, struct udphdr *)->uh_dport);
f909db0bSAndrey V. Elsukov		break;
f909db0bSAndrey V. Elsukov	}
f909db0bSAndrey V. Elsukov	return (m);
f909db0bSAndrey V. Elsukov}
f909db0bSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_translate4(struct nat64lsn_cfg *cfg,
d18c1f26SAndrey V. Elsukov    const struct ipfw_flow_id *f_id, struct mbuf **mp)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov	struct pfloghdr loghdr, *logdata;
d8caf56eSAndrey V. Elsukov	struct in6_addr src6;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_state *state;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_alias *alias;
d18c1f26SAndrey V. Elsukov	uint32_t addr, flags;
d18c1f26SAndrey V. Elsukov	uint16_t port, ts;
d8caf56eSAndrey V. Elsukov	int ret;
d18c1f26SAndrey V. Elsukov	uint8_t proto;
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	addr = f_id->dst_ip;
d8caf56eSAndrey V. Elsukov	port = f_id->dst_port;
d18c1f26SAndrey V. Elsukov	proto = f_id->proto;
d8caf56eSAndrey V. Elsukov	if (addr < cfg->prefix4 || addr > cfg->pmask4) {
782360deSAndrey V. Elsukov		NAT64STAT_INC(&cfg->base.stats, nomatch4);
d8caf56eSAndrey V. Elsukov		return (cfg->nomatch_verdict);
d8caf56eSAndrey V. Elsukov	}
d8caf56eSAndrey V. Elsukov
f909db0bSAndrey V. Elsukov	/* Reassemble fragments if needed */
f909db0bSAndrey V. Elsukov	ret = ntohs(mtod(*mp, struct ip *)->ip_off);
f909db0bSAndrey V. Elsukov	if ((ret & (IP_MF | IP_OFFMASK)) != 0) {
f909db0bSAndrey V. Elsukov		*mp = nat64lsn_reassemble4(cfg, *mp, &port);
f909db0bSAndrey V. Elsukov		if (*mp == NULL)
f909db0bSAndrey V. Elsukov			return (IP_FW_DENY);
f909db0bSAndrey V. Elsukov	}
f909db0bSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Check if protocol is supported */
d18c1f26SAndrey V. Elsukov	switch (proto) {
d18c1f26SAndrey V. Elsukov	case IPPROTO_ICMP:
d18c1f26SAndrey V. Elsukov		ret = inspect_icmp_mbuf(mp, &proto, &addr, &port);
d8caf56eSAndrey V. Elsukov		if (ret != 0) {
eed30257SAndrey V. Elsukov			if (ret == ENOMEM) {
782360deSAndrey V. Elsukov				NAT64STAT_INC(&cfg->base.stats, nomem);
eed30257SAndrey V. Elsukov				return (IP_FW_DENY);
eed30257SAndrey V. Elsukov			}
782360deSAndrey V. Elsukov			NAT64STAT_INC(&cfg->base.stats, noproto);
d8caf56eSAndrey V. Elsukov			return (cfg->nomatch_verdict);
d8caf56eSAndrey V. Elsukov		}
d8caf56eSAndrey V. Elsukov		if (addr < cfg->prefix4 || addr > cfg->pmask4) {
782360deSAndrey V. Elsukov			NAT64STAT_INC(&cfg->base.stats, nomatch4);
d8caf56eSAndrey V. Elsukov			return (cfg->nomatch_verdict);
d8caf56eSAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		/* FALLTHROUGH */
d18c1f26SAndrey V. Elsukov	case IPPROTO_TCP:
d18c1f26SAndrey V. Elsukov	case IPPROTO_UDP:
d18c1f26SAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	default:
d18c1f26SAndrey V. Elsukov		NAT64STAT_INC(&cfg->base.stats, noproto);
d18c1f26SAndrey V. Elsukov		return (cfg->nomatch_verdict);
d8caf56eSAndrey V. Elsukov	}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	alias = &ALIAS_BYHASH(cfg, addr);
d18c1f26SAndrey V. Elsukov	MPASS(addr == alias->addr);
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Check that we have state for this port */
d18c1f26SAndrey V. Elsukov	state = nat64lsn_get_state4to6(cfg, alias, f_id->src_ip,
d18c1f26SAndrey V. Elsukov	    port, proto);
d18c1f26SAndrey V. Elsukov	if (state == NULL) {
782360deSAndrey V. Elsukov		NAT64STAT_INC(&cfg->base.stats, nomatch4);
d8caf56eSAndrey V. Elsukov		return (cfg->nomatch_verdict);
d8caf56eSAndrey V. Elsukov	}
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	/* TODO: Check flags to see if we need to do some static mapping */
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Update some state fields if need */
d18c1f26SAndrey V. Elsukov	SET_AGE(ts);
d18c1f26SAndrey V. Elsukov	if (f_id->proto == IPPROTO_TCP)
d18c1f26SAndrey V. Elsukov		flags = convert_tcp_flags(f_id->_flags);
d8caf56eSAndrey V. Elsukov	else
d18c1f26SAndrey V. Elsukov		flags = 0;
d18c1f26SAndrey V. Elsukov	if (state->timestamp != ts)
d18c1f26SAndrey V. Elsukov		state->timestamp = ts;
d18c1f26SAndrey V. Elsukov	if ((state->flags & flags) != flags)
d18c1f26SAndrey V. Elsukov		state->flags |= flags;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	port = htons(state->sport);
d18c1f26SAndrey V. Elsukov	src6 = state->ip6_dst;
d8caf56eSAndrey V. Elsukov
782360deSAndrey V. Elsukov	if (cfg->base.flags & NAT64_LOG) {
d8caf56eSAndrey V. Elsukov		logdata = &loghdr;
d18c1f26SAndrey V. Elsukov		nat64lsn_log(logdata, *mp, AF_INET, state);
d8caf56eSAndrey V. Elsukov	} else
d8caf56eSAndrey V. Elsukov		logdata = NULL;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/*
d18c1f26SAndrey V. Elsukov	 * We already have src6 with embedded address, but it is possible,
d18c1f26SAndrey V. Elsukov	 * that src_ip is different than state->ip_dst, this is why we
d18c1f26SAndrey V. Elsukov	 * do embedding again.
d18c1f26SAndrey V. Elsukov	 */
b11efc1eSAndrey V. Elsukov	nat64_embed_ip4(&src6, cfg->base.plat_plen, htonl(f_id->src_ip));
d18c1f26SAndrey V. Elsukov	ret = nat64_do_handle_ip4(*mp, &src6, &state->host->addr, port,
782360deSAndrey V. Elsukov	    &cfg->base, logdata);
d8caf56eSAndrey V. Elsukov	if (ret == NAT64SKIP)
eed30257SAndrey V. Elsukov		return (cfg->nomatch_verdict);
d18c1f26SAndrey V. Elsukov	if (ret == NAT64RETURN)
d18c1f26SAndrey V. Elsukov		*mp = NULL;
d8caf56eSAndrey V. Elsukov	return (IP_FW_DENY);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov/*
d18c1f26SAndrey V. Elsukov * Check if particular state is stale and should be deleted.
d8caf56eSAndrey V. Elsukov * Return 1 if true, 0 otherwise.
d8caf56eSAndrey V. Elsukov */
d8caf56eSAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_check_state(struct nat64lsn_cfg *cfg, struct nat64lsn_state *state)
d8caf56eSAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	int age, ttl;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* State was marked as stale in previous pass. */
d18c1f26SAndrey V. Elsukov	if (ISSET32(state->flags, NAT64_BIT_STALE))
d18c1f26SAndrey V. Elsukov		return (1);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* State is not yet initialized, it is going to be READY */
d18c1f26SAndrey V. Elsukov	if (!ISSET32(state->flags, NAT64_BIT_READY_IPV4))
d18c1f26SAndrey V. Elsukov		return (0);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	age = GET_AGE(state->timestamp);
d18c1f26SAndrey V. Elsukov	switch (state->proto) {
d18c1f26SAndrey V. Elsukov	case IPPROTO_TCP:
d18c1f26SAndrey V. Elsukov		if (ISSET32(state->flags, NAT64_BIT_TCP_FIN))
d8caf56eSAndrey V. Elsukov			ttl = cfg->st_close_ttl;
d18c1f26SAndrey V. Elsukov		else if (ISSET32(state->flags, NAT64_BIT_TCP_ESTAB))
d8caf56eSAndrey V. Elsukov			ttl = cfg->st_estab_ttl;
d18c1f26SAndrey V. Elsukov		else if (ISSET32(state->flags, NAT64_BIT_TCP_SYN))
d8caf56eSAndrey V. Elsukov			ttl = cfg->st_syn_ttl;
d8caf56eSAndrey V. Elsukov		else
d8caf56eSAndrey V. Elsukov			ttl = cfg->st_syn_ttl;
d8caf56eSAndrey V. Elsukov		if (age > ttl)
d8caf56eSAndrey V. Elsukov			return (1);
d6369c2dSAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	case IPPROTO_UDP:
d6369c2dSAndrey V. Elsukov		if (age > cfg->st_udp_ttl)
d18c1f26SAndrey V. Elsukov			return (1);
d6369c2dSAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	case IPPROTO_ICMP:
d6369c2dSAndrey V. Elsukov		if (age > cfg->st_icmp_ttl)
d18c1f26SAndrey V. Elsukov			return (1);
d6369c2dSAndrey V. Elsukov		break;
d6369c2dSAndrey V. Elsukov	}
d6369c2dSAndrey V. Elsukov	return (0);
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov#define	PGCOUNT_ADD(alias, proto, value)			\
*4a77657cSAndrey V. Elsukov    switch (proto) {						\
*4a77657cSAndrey V. Elsukov    case IPPROTO_TCP: (alias)->tcp_pgcount += (value); break;	\
*4a77657cSAndrey V. Elsukov    case IPPROTO_UDP: (alias)->udp_pgcount += (value); break;	\
*4a77657cSAndrey V. Elsukov    case IPPROTO_ICMP: (alias)->icmp_pgcount += (value); break;	\
*4a77657cSAndrey V. Elsukov    }
*4a77657cSAndrey V. Elsukov#define	PGCOUNT_INC(alias, proto)	PGCOUNT_ADD(alias, proto, 1)
*4a77657cSAndrey V. Elsukov#define	PGCOUNT_DEC(alias, proto)	PGCOUNT_ADD(alias, proto, -1)
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukovstatic inline void
*4a77657cSAndrey V. Elsukovnat64lsn_state_cleanup(struct nat64lsn_state *state)
*4a77657cSAndrey V. Elsukov{
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov	/*
*4a77657cSAndrey V. Elsukov	 * Reset READY flag and wait until it become
*4a77657cSAndrey V. Elsukov	 * safe for translate4.
*4a77657cSAndrey V. Elsukov	 */
*4a77657cSAndrey V. Elsukov	ck_pr_btr_32(&state->flags, NAT64_BIT_READY_IPV4);
*4a77657cSAndrey V. Elsukov	/*
*4a77657cSAndrey V. Elsukov	 * And set STALE flag for deferred deletion in the
*4a77657cSAndrey V. Elsukov	 * next pass of nat64lsn_maintain_pg().
*4a77657cSAndrey V. Elsukov	 */
*4a77657cSAndrey V. Elsukov	ck_pr_bts_32(&state->flags, NAT64_BIT_STALE);
*4a77657cSAndrey V. Elsukov	ck_pr_fence_store();
*4a77657cSAndrey V. Elsukov}
*4a77657cSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_maintain_pg(struct nat64lsn_cfg *cfg, struct nat64lsn_pg *pg)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_state *state;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_host *host;
d18c1f26SAndrey V. Elsukov	uint64_t freemask;
d18c1f26SAndrey V. Elsukov	int c, i, update_age;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	update_age = 0;
d18c1f26SAndrey V. Elsukov	for (c = 0; c < pg->chunks_count; c++) {
d18c1f26SAndrey V. Elsukov		FREEMASK_COPY(pg, c, freemask);
d18c1f26SAndrey V. Elsukov		for (i = 0; i < 64; i++) {
d18c1f26SAndrey V. Elsukov			if (ISSET64(freemask, i))
d18c1f26SAndrey V. Elsukov				continue;
d18c1f26SAndrey V. Elsukov			state = &STATES_CHUNK(pg, c)->state[i];
d18c1f26SAndrey V. Elsukov			if (nat64lsn_check_state(cfg, state) == 0) {
d18c1f26SAndrey V. Elsukov				update_age = 1;
d18c1f26SAndrey V. Elsukov				continue;
d18c1f26SAndrey V. Elsukov			}
d18c1f26SAndrey V. Elsukov			/*
d18c1f26SAndrey V. Elsukov			 * Expire state:
d18c1f26SAndrey V. Elsukov			 * 1. Mark as STALE and unlink from host's hash.
d18c1f26SAndrey V. Elsukov			 * 2. Set bit in freemask.
d18c1f26SAndrey V. Elsukov			 */
d18c1f26SAndrey V. Elsukov			if (ISSET32(state->flags, NAT64_BIT_STALE)) {
d18c1f26SAndrey V. Elsukov				/*
d18c1f26SAndrey V. Elsukov				 * State was marked as STALE in previous
d18c1f26SAndrey V. Elsukov				 * pass. Now it is safe to release it.
d18c1f26SAndrey V. Elsukov				 */
d18c1f26SAndrey V. Elsukov				state->flags = 0;
d18c1f26SAndrey V. Elsukov				ck_pr_fence_store();
d18c1f26SAndrey V. Elsukov				FREEMASK_BTS(pg, c, i);
d18c1f26SAndrey V. Elsukov				NAT64STAT_INC(&cfg->base.stats, sdeleted);
d18c1f26SAndrey V. Elsukov				continue;
d18c1f26SAndrey V. Elsukov			}
d18c1f26SAndrey V. Elsukov			MPASS(state->flags & NAT64_FLAG_READY);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov			host = state->host;
d18c1f26SAndrey V. Elsukov			HOST_LOCK(host);
d18c1f26SAndrey V. Elsukov			CK_SLIST_REMOVE(&STATE_HASH(host, state->hval),
d18c1f26SAndrey V. Elsukov			    state, nat64lsn_state, entries);
*4a77657cSAndrey V. Elsukov			/*
*4a77657cSAndrey V. Elsukov			 * Now translate6 will not use this state.
*4a77657cSAndrey V. Elsukov			 */
d18c1f26SAndrey V. Elsukov			host->states_count--;
d18c1f26SAndrey V. Elsukov			HOST_UNLOCK(host);
*4a77657cSAndrey V. Elsukov			nat64lsn_state_cleanup(state);
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/*
d18c1f26SAndrey V. Elsukov	 * We have some alive states, update timestamp.
d18c1f26SAndrey V. Elsukov	 */
d18c1f26SAndrey V. Elsukov	if (update_age)
d18c1f26SAndrey V. Elsukov		SET_AGE(pg->timestamp);
d18c1f26SAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	if (GET_AGE(pg->timestamp) < cfg->pg_delete_delay)
d8caf56eSAndrey V. Elsukov		return (0);
d18c1f26SAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	return (1);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic void
d18c1f26SAndrey V. Elsukovnat64lsn_expire_portgroups(struct nat64lsn_cfg *cfg,
d18c1f26SAndrey V. Elsukov    struct nat64lsn_pg_slist *portgroups)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_alias *alias;
*4a77657cSAndrey V. Elsukov	struct nat64lsn_pg *pg, *tpg;
d18c1f26SAndrey V. Elsukov	uint32_t *pgmask, *pgidx;
d18c1f26SAndrey V. Elsukov	int i, idx;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	for (i = 0; i < 1 << (32 - cfg->plen4); i++) {
d18c1f26SAndrey V. Elsukov		alias = &cfg->aliases[i];
d18c1f26SAndrey V. Elsukov		CK_SLIST_FOREACH_SAFE(pg, &alias->portgroups, entries, tpg) {
d18c1f26SAndrey V. Elsukov			if (nat64lsn_maintain_pg(cfg, pg) == 0)
d18c1f26SAndrey V. Elsukov				continue;
d18c1f26SAndrey V. Elsukov			/* Always keep first PG */
d18c1f26SAndrey V. Elsukov			if (pg->base_port == NAT64_MIN_PORT)
d18c1f26SAndrey V. Elsukov				continue;
d8caf56eSAndrey V. Elsukov			/*
*4a77657cSAndrey V. Elsukov			 * PG expires in two passes:
*4a77657cSAndrey V. Elsukov			 * 1. Reset bit in pgmask, mark it as DEAD.
*4a77657cSAndrey V. Elsukov			 * 2. Unlink it and schedule for deferred destroying.
d8caf56eSAndrey V. Elsukov			 */
d18c1f26SAndrey V. Elsukov			idx = (pg->base_port - NAT64_MIN_PORT) / 64;
d18c1f26SAndrey V. Elsukov			switch (pg->proto) {
d18c1f26SAndrey V. Elsukov			case IPPROTO_TCP:
d18c1f26SAndrey V. Elsukov				pgmask = alias->tcp_pgmask;
d18c1f26SAndrey V. Elsukov				pgidx = &alias->tcp_pgidx;
d18c1f26SAndrey V. Elsukov				break;
d18c1f26SAndrey V. Elsukov			case IPPROTO_UDP:
d18c1f26SAndrey V. Elsukov				pgmask = alias->udp_pgmask;
d18c1f26SAndrey V. Elsukov				pgidx = &alias->udp_pgidx;
d18c1f26SAndrey V. Elsukov				break;
d18c1f26SAndrey V. Elsukov			case IPPROTO_ICMP:
d18c1f26SAndrey V. Elsukov				pgmask = alias->icmp_pgmask;
d18c1f26SAndrey V. Elsukov				pgidx = &alias->icmp_pgidx;
d18c1f26SAndrey V. Elsukov				break;
d18c1f26SAndrey V. Elsukov			}
*4a77657cSAndrey V. Elsukov			if (pg->flags & NAT64LSN_DEADPG) {
d18c1f26SAndrey V. Elsukov				/* Unlink PG from alias's chain */
d18c1f26SAndrey V. Elsukov				ALIAS_LOCK(alias);
d18c1f26SAndrey V. Elsukov				CK_SLIST_REMOVE(&alias->portgroups, pg,
d18c1f26SAndrey V. Elsukov				    nat64lsn_pg, entries);
*4a77657cSAndrey V. Elsukov				PGCOUNT_DEC(alias, pg->proto);
d18c1f26SAndrey V. Elsukov				ALIAS_UNLOCK(alias);
*4a77657cSAndrey V. Elsukov				/*
*4a77657cSAndrey V. Elsukov				 * Link it to job's chain for deferred
*4a77657cSAndrey V. Elsukov				 * destroying.
*4a77657cSAndrey V. Elsukov				 */
d18c1f26SAndrey V. Elsukov				NAT64STAT_INC(&cfg->base.stats, spgdeleted);
d18c1f26SAndrey V. Elsukov				CK_SLIST_INSERT_HEAD(portgroups, pg, entries);
*4a77657cSAndrey V. Elsukov				continue;
*4a77657cSAndrey V. Elsukov			}
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov			/* Reset the corresponding bit in pgmask array. */
*4a77657cSAndrey V. Elsukov			ck_pr_btr_32(&pgmask[idx / 32], idx % 32);
*4a77657cSAndrey V. Elsukov			pg->flags |= NAT64LSN_DEADPG;
*4a77657cSAndrey V. Elsukov			ck_pr_fence_store();
*4a77657cSAndrey V. Elsukov			/* If last used PG points to this PG, reset it. */
*4a77657cSAndrey V. Elsukov			ck_pr_cas_32(pgidx, idx, 0);
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic void
d18c1f26SAndrey V. Elsukovnat64lsn_expire_hosts(struct nat64lsn_cfg *cfg,
d18c1f26SAndrey V. Elsukov    struct nat64lsn_hosts_slist *hosts)
d8caf56eSAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_host *host, *tmp;
d18c1f26SAndrey V. Elsukov	int i;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	for (i = 0; i < cfg->hosts_hashsize; i++) {
d18c1f26SAndrey V. Elsukov		CK_SLIST_FOREACH_SAFE(host, &cfg->hosts_hash[i],
d18c1f26SAndrey V. Elsukov		    entries, tmp) {
d18c1f26SAndrey V. Elsukov			/* Is host was marked in previous call? */
d18c1f26SAndrey V. Elsukov			if (host->flags & NAT64LSN_DEADHOST) {
*4a77657cSAndrey V. Elsukov				if (host->states_count > 0 ||
*4a77657cSAndrey V. Elsukov				    GET_AGE(host->timestamp) <
*4a77657cSAndrey V. Elsukov				    cfg->host_delete_delay) {
d18c1f26SAndrey V. Elsukov					host->flags &= ~NAT64LSN_DEADHOST;
d18c1f26SAndrey V. Elsukov					continue;
d18c1f26SAndrey V. Elsukov				}
d18c1f26SAndrey V. Elsukov				/*
d18c1f26SAndrey V. Elsukov				 * Unlink host from hash table and schedule
d18c1f26SAndrey V. Elsukov				 * it for deferred destroying.
d18c1f26SAndrey V. Elsukov				 */
d18c1f26SAndrey V. Elsukov				CFG_LOCK(cfg);
d18c1f26SAndrey V. Elsukov				CK_SLIST_REMOVE(&cfg->hosts_hash[i], host,
d18c1f26SAndrey V. Elsukov				    nat64lsn_host, entries);
d18c1f26SAndrey V. Elsukov				cfg->hosts_count--;
d18c1f26SAndrey V. Elsukov				CFG_UNLOCK(cfg);
d18c1f26SAndrey V. Elsukov				CK_SLIST_INSERT_HEAD(hosts, host, entries);
d18c1f26SAndrey V. Elsukov				continue;
d18c1f26SAndrey V. Elsukov			}
*4a77657cSAndrey V. Elsukov			if (host->states_count > 0 ||
*4a77657cSAndrey V. Elsukov			    GET_AGE(host->timestamp) < cfg->host_delete_delay)
d18c1f26SAndrey V. Elsukov				continue;
d18c1f26SAndrey V. Elsukov			/* Mark host as going to be expired in next pass */
d18c1f26SAndrey V. Elsukov			host->flags |= NAT64LSN_DEADHOST;
d18c1f26SAndrey V. Elsukov			ck_pr_fence_store();
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov	}
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic struct nat64lsn_pgchunk*
d18c1f26SAndrey V. Elsukovnat64lsn_expire_pgchunk(struct nat64lsn_cfg *cfg)
d8caf56eSAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov#if 0
d18c1f26SAndrey V. Elsukov	struct nat64lsn_alias *alias;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_pgchunk *chunk;
d18c1f26SAndrey V. Elsukov	uint32_t pgmask;
d18c1f26SAndrey V. Elsukov	int i, c;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	for (i = 0; i < 1 << (32 - cfg->plen4); i++) {
d18c1f26SAndrey V. Elsukov		alias = &cfg->aliases[i];
d18c1f26SAndrey V. Elsukov		if (GET_AGE(alias->timestamp) < cfg->pgchunk_delete_delay)
d6369c2dSAndrey V. Elsukov			continue;
d18c1f26SAndrey V. Elsukov		/* Always keep single chunk allocated */
d18c1f26SAndrey V. Elsukov		for (c = 1; c < 32; c++) {
d18c1f26SAndrey V. Elsukov			if ((alias->tcp_chunkmask & (1 << c)) == 0)
d18c1f26SAndrey V. Elsukov				break;
d18c1f26SAndrey V. Elsukov			chunk = ck_pr_load_ptr(&alias->tcp[c]);
d18c1f26SAndrey V. Elsukov			if (ck_pr_load_32(&alias->tcp_pgmask[c]) != 0)
d6369c2dSAndrey V. Elsukov				continue;
d18c1f26SAndrey V. Elsukov			ck_pr_btr_32(&alias->tcp_chunkmask, c);
d18c1f26SAndrey V. Elsukov			ck_pr_fence_load();
d18c1f26SAndrey V. Elsukov			if (ck_pr_load_32(&alias->tcp_pgmask[c]) != 0)
d18c1f26SAndrey V. Elsukov				continue;
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov#endif
d18c1f26SAndrey V. Elsukov	return (NULL);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov#if 0
d18c1f26SAndrey V. Elsukovstatic void
d18c1f26SAndrey V. Elsukovnat64lsn_maintain_hosts(struct nat64lsn_cfg *cfg)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_host *h;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_states_slist *hash;
d18c1f26SAndrey V. Elsukov	int i, j, hsize;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	for (i = 0; i < cfg->hosts_hashsize; i++) {
d18c1f26SAndrey V. Elsukov		CK_SLIST_FOREACH(h, &cfg->hosts_hash[i], entries) {
d18c1f26SAndrey V. Elsukov			 if (h->states_count / 2 < h->states_hashsize ||
d18c1f26SAndrey V. Elsukov			     h->states_hashsize >= NAT64LSN_MAX_HSIZE)
d18c1f26SAndrey V. Elsukov				 continue;
d18c1f26SAndrey V. Elsukov			 hsize = h->states_hashsize * 2;
d18c1f26SAndrey V. Elsukov			 hash = malloc(sizeof(*hash)* hsize, M_NOWAIT);
d18c1f26SAndrey V. Elsukov			 if (hash == NULL)
d18c1f26SAndrey V. Elsukov				 continue;
d18c1f26SAndrey V. Elsukov			 for (j = 0; j < hsize; j++)
d18c1f26SAndrey V. Elsukov				CK_SLIST_INIT(&hash[i]);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov			 ck_pr_bts_32(&h->flags, NAT64LSN_GROWHASH);
d6369c2dSAndrey V. Elsukov		}
d8caf56eSAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov#endif
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov/*
*4a77657cSAndrey V. Elsukov * This procedure is used to perform various maintance
d18c1f26SAndrey V. Elsukov * on dynamic hash list. Currently it is called every 4 seconds.
d8caf56eSAndrey V. Elsukov */
d8caf56eSAndrey V. Elsukovstatic void
d8caf56eSAndrey V. Elsukovnat64lsn_periodic(void *data)
d8caf56eSAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_job_item *ji;
d8caf56eSAndrey V. Elsukov	struct nat64lsn_cfg *cfg;
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	cfg = (struct nat64lsn_cfg *) data;
d8caf56eSAndrey V. Elsukov	CURVNET_SET(cfg->vp);
d18c1f26SAndrey V. Elsukov	if (cfg->hosts_count > 0) {
d18c1f26SAndrey V. Elsukov		ji = uma_zalloc(nat64lsn_job_zone, M_NOWAIT);
d18c1f26SAndrey V. Elsukov		if (ji != NULL) {
d18c1f26SAndrey V. Elsukov			ji->jtype = JTYPE_DESTROY;
d18c1f26SAndrey V. Elsukov			CK_SLIST_INIT(&ji->hosts);
d18c1f26SAndrey V. Elsukov			CK_SLIST_INIT(&ji->portgroups);
d18c1f26SAndrey V. Elsukov			nat64lsn_expire_hosts(cfg, &ji->hosts);
d18c1f26SAndrey V. Elsukov			nat64lsn_expire_portgroups(cfg, &ji->portgroups);
d18c1f26SAndrey V. Elsukov			ji->pgchunk = nat64lsn_expire_pgchunk(cfg);
d18c1f26SAndrey V. Elsukov			NAT64LSN_EPOCH_CALL(&ji->epoch_ctx,
d18c1f26SAndrey V. Elsukov			    nat64lsn_job_destroy);
d18c1f26SAndrey V. Elsukov		} else
d18c1f26SAndrey V. Elsukov			NAT64STAT_INC(&cfg->base.stats, jnomem);
d18c1f26SAndrey V. Elsukov	}
d8caf56eSAndrey V. Elsukov	callout_schedule(&cfg->periodic, hz * PERIODIC_DELAY);
d8caf56eSAndrey V. Elsukov	CURVNET_RESTORE();
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov#define	ALLOC_ERROR(stage, type)	((stage) ? 10 * (type) + (stage): 0)
d18c1f26SAndrey V. Elsukov#define	HOST_ERROR(stage)		ALLOC_ERROR(stage, 1)
d18c1f26SAndrey V. Elsukov#define	PG_ERROR(stage)			ALLOC_ERROR(stage, 2)
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_alloc_host(struct nat64lsn_cfg *cfg, struct nat64lsn_job_item *ji)
d8caf56eSAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	char a[INET6_ADDRSTRLEN];
d18c1f26SAndrey V. Elsukov	struct nat64lsn_aliaslink *link;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_host *host;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_state *state;
d18c1f26SAndrey V. Elsukov	uint32_t hval, data[2];
d18c1f26SAndrey V. Elsukov	int i;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Check that host was not yet added. */
d18c1f26SAndrey V. Elsukov	NAT64LSN_EPOCH_ASSERT();
d18c1f26SAndrey V. Elsukov	CK_SLIST_FOREACH(host, &HOSTS(cfg, ji->src6_hval), entries) {
d18c1f26SAndrey V. Elsukov		if (IN6_ARE_ADDR_EQUAL(&ji->f_id.src_ip6, &host->addr)) {
d18c1f26SAndrey V. Elsukov			/* The host was allocated in previous call. */
d18c1f26SAndrey V. Elsukov			ji->host = host;
d18c1f26SAndrey V. Elsukov			goto get_state;
d18c1f26SAndrey V. Elsukov		}
d7a1cf06SAndrey V. Elsukov	}
d7a1cf06SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	host = ji->host = uma_zalloc(nat64lsn_host_zone, M_NOWAIT);
d18c1f26SAndrey V. Elsukov	if (ji->host == NULL)
d18c1f26SAndrey V. Elsukov		return (HOST_ERROR(1));
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	host->states_hashsize = NAT64LSN_HSIZE;
d18c1f26SAndrey V. Elsukov	host->states_hash = malloc(sizeof(struct nat64lsn_states_slist) *
d18c1f26SAndrey V. Elsukov	    host->states_hashsize, M_NAT64LSN, M_NOWAIT);
d18c1f26SAndrey V. Elsukov	if (host->states_hash == NULL) {
d18c1f26SAndrey V. Elsukov		uma_zfree(nat64lsn_host_zone, host);
d18c1f26SAndrey V. Elsukov		return (HOST_ERROR(2));
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	link = uma_zalloc(nat64lsn_aliaslink_zone, M_NOWAIT);
d18c1f26SAndrey V. Elsukov	if (link == NULL) {
d18c1f26SAndrey V. Elsukov		free(host->states_hash, M_NAT64LSN);
d18c1f26SAndrey V. Elsukov		uma_zfree(nat64lsn_host_zone, host);
d18c1f26SAndrey V. Elsukov		return (HOST_ERROR(3));
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Initialize */
d18c1f26SAndrey V. Elsukov	HOST_LOCK_INIT(host);
d18c1f26SAndrey V. Elsukov	SET_AGE(host->timestamp);
d18c1f26SAndrey V. Elsukov	host->addr = ji->f_id.src_ip6;
d18c1f26SAndrey V. Elsukov	host->hval = ji->src6_hval;
d18c1f26SAndrey V. Elsukov	host->flags = 0;
d18c1f26SAndrey V. Elsukov	host->states_count = 0;
d18c1f26SAndrey V. Elsukov	CK_SLIST_INIT(&host->aliases);
d18c1f26SAndrey V. Elsukov	for (i = 0; i < host->states_hashsize; i++)
d18c1f26SAndrey V. Elsukov		CK_SLIST_INIT(&host->states_hash[i]);
d18c1f26SAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov	link->alias = nat64lsn_get_alias(cfg, &ji->f_id);
d18c1f26SAndrey V. Elsukov	CK_SLIST_INSERT_HEAD(&host->aliases, link, host_entries);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	ALIAS_LOCK(link->alias);
d18c1f26SAndrey V. Elsukov	CK_SLIST_INSERT_HEAD(&link->alias->hosts, link, alias_entries);
d18c1f26SAndrey V. Elsukov	link->alias->hosts_count++;
d18c1f26SAndrey V. Elsukov	ALIAS_UNLOCK(link->alias);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	CFG_LOCK(cfg);
d18c1f26SAndrey V. Elsukov	CK_SLIST_INSERT_HEAD(&HOSTS(cfg, ji->src6_hval), host, entries);
d18c1f26SAndrey V. Elsukov	cfg->hosts_count++;
d18c1f26SAndrey V. Elsukov	CFG_UNLOCK(cfg);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovget_state:
d18c1f26SAndrey V. Elsukov	data[0] = ji->faddr;
d18c1f26SAndrey V. Elsukov	data[1] = (ji->f_id.dst_port << 16) | ji->port;
d18c1f26SAndrey V. Elsukov	ji->state_hval = hval = STATE_HVAL(cfg, data);
d18c1f26SAndrey V. Elsukov	state = nat64lsn_get_state6to4(cfg, host, &ji->f_id, hval,
d18c1f26SAndrey V. Elsukov	    ji->faddr, ji->port, ji->proto);
d7a1cf06SAndrey V. Elsukov	/*
d18c1f26SAndrey V. Elsukov	 * We failed to obtain new state, used alias needs new PG.
d18c1f26SAndrey V. Elsukov	 * XXX: or another alias should be used.
d7a1cf06SAndrey V. Elsukov	 */
d18c1f26SAndrey V. Elsukov	if (state == NULL) {
d18c1f26SAndrey V. Elsukov		/* Try to allocate new PG */
d18c1f26SAndrey V. Elsukov		if (nat64lsn_alloc_pg(cfg, ji) != PG_ERROR(0))
d18c1f26SAndrey V. Elsukov			return (HOST_ERROR(4));
d18c1f26SAndrey V. Elsukov		/* We assume that nat64lsn_alloc_pg() got state */
d18c1f26SAndrey V. Elsukov	} else
d18c1f26SAndrey V. Elsukov		ji->state = state;
d7a1cf06SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	ji->done = 1;
d18c1f26SAndrey V. Elsukov	DPRINTF(DP_OBJ, "ALLOC HOST %s %p",
d18c1f26SAndrey V. Elsukov	    inet_ntop(AF_INET6, &host->addr, a, sizeof(a)), host);
d18c1f26SAndrey V. Elsukov	return (HOST_ERROR(0));
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_find_pg_place(uint32_t *data)
d8caf56eSAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	int i;
d7a1cf06SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	for (i = 0; i < 32; i++) {
d18c1f26SAndrey V. Elsukov		if (~data[i] == 0)
d18c1f26SAndrey V. Elsukov			continue;
d18c1f26SAndrey V. Elsukov		return (i * 32 + ffs(~data[i]) - 1);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	return (-1);
d6369c2dSAndrey V. Elsukov}
d6369c2dSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_alloc_proto_pg(struct nat64lsn_cfg *cfg,
*4a77657cSAndrey V. Elsukov    struct nat64lsn_alias *alias, uint32_t *chunkmask, uint32_t *pgmask,
*4a77657cSAndrey V. Elsukov    struct nat64lsn_pgchunk **chunks, uint32_t *pgidx, uint8_t proto)
d6369c2dSAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_pg *pg;
d18c1f26SAndrey V. Elsukov	int i, pg_idx, chunk_idx;
d6369c2dSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Find place in pgchunk where PG can be added */
d18c1f26SAndrey V. Elsukov	pg_idx = nat64lsn_find_pg_place(pgmask);
d18c1f26SAndrey V. Elsukov	if (pg_idx < 0)	/* no more PGs */
d18c1f26SAndrey V. Elsukov		return (PG_ERROR(1));
d18c1f26SAndrey V. Elsukov	/* Check that we have allocated pgchunk for given PG index */
d18c1f26SAndrey V. Elsukov	chunk_idx = pg_idx / 32;
d18c1f26SAndrey V. Elsukov	if (!ISSET32(*chunkmask, chunk_idx)) {
d18c1f26SAndrey V. Elsukov		chunks[chunk_idx] = uma_zalloc(nat64lsn_pgchunk_zone,
d18c1f26SAndrey V. Elsukov		    M_NOWAIT);
d18c1f26SAndrey V. Elsukov		if (chunks[chunk_idx] == NULL)
d18c1f26SAndrey V. Elsukov			return (PG_ERROR(2));
d18c1f26SAndrey V. Elsukov		ck_pr_bts_32(chunkmask, chunk_idx);
d18c1f26SAndrey V. Elsukov		ck_pr_fence_store();
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	/* Allocate PG and states chunks */
d6369c2dSAndrey V. Elsukov	pg = uma_zalloc(nat64lsn_pg_zone, M_NOWAIT);
d6369c2dSAndrey V. Elsukov	if (pg == NULL)
d18c1f26SAndrey V. Elsukov		return (PG_ERROR(3));
d18c1f26SAndrey V. Elsukov	pg->chunks_count = cfg->states_chunks;
d18c1f26SAndrey V. Elsukov	if (pg->chunks_count > 1) {
d18c1f26SAndrey V. Elsukov		pg->freemask_chunk = malloc(pg->chunks_count *
d18c1f26SAndrey V. Elsukov		    sizeof(uint64_t), M_NAT64LSN, M_NOWAIT);
d18c1f26SAndrey V. Elsukov		if (pg->freemask_chunk == NULL) {
d18c1f26SAndrey V. Elsukov			uma_zfree(nat64lsn_pg_zone, pg);
d18c1f26SAndrey V. Elsukov			return (PG_ERROR(4));
d6369c2dSAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		pg->states_chunk = malloc(pg->chunks_count *
d18c1f26SAndrey V. Elsukov		    sizeof(struct nat64lsn_states_chunk *), M_NAT64LSN,
d18c1f26SAndrey V. Elsukov		    M_NOWAIT | M_ZERO);
d18c1f26SAndrey V. Elsukov		if (pg->states_chunk == NULL) {
d18c1f26SAndrey V. Elsukov			free(pg->freemask_chunk, M_NAT64LSN);
d18c1f26SAndrey V. Elsukov			uma_zfree(nat64lsn_pg_zone, pg);
d18c1f26SAndrey V. Elsukov			return (PG_ERROR(5));
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		for (i = 0; i < pg->chunks_count; i++) {
d18c1f26SAndrey V. Elsukov			pg->states_chunk[i] = uma_zalloc(
d18c1f26SAndrey V. Elsukov			    nat64lsn_state_zone, M_NOWAIT);
d18c1f26SAndrey V. Elsukov			if (pg->states_chunk[i] == NULL)
d18c1f26SAndrey V. Elsukov				goto states_failed;
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		memset(pg->freemask_chunk, 0xff,
d18c1f26SAndrey V. Elsukov		    sizeof(uint64_t) * pg->chunks_count);
d18c1f26SAndrey V. Elsukov	} else {
d18c1f26SAndrey V. Elsukov		pg->states = uma_zalloc(nat64lsn_state_zone, M_NOWAIT);
d18c1f26SAndrey V. Elsukov		if (pg->states == NULL) {
d18c1f26SAndrey V. Elsukov			uma_zfree(nat64lsn_pg_zone, pg);
d18c1f26SAndrey V. Elsukov			return (PG_ERROR(6));
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		memset(&pg->freemask64, 0xff, sizeof(uint64_t));
d18c1f26SAndrey V. Elsukov	}
d6369c2dSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Initialize PG and hook it to pgchunk */
d18c1f26SAndrey V. Elsukov	SET_AGE(pg->timestamp);
*4a77657cSAndrey V. Elsukov	pg->flags = 0;
d18c1f26SAndrey V. Elsukov	pg->proto = proto;
d18c1f26SAndrey V. Elsukov	pg->base_port = NAT64_MIN_PORT + 64 * pg_idx;
d18c1f26SAndrey V. Elsukov	ck_pr_store_ptr(&chunks[chunk_idx]->pgptr[pg_idx % 32], pg);
d18c1f26SAndrey V. Elsukov	ck_pr_fence_store();
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov	/* Set bit in pgmask and set index of last used PG */
*4a77657cSAndrey V. Elsukov	ck_pr_bts_32(&pgmask[chunk_idx], pg_idx % 32);
*4a77657cSAndrey V. Elsukov	ck_pr_store_32(pgidx, pg_idx);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	ALIAS_LOCK(alias);
d18c1f26SAndrey V. Elsukov	CK_SLIST_INSERT_HEAD(&alias->portgroups, pg, entries);
d18c1f26SAndrey V. Elsukov	SET_AGE(alias->timestamp);
*4a77657cSAndrey V. Elsukov	PGCOUNT_INC(alias, proto);
d18c1f26SAndrey V. Elsukov	ALIAS_UNLOCK(alias);
d18c1f26SAndrey V. Elsukov	NAT64STAT_INC(&cfg->base.stats, spgcreated);
d18c1f26SAndrey V. Elsukov	return (PG_ERROR(0));
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstates_failed:
d18c1f26SAndrey V. Elsukov	for (i = 0; i < pg->chunks_count; i++)
d18c1f26SAndrey V. Elsukov		uma_zfree(nat64lsn_state_zone, pg->states_chunk[i]);
d18c1f26SAndrey V. Elsukov	free(pg->freemask_chunk, M_NAT64LSN);
d18c1f26SAndrey V. Elsukov	free(pg->states_chunk, M_NAT64LSN);
d18c1f26SAndrey V. Elsukov	uma_zfree(nat64lsn_pg_zone, pg);
d18c1f26SAndrey V. Elsukov	return (PG_ERROR(7));
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_alloc_pg(struct nat64lsn_cfg *cfg, struct nat64lsn_job_item *ji)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_aliaslink *link;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_alias *alias;
d18c1f26SAndrey V. Elsukov	int ret;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	link = nat64lsn_get_aliaslink(cfg, ji->host, &ji->f_id);
d18c1f26SAndrey V. Elsukov	if (link == NULL)
d18c1f26SAndrey V. Elsukov		return (PG_ERROR(1));
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/*
d18c1f26SAndrey V. Elsukov	 * TODO: check that we did not already allocated PG in
d18c1f26SAndrey V. Elsukov	 *	 previous call.
d18c1f26SAndrey V. Elsukov	 */
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	ret = 0;
d18c1f26SAndrey V. Elsukov	alias = link->alias;
d18c1f26SAndrey V. Elsukov	/* Find place in pgchunk where PG can be added */
d18c1f26SAndrey V. Elsukov	switch (ji->proto) {
d18c1f26SAndrey V. Elsukov	case IPPROTO_TCP:
d18c1f26SAndrey V. Elsukov		ret = nat64lsn_alloc_proto_pg(cfg, alias,
d18c1f26SAndrey V. Elsukov		    &alias->tcp_chunkmask, alias->tcp_pgmask,
*4a77657cSAndrey V. Elsukov		    alias->tcp, &alias->tcp_pgidx, ji->proto);
d18c1f26SAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	case IPPROTO_UDP:
d18c1f26SAndrey V. Elsukov		ret = nat64lsn_alloc_proto_pg(cfg, alias,
d18c1f26SAndrey V. Elsukov		    &alias->udp_chunkmask, alias->udp_pgmask,
*4a77657cSAndrey V. Elsukov		    alias->udp, &alias->udp_pgidx, ji->proto);
d18c1f26SAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	case IPPROTO_ICMP:
d18c1f26SAndrey V. Elsukov		ret = nat64lsn_alloc_proto_pg(cfg, alias,
d18c1f26SAndrey V. Elsukov		    &alias->icmp_chunkmask, alias->icmp_pgmask,
*4a77657cSAndrey V. Elsukov		    alias->icmp, &alias->icmp_pgidx, ji->proto);
d18c1f26SAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	default:
d18c1f26SAndrey V. Elsukov		panic("%s: wrong proto %d", __func__, ji->proto);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	if (ret == PG_ERROR(1)) {
d18c1f26SAndrey V. Elsukov		/*
d18c1f26SAndrey V. Elsukov		 * PG_ERROR(1) means that alias lacks free PGs
d18c1f26SAndrey V. Elsukov		 * XXX: try next alias.
d18c1f26SAndrey V. Elsukov		 */
d18c1f26SAndrey V. Elsukov		printf("NAT64LSN: %s: failed to obtain PG\n",
d18c1f26SAndrey V. Elsukov		    __func__);
d18c1f26SAndrey V. Elsukov		return (ret);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	if (ret == PG_ERROR(0)) {
d18c1f26SAndrey V. Elsukov		ji->state = nat64lsn_get_state6to4(cfg, ji->host, &ji->f_id,
d18c1f26SAndrey V. Elsukov		    ji->state_hval, ji->faddr, ji->port, ji->proto);
d18c1f26SAndrey V. Elsukov		if (ji->state == NULL)
d18c1f26SAndrey V. Elsukov			ret = PG_ERROR(8);
d18c1f26SAndrey V. Elsukov		else
d18c1f26SAndrey V. Elsukov			ji->done = 1;
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	return (ret);
d6369c2dSAndrey V. Elsukov}
d6369c2dSAndrey V. Elsukov
d6369c2dSAndrey V. Elsukovstatic void
d6369c2dSAndrey V. Elsukovnat64lsn_do_request(void *data)
d6369c2dSAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct epoch_tracker et;
d6369c2dSAndrey V. Elsukov	struct nat64lsn_job_head jhead;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_job_item *ji, *ji2;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_cfg *cfg;
d18c1f26SAndrey V. Elsukov	int jcount;
d18c1f26SAndrey V. Elsukov	uint8_t flags;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	cfg = (struct nat64lsn_cfg *)data;
d18c1f26SAndrey V. Elsukov	if (cfg->jlen == 0)
d18c1f26SAndrey V. Elsukov		return;
d6369c2dSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	CURVNET_SET(cfg->vp);
d18c1f26SAndrey V. Elsukov	STAILQ_INIT(&jhead);
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	/* Grab queue */
d8caf56eSAndrey V. Elsukov	JQUEUE_LOCK();
d18c1f26SAndrey V. Elsukov	STAILQ_SWAP(&jhead, &cfg->jhead, nat64lsn_job_item);
d8caf56eSAndrey V. Elsukov	jcount = cfg->jlen;
d8caf56eSAndrey V. Elsukov	cfg->jlen = 0;
d8caf56eSAndrey V. Elsukov	JQUEUE_UNLOCK();
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* TODO: check if we need to resize hash */
d8caf56eSAndrey V. Elsukov
782360deSAndrey V. Elsukov	NAT64STAT_INC(&cfg->base.stats, jcalls);
d8caf56eSAndrey V. Elsukov	DPRINTF(DP_JQUEUE, "count=%d", jcount);
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	/*
d8caf56eSAndrey V. Elsukov	 * TODO:
d8caf56eSAndrey V. Elsukov	 * What we should do here is to build a hash
d8caf56eSAndrey V. Elsukov	 * to ensure we don't have lots of duplicate requests.
d8caf56eSAndrey V. Elsukov	 * Skip this for now.
d8caf56eSAndrey V. Elsukov	 *
d8caf56eSAndrey V. Elsukov	 * TODO: Limit per-call number of items
d8caf56eSAndrey V. Elsukov	 */
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	NAT64LSN_EPOCH_ENTER(et);
d18c1f26SAndrey V. Elsukov	STAILQ_FOREACH(ji, &jhead, entries) {
d8caf56eSAndrey V. Elsukov		switch (ji->jtype) {
d8caf56eSAndrey V. Elsukov		case JTYPE_NEWHOST:
d18c1f26SAndrey V. Elsukov			if (nat64lsn_alloc_host(cfg, ji) != HOST_ERROR(0))
d18c1f26SAndrey V. Elsukov				NAT64STAT_INC(&cfg->base.stats, jhostfails);
d8caf56eSAndrey V. Elsukov			break;
d8caf56eSAndrey V. Elsukov		case JTYPE_NEWPORTGROUP:
d18c1f26SAndrey V. Elsukov			if (nat64lsn_alloc_pg(cfg, ji) != PG_ERROR(0))
d18c1f26SAndrey V. Elsukov				NAT64STAT_INC(&cfg->base.stats, jportfails);
d8caf56eSAndrey V. Elsukov			break;
d8caf56eSAndrey V. Elsukov		default:
d18c1f26SAndrey V. Elsukov			continue;
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		if (ji->done != 0) {
d18c1f26SAndrey V. Elsukov			flags = ji->proto != IPPROTO_TCP ? 0 :
d18c1f26SAndrey V. Elsukov			    convert_tcp_flags(ji->f_id._flags);
d18c1f26SAndrey V. Elsukov			nat64lsn_translate6_internal(cfg, &ji->m,
d18c1f26SAndrey V. Elsukov			    ji->state, flags);
d18c1f26SAndrey V. Elsukov			NAT64STAT_INC(&cfg->base.stats, jreinjected);
d8caf56eSAndrey V. Elsukov		}
d8caf56eSAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	NAT64LSN_EPOCH_EXIT(et);
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	ji = STAILQ_FIRST(&jhead);
d18c1f26SAndrey V. Elsukov	while (ji != NULL) {
d18c1f26SAndrey V. Elsukov		ji2 = STAILQ_NEXT(ji, entries);
d8caf56eSAndrey V. Elsukov		/*
d18c1f26SAndrey V. Elsukov		 * In any case we must free mbuf if
d18c1f26SAndrey V. Elsukov		 * translator did not consumed it.
d8caf56eSAndrey V. Elsukov		 */
d18c1f26SAndrey V. Elsukov		m_freem(ji->m);
d18c1f26SAndrey V. Elsukov		uma_zfree(nat64lsn_job_zone, ji);
d18c1f26SAndrey V. Elsukov		ji = ji2;
d8caf56eSAndrey V. Elsukov	}
d8caf56eSAndrey V. Elsukov	CURVNET_RESTORE();
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic struct nat64lsn_job_item *
d18c1f26SAndrey V. Elsukovnat64lsn_create_job(struct nat64lsn_cfg *cfg, int jtype)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov	struct nat64lsn_job_item *ji;
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	/*
d18c1f26SAndrey V. Elsukov	 * Do not try to lock possibly contested mutex if we're near the
d18c1f26SAndrey V. Elsukov	 * limit. Drop packet instead.
d8caf56eSAndrey V. Elsukov	 */
d18c1f26SAndrey V. Elsukov	ji = NULL;
d18c1f26SAndrey V. Elsukov	if (cfg->jlen >= cfg->jmaxlen)
782360deSAndrey V. Elsukov		NAT64STAT_INC(&cfg->base.stats, jmaxlen);
d18c1f26SAndrey V. Elsukov	else {
d18c1f26SAndrey V. Elsukov		ji = uma_zalloc(nat64lsn_job_zone, M_NOWAIT);
d18c1f26SAndrey V. Elsukov		if (ji == NULL)
d6369c2dSAndrey V. Elsukov			NAT64STAT_INC(&cfg->base.stats, jnomem);
d8caf56eSAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	if (ji == NULL) {
d18c1f26SAndrey V. Elsukov		NAT64STAT_INC(&cfg->base.stats, dropped);
d18c1f26SAndrey V. Elsukov		DPRINTF(DP_DROPS, "failed to create job");
d18c1f26SAndrey V. Elsukov	} else {
d6369c2dSAndrey V. Elsukov		ji->jtype = jtype;
d18c1f26SAndrey V. Elsukov		ji->done = 0;
d6369c2dSAndrey V. Elsukov	}
d8caf56eSAndrey V. Elsukov	return (ji);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic void
d8caf56eSAndrey V. Elsukovnat64lsn_enqueue_job(struct nat64lsn_cfg *cfg, struct nat64lsn_job_item *ji)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	JQUEUE_LOCK();
d18c1f26SAndrey V. Elsukov	STAILQ_INSERT_TAIL(&cfg->jhead, ji, entries);
d6369c2dSAndrey V. Elsukov	NAT64STAT_INC(&cfg->base.stats, jrequests);
d18c1f26SAndrey V. Elsukov	cfg->jlen++;
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	if (callout_pending(&cfg->jcallout) == 0)
d8caf56eSAndrey V. Elsukov		callout_reset(&cfg->jcallout, 1, nat64lsn_do_request, cfg);
d8caf56eSAndrey V. Elsukov	JQUEUE_UNLOCK();
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov/*
*4a77657cSAndrey V. Elsukov * This function is used to clean up the result of less likely possible
*4a77657cSAndrey V. Elsukov * race condition, when host object was deleted, but some translation
*4a77657cSAndrey V. Elsukov * state was created before it is destroyed.
*4a77657cSAndrey V. Elsukov *
*4a77657cSAndrey V. Elsukov * Since the state expiration removes state from host's hash table,
*4a77657cSAndrey V. Elsukov * we need to be sure, that there will not any states, that are linked
*4a77657cSAndrey V. Elsukov * with this host entry.
*4a77657cSAndrey V. Elsukov */
*4a77657cSAndrey V. Elsukovstatic void
*4a77657cSAndrey V. Elsukovnat64lsn_host_cleanup(struct nat64lsn_host *host)
*4a77657cSAndrey V. Elsukov{
*4a77657cSAndrey V. Elsukov	struct nat64lsn_state *state, *ts;
*4a77657cSAndrey V. Elsukov	int i;
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov	printf("NAT64LSN: %s: race condition has been detected for host %p\n",
*4a77657cSAndrey V. Elsukov	    __func__, host);
*4a77657cSAndrey V. Elsukov	for (i = 0; i < host->states_hashsize; i++) {
*4a77657cSAndrey V. Elsukov		CK_SLIST_FOREACH_SAFE(state, &host->states_hash[i],
*4a77657cSAndrey V. Elsukov		    entries, ts) {
*4a77657cSAndrey V. Elsukov			/*
*4a77657cSAndrey V. Elsukov			 * We can remove the state without lock,
*4a77657cSAndrey V. Elsukov			 * because this host entry is unlinked and will
*4a77657cSAndrey V. Elsukov			 * be destroyed.
*4a77657cSAndrey V. Elsukov			 */
*4a77657cSAndrey V. Elsukov			CK_SLIST_REMOVE(&host->states_hash[i], state,
*4a77657cSAndrey V. Elsukov			    nat64lsn_state, entries);
*4a77657cSAndrey V. Elsukov			host->states_count--;
*4a77657cSAndrey V. Elsukov			nat64lsn_state_cleanup(state);
*4a77657cSAndrey V. Elsukov		}
*4a77657cSAndrey V. Elsukov	}
*4a77657cSAndrey V. Elsukov	MPASS(host->states_count == 0);
*4a77657cSAndrey V. Elsukov}
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov/*
*4a77657cSAndrey V. Elsukov * This function is used to clean up the result of less likely possible
*4a77657cSAndrey V. Elsukov * race condition, when portgroup was deleted, but some translation state
*4a77657cSAndrey V. Elsukov * was created before it is destroyed.
*4a77657cSAndrey V. Elsukov *
*4a77657cSAndrey V. Elsukov * Since states entries are accessible via host's hash table, we need
*4a77657cSAndrey V. Elsukov * to be sure, that there will not any states from this PG, that are
*4a77657cSAndrey V. Elsukov * linked with any host entries.
*4a77657cSAndrey V. Elsukov */
*4a77657cSAndrey V. Elsukovstatic void
*4a77657cSAndrey V. Elsukovnat64lsn_pg_cleanup(struct nat64lsn_pg *pg)
*4a77657cSAndrey V. Elsukov{
*4a77657cSAndrey V. Elsukov	struct nat64lsn_state *state;
*4a77657cSAndrey V. Elsukov	uint64_t usedmask;
*4a77657cSAndrey V. Elsukov	int c, i;
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov	printf("NAT64LSN: %s: race condition has been detected for pg %p\n",
*4a77657cSAndrey V. Elsukov	    __func__, pg);
*4a77657cSAndrey V. Elsukov	for (c = 0; c < pg->chunks_count; c++) {
*4a77657cSAndrey V. Elsukov		/*
*4a77657cSAndrey V. Elsukov		 * Use inverted freemask to find what state was created.
*4a77657cSAndrey V. Elsukov		 */
*4a77657cSAndrey V. Elsukov		usedmask = ~(*FREEMASK_CHUNK(pg, c));
*4a77657cSAndrey V. Elsukov		if (usedmask == 0)
*4a77657cSAndrey V. Elsukov			continue;
*4a77657cSAndrey V. Elsukov		for (i = 0; i < 64; i++) {
*4a77657cSAndrey V. Elsukov			if (!ISSET64(usedmask, i))
*4a77657cSAndrey V. Elsukov				continue;
*4a77657cSAndrey V. Elsukov			state = &STATES_CHUNK(pg, c)->state[i];
*4a77657cSAndrey V. Elsukov			/*
*4a77657cSAndrey V. Elsukov			 * If we have STALE bit, this means that state
*4a77657cSAndrey V. Elsukov			 * is already unlinked from host's hash table.
*4a77657cSAndrey V. Elsukov			 * Thus we can just reset the bit in mask and
*4a77657cSAndrey V. Elsukov			 * schedule destroying in the next epoch call.
*4a77657cSAndrey V. Elsukov			 */
*4a77657cSAndrey V. Elsukov			if (ISSET32(state->flags, NAT64_BIT_STALE)) {
*4a77657cSAndrey V. Elsukov				FREEMASK_BTS(pg, c, i);
*4a77657cSAndrey V. Elsukov				continue;
*4a77657cSAndrey V. Elsukov			}
*4a77657cSAndrey V. Elsukov			/*
*4a77657cSAndrey V. Elsukov			 * There is  small window, when we have bit
*4a77657cSAndrey V. Elsukov			 * grabbed from freemask, but state is not yet
*4a77657cSAndrey V. Elsukov			 * linked into host's hash table.
*4a77657cSAndrey V. Elsukov			 * Check for READY flag, it is set just after
*4a77657cSAndrey V. Elsukov			 * linking. If it is not set, defer cleanup
*4a77657cSAndrey V. Elsukov			 * for next call.
*4a77657cSAndrey V. Elsukov			 */
*4a77657cSAndrey V. Elsukov			if (ISSET32(state->flags, NAT64_BIT_READY_IPV4)) {
*4a77657cSAndrey V. Elsukov				struct nat64lsn_host *host;
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov				host = state->host;
*4a77657cSAndrey V. Elsukov				HOST_LOCK(host);
*4a77657cSAndrey V. Elsukov				CK_SLIST_REMOVE(&STATE_HASH(host,
*4a77657cSAndrey V. Elsukov				    state->hval), state, nat64lsn_state,
*4a77657cSAndrey V. Elsukov				    entries);
*4a77657cSAndrey V. Elsukov				host->states_count--;
*4a77657cSAndrey V. Elsukov				HOST_UNLOCK(host);
*4a77657cSAndrey V. Elsukov				nat64lsn_state_cleanup(state);
*4a77657cSAndrey V. Elsukov			}
*4a77657cSAndrey V. Elsukov		}
*4a77657cSAndrey V. Elsukov	}
*4a77657cSAndrey V. Elsukov}
*4a77657cSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic void
d18c1f26SAndrey V. Elsukovnat64lsn_job_destroy(epoch_context_t ctx)
d7a1cf06SAndrey V. Elsukov{
*4a77657cSAndrey V. Elsukov	struct nat64lsn_hosts_slist hosts;
*4a77657cSAndrey V. Elsukov	struct nat64lsn_pg_slist portgroups;
d7a1cf06SAndrey V. Elsukov	struct nat64lsn_job_item *ji;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_host *host;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_pg *pg;
d18c1f26SAndrey V. Elsukov	int i;
d7a1cf06SAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov	CK_SLIST_INIT(&hosts);
*4a77657cSAndrey V. Elsukov	CK_SLIST_INIT(&portgroups);
d18c1f26SAndrey V. Elsukov	ji = __containerof(ctx, struct nat64lsn_job_item, epoch_ctx);
d18c1f26SAndrey V. Elsukov	MPASS(ji->jtype == JTYPE_DESTROY);
d18c1f26SAndrey V. Elsukov	while (!CK_SLIST_EMPTY(&ji->hosts)) {
d18c1f26SAndrey V. Elsukov		host = CK_SLIST_FIRST(&ji->hosts);
d18c1f26SAndrey V. Elsukov		CK_SLIST_REMOVE_HEAD(&ji->hosts, entries);
d18c1f26SAndrey V. Elsukov		if (host->states_count > 0) {
d18c1f26SAndrey V. Elsukov			/*
*4a77657cSAndrey V. Elsukov			 * The state has been created during host deletion.
d18c1f26SAndrey V. Elsukov			 */
d18c1f26SAndrey V. Elsukov			printf("NAT64LSN: %s: destroying host with %d "
d18c1f26SAndrey V. Elsukov			    "states\n", __func__, host->states_count);
*4a77657cSAndrey V. Elsukov			/*
*4a77657cSAndrey V. Elsukov			 * We need to cleanup these states to avoid
*4a77657cSAndrey V. Elsukov			 * possible access to already deleted host in
*4a77657cSAndrey V. Elsukov			 * the state expiration code.
*4a77657cSAndrey V. Elsukov			 */
*4a77657cSAndrey V. Elsukov			nat64lsn_host_cleanup(host);
*4a77657cSAndrey V. Elsukov			CK_SLIST_INSERT_HEAD(&hosts, host, entries);
*4a77657cSAndrey V. Elsukov			/*
*4a77657cSAndrey V. Elsukov			 * Keep host entry for next deferred destroying.
*4a77657cSAndrey V. Elsukov			 * In the next epoch its states will be not
*4a77657cSAndrey V. Elsukov			 * accessible.
*4a77657cSAndrey V. Elsukov			 */
*4a77657cSAndrey V. Elsukov			continue;
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		nat64lsn_destroy_host(host);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	while (!CK_SLIST_EMPTY(&ji->portgroups)) {
d18c1f26SAndrey V. Elsukov		pg = CK_SLIST_FIRST(&ji->portgroups);
d18c1f26SAndrey V. Elsukov		CK_SLIST_REMOVE_HEAD(&ji->portgroups, entries);
d18c1f26SAndrey V. Elsukov		for (i = 0; i < pg->chunks_count; i++) {
d18c1f26SAndrey V. Elsukov			if (FREEMASK_BITCOUNT(pg, i) != 64) {
d18c1f26SAndrey V. Elsukov				/*
*4a77657cSAndrey V. Elsukov				 * A state has been created during
d18c1f26SAndrey V. Elsukov				 * PG deletion.
d18c1f26SAndrey V. Elsukov				 */
d18c1f26SAndrey V. Elsukov				printf("NAT64LSN: %s: destroying PG %p "
d18c1f26SAndrey V. Elsukov				    "with non-empty chunk %d\n", __func__,
d18c1f26SAndrey V. Elsukov				    pg, i);
*4a77657cSAndrey V. Elsukov				nat64lsn_pg_cleanup(pg);
*4a77657cSAndrey V. Elsukov				CK_SLIST_INSERT_HEAD(&portgroups,
*4a77657cSAndrey V. Elsukov				    pg, entries);
*4a77657cSAndrey V. Elsukov				i = -1;
*4a77657cSAndrey V. Elsukov				break;
d18c1f26SAndrey V. Elsukov			}
d18c1f26SAndrey V. Elsukov		}
*4a77657cSAndrey V. Elsukov		if (i != -1)
d18c1f26SAndrey V. Elsukov			nat64lsn_destroy_pg(pg);
d18c1f26SAndrey V. Elsukov	}
*4a77657cSAndrey V. Elsukov	if (CK_SLIST_EMPTY(&hosts) &&
*4a77657cSAndrey V. Elsukov	    CK_SLIST_EMPTY(&portgroups)) {
d18c1f26SAndrey V. Elsukov		uma_zfree(nat64lsn_pgchunk_zone, ji->pgchunk);
d18c1f26SAndrey V. Elsukov		uma_zfree(nat64lsn_job_zone, ji);
*4a77657cSAndrey V. Elsukov		return;
*4a77657cSAndrey V. Elsukov	}
*4a77657cSAndrey V. Elsukov
*4a77657cSAndrey V. Elsukov	/* Schedule job item again */
*4a77657cSAndrey V. Elsukov	CK_SLIST_MOVE(&ji->hosts, &hosts, entries);
*4a77657cSAndrey V. Elsukov	CK_SLIST_MOVE(&ji->portgroups, &portgroups, entries);
*4a77657cSAndrey V. Elsukov	NAT64LSN_EPOCH_CALL(&ji->epoch_ctx, nat64lsn_job_destroy);
d18c1f26SAndrey V. Elsukov}
d7a1cf06SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_request_host(struct nat64lsn_cfg *cfg,
d18c1f26SAndrey V. Elsukov    const struct ipfw_flow_id *f_id, struct mbuf **mp, uint32_t hval,
d18c1f26SAndrey V. Elsukov    in_addr_t faddr, uint16_t port, uint8_t proto)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_job_item *ji;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	ji = nat64lsn_create_job(cfg, JTYPE_NEWHOST);
d18c1f26SAndrey V. Elsukov	if (ji != NULL) {
d18c1f26SAndrey V. Elsukov		ji->m = *mp;
d18c1f26SAndrey V. Elsukov		ji->f_id = *f_id;
d18c1f26SAndrey V. Elsukov		ji->faddr = faddr;
d18c1f26SAndrey V. Elsukov		ji->port = port;
d18c1f26SAndrey V. Elsukov		ji->proto = proto;
d18c1f26SAndrey V. Elsukov		ji->src6_hval = hval;
d18c1f26SAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov		nat64lsn_enqueue_job(cfg, ji);
782360deSAndrey V. Elsukov		NAT64STAT_INC(&cfg->base.stats, jhostsreq);
d18c1f26SAndrey V. Elsukov		*mp = NULL;
d8caf56eSAndrey V. Elsukov	}
eed30257SAndrey V. Elsukov	return (IP_FW_DENY);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_request_pg(struct nat64lsn_cfg *cfg, struct nat64lsn_host *host,
d18c1f26SAndrey V. Elsukov    const struct ipfw_flow_id *f_id, struct mbuf **mp, uint32_t hval,
d18c1f26SAndrey V. Elsukov    in_addr_t faddr, uint16_t port, uint8_t proto)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov	struct nat64lsn_job_item *ji;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	ji = nat64lsn_create_job(cfg, JTYPE_NEWPORTGROUP);
d18c1f26SAndrey V. Elsukov	if (ji != NULL) {
d18c1f26SAndrey V. Elsukov		ji->m = *mp;
d18c1f26SAndrey V. Elsukov		ji->f_id = *f_id;
d18c1f26SAndrey V. Elsukov		ji->faddr = faddr;
d18c1f26SAndrey V. Elsukov		ji->port = port;
d18c1f26SAndrey V. Elsukov		ji->proto = proto;
d18c1f26SAndrey V. Elsukov		ji->state_hval = hval;
d18c1f26SAndrey V. Elsukov		ji->host = host;
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov		nat64lsn_enqueue_job(cfg, ji);
782360deSAndrey V. Elsukov		NAT64STAT_INC(&cfg->base.stats, jportreq);
d18c1f26SAndrey V. Elsukov		*mp = NULL;
d8caf56eSAndrey V. Elsukov	}
eed30257SAndrey V. Elsukov	return (IP_FW_DENY);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_translate6_internal(struct nat64lsn_cfg *cfg, struct mbuf **mp,
d18c1f26SAndrey V. Elsukov    struct nat64lsn_state *state, uint8_t flags)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov	struct pfloghdr loghdr, *logdata;
d18c1f26SAndrey V. Elsukov	int ret;
d18c1f26SAndrey V. Elsukov	uint16_t ts;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Update timestamp and flags if needed */
d18c1f26SAndrey V. Elsukov	SET_AGE(ts);
d18c1f26SAndrey V. Elsukov	if (state->timestamp != ts)
d18c1f26SAndrey V. Elsukov		state->timestamp = ts;
d18c1f26SAndrey V. Elsukov	if ((state->flags & flags) != 0)
d18c1f26SAndrey V. Elsukov		state->flags |= flags;
d8caf56eSAndrey V. Elsukov
782360deSAndrey V. Elsukov	if (cfg->base.flags & NAT64_LOG) {
d8caf56eSAndrey V. Elsukov		logdata = &loghdr;
d18c1f26SAndrey V. Elsukov		nat64lsn_log(logdata, *mp, AF_INET6, state);
d8caf56eSAndrey V. Elsukov	} else
d8caf56eSAndrey V. Elsukov		logdata = NULL;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	ret = nat64_do_handle_ip6(*mp, htonl(state->ip_src),
d18c1f26SAndrey V. Elsukov	    htons(state->aport), &cfg->base, logdata);
d18c1f26SAndrey V. Elsukov	if (ret == NAT64SKIP)
eed30257SAndrey V. Elsukov		return (cfg->nomatch_verdict);
d18c1f26SAndrey V. Elsukov	if (ret == NAT64RETURN)
d18c1f26SAndrey V. Elsukov		*mp = NULL;
d8caf56eSAndrey V. Elsukov	return (IP_FW_DENY);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_translate6(struct nat64lsn_cfg *cfg, struct ipfw_flow_id *f_id,
d18c1f26SAndrey V. Elsukov    struct mbuf **mp)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_state *state;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_host *host;
d18c1f26SAndrey V. Elsukov	struct icmp6_hdr *icmp6;
d18c1f26SAndrey V. Elsukov	uint32_t addr, hval, data[2];
d18c1f26SAndrey V. Elsukov	int offset, proto;
d18c1f26SAndrey V. Elsukov	uint16_t port;
d18c1f26SAndrey V. Elsukov	uint8_t flags;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Check if protocol is supported */
d18c1f26SAndrey V. Elsukov	port = f_id->src_port;
d18c1f26SAndrey V. Elsukov	proto = f_id->proto;
d18c1f26SAndrey V. Elsukov	switch (f_id->proto) {
d18c1f26SAndrey V. Elsukov	case IPPROTO_ICMPV6:
d18c1f26SAndrey V. Elsukov		/*
d18c1f26SAndrey V. Elsukov		 * For ICMPv6 echo reply/request we use icmp6_id as
d18c1f26SAndrey V. Elsukov		 * local port.
d18c1f26SAndrey V. Elsukov		 */
d18c1f26SAndrey V. Elsukov		offset = 0;
d18c1f26SAndrey V. Elsukov		proto = nat64_getlasthdr(*mp, &offset);
d18c1f26SAndrey V. Elsukov		if (proto < 0) {
d18c1f26SAndrey V. Elsukov			NAT64STAT_INC(&cfg->base.stats, dropped);
d18c1f26SAndrey V. Elsukov			DPRINTF(DP_DROPS, "mbuf isn't contigious");
d18c1f26SAndrey V. Elsukov			return (IP_FW_DENY);
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		if (proto == IPPROTO_ICMPV6) {
d18c1f26SAndrey V. Elsukov			icmp6 = mtodo(*mp, offset);
d18c1f26SAndrey V. Elsukov			if (icmp6->icmp6_type == ICMP6_ECHO_REQUEST ||
d18c1f26SAndrey V. Elsukov			    icmp6->icmp6_type == ICMP6_ECHO_REPLY)
d18c1f26SAndrey V. Elsukov				port = ntohs(icmp6->icmp6_id);
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov		proto = IPPROTO_ICMP;
d18c1f26SAndrey V. Elsukov		/* FALLTHROUGH */
d18c1f26SAndrey V. Elsukov	case IPPROTO_TCP:
d18c1f26SAndrey V. Elsukov	case IPPROTO_UDP:
d18c1f26SAndrey V. Elsukov		break;
d18c1f26SAndrey V. Elsukov	default:
d18c1f26SAndrey V. Elsukov		NAT64STAT_INC(&cfg->base.stats, noproto);
d18c1f26SAndrey V. Elsukov		return (cfg->nomatch_verdict);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Extract IPv4 from destination IPv6 address */
d18c1f26SAndrey V. Elsukov	addr = nat64_extract_ip4(&f_id->dst_ip6, cfg->base.plat_plen);
d18c1f26SAndrey V. Elsukov	if (addr == 0 || nat64_check_private_ip4(&cfg->base, addr) != 0) {
d18c1f26SAndrey V. Elsukov		char a[INET_ADDRSTRLEN];
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov		NAT64STAT_INC(&cfg->base.stats, dropped);
d18c1f26SAndrey V. Elsukov		DPRINTF(DP_DROPS, "dropped due to embedded IPv4 address %s",
d18c1f26SAndrey V. Elsukov		    inet_ntop(AF_INET, &addr, a, sizeof(a)));
d18c1f26SAndrey V. Elsukov		return (IP_FW_DENY); /* XXX: add extra stats? */
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* Try to find host */
d18c1f26SAndrey V. Elsukov	hval = HOST_HVAL(cfg, &f_id->src_ip6);
d18c1f26SAndrey V. Elsukov	CK_SLIST_FOREACH(host, &HOSTS(cfg, hval), entries) {
d18c1f26SAndrey V. Elsukov		if (IN6_ARE_ADDR_EQUAL(&f_id->src_ip6, &host->addr))
d18c1f26SAndrey V. Elsukov			break;
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	/* We use IPv4 address in host byte order */
d18c1f26SAndrey V. Elsukov	addr = ntohl(addr);
d18c1f26SAndrey V. Elsukov	if (host == NULL)
d18c1f26SAndrey V. Elsukov		return (nat64lsn_request_host(cfg, f_id, mp,
d18c1f26SAndrey V. Elsukov		    hval, addr, port, proto));
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	flags = proto != IPPROTO_TCP ? 0 : convert_tcp_flags(f_id->_flags);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	data[0] = addr;
d18c1f26SAndrey V. Elsukov	data[1] = (f_id->dst_port << 16) | port;
d18c1f26SAndrey V. Elsukov	hval = STATE_HVAL(cfg, data);
d18c1f26SAndrey V. Elsukov	state = nat64lsn_get_state6to4(cfg, host, f_id, hval, addr,
d18c1f26SAndrey V. Elsukov	    port, proto);
d18c1f26SAndrey V. Elsukov	if (state == NULL)
d18c1f26SAndrey V. Elsukov		return (nat64lsn_request_pg(cfg, host, f_id, mp, hval, addr,
d18c1f26SAndrey V. Elsukov		    port, proto));
d18c1f26SAndrey V. Elsukov	return (nat64lsn_translate6_internal(cfg, mp, state, flags));
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov/*
d8caf56eSAndrey V. Elsukov * Main dataplane entry point.
d8caf56eSAndrey V. Elsukov */
d8caf56eSAndrey V. Elsukovint
d8caf56eSAndrey V. Elsukovipfw_nat64lsn(struct ip_fw_chain *ch, struct ip_fw_args *args,
d8caf56eSAndrey V. Elsukov    ipfw_insn *cmd, int *done)
d8caf56eSAndrey V. Elsukov{
*4a77657cSAndrey V. Elsukov	struct nat64lsn_instance *i;
d18c1f26SAndrey V. Elsukov	ipfw_insn *icmd;
d8caf56eSAndrey V. Elsukov	int ret;
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	IPFW_RLOCK_ASSERT(ch);
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	*done = 0;	/* continue the search in case of failure */
*4a77657cSAndrey V. Elsukov	icmd = cmd + F_LEN(cmd);
d8caf56eSAndrey V. Elsukov	if (cmd->opcode != O_EXTERNAL_ACTION ||
*4a77657cSAndrey V. Elsukov	    insntod(cmd, kidx)->kidx != V_nat64lsn_eid ||
d8caf56eSAndrey V. Elsukov	    icmd->opcode != O_EXTERNAL_INSTANCE ||
*4a77657cSAndrey V. Elsukov	    (i = NAT64_LOOKUP(ch, icmd)) == NULL)
d18c1f26SAndrey V. Elsukov		return (IP_FW_DENY);
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	*done = 1;	/* terminate the search */
d18c1f26SAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	switch (args->f_id.addr_type) {
d8caf56eSAndrey V. Elsukov	case 4:
*4a77657cSAndrey V. Elsukov		ret = nat64lsn_translate4(i->cfg, &args->f_id, &args->m);
d8caf56eSAndrey V. Elsukov		break;
d8caf56eSAndrey V. Elsukov	case 6:
d18c1f26SAndrey V. Elsukov		/*
d18c1f26SAndrey V. Elsukov		 * Check that destination IPv6 address matches our prefix6.
d18c1f26SAndrey V. Elsukov		 */
*4a77657cSAndrey V. Elsukov		if ((i->cfg->base.flags & NAT64LSN_ANYPREFIX) == 0 &&
*4a77657cSAndrey V. Elsukov		    memcmp(&args->f_id.dst_ip6, &i->cfg->base.plat_prefix,
*4a77657cSAndrey V. Elsukov		    i->cfg->base.plat_plen / 8) != 0) {
*4a77657cSAndrey V. Elsukov			ret = i->cfg->nomatch_verdict;
d18c1f26SAndrey V. Elsukov			break;
d18c1f26SAndrey V. Elsukov		}
*4a77657cSAndrey V. Elsukov		ret = nat64lsn_translate6(i->cfg, &args->f_id, &args->m);
d8caf56eSAndrey V. Elsukov		break;
d8caf56eSAndrey V. Elsukov	default:
*4a77657cSAndrey V. Elsukov		ret = i->cfg->nomatch_verdict;
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	if (ret != IP_FW_PASS && args->m != NULL) {
d18c1f26SAndrey V. Elsukov		m_freem(args->m);
d18c1f26SAndrey V. Elsukov		args->m = NULL;
d8caf56eSAndrey V. Elsukov	}
d8caf56eSAndrey V. Elsukov	return (ret);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovstatic int
d18c1f26SAndrey V. Elsukovnat64lsn_state_ctor(void *mem, int size, void *arg, int flags)
d8caf56eSAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_states_chunk *chunk;
d18c1f26SAndrey V. Elsukov	int i;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	chunk = (struct nat64lsn_states_chunk *)mem;
d18c1f26SAndrey V. Elsukov	for (i = 0; i < 64; i++)
d18c1f26SAndrey V. Elsukov		chunk->state[i].flags = 0;
d8caf56eSAndrey V. Elsukov	return (0);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovvoid
d8caf56eSAndrey V. Elsukovnat64lsn_init_internal(void)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	nat64lsn_host_zone = uma_zcreate("NAT64LSN hosts",
d18c1f26SAndrey V. Elsukov	    sizeof(struct nat64lsn_host), NULL, NULL, NULL, NULL,
d6369c2dSAndrey V. Elsukov	    UMA_ALIGN_PTR, 0);
d18c1f26SAndrey V. Elsukov	nat64lsn_pgchunk_zone = uma_zcreate("NAT64LSN portgroup chunks",
d18c1f26SAndrey V. Elsukov	    sizeof(struct nat64lsn_pgchunk), NULL, NULL, NULL, NULL,
d18c1f26SAndrey V. Elsukov	    UMA_ALIGN_PTR, 0);
d18c1f26SAndrey V. Elsukov	nat64lsn_pg_zone = uma_zcreate("NAT64LSN portgroups",
d18c1f26SAndrey V. Elsukov	    sizeof(struct nat64lsn_pg), NULL, NULL, NULL, NULL,
d18c1f26SAndrey V. Elsukov	    UMA_ALIGN_PTR, 0);
d18c1f26SAndrey V. Elsukov	nat64lsn_aliaslink_zone = uma_zcreate("NAT64LSN links",
d18c1f26SAndrey V. Elsukov	    sizeof(struct nat64lsn_aliaslink), NULL, NULL, NULL, NULL,
d18c1f26SAndrey V. Elsukov	    UMA_ALIGN_PTR, 0);
d18c1f26SAndrey V. Elsukov	nat64lsn_state_zone = uma_zcreate("NAT64LSN states",
d18c1f26SAndrey V. Elsukov	    sizeof(struct nat64lsn_states_chunk), nat64lsn_state_ctor,
d18c1f26SAndrey V. Elsukov	    NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
d18c1f26SAndrey V. Elsukov	nat64lsn_job_zone = uma_zcreate("NAT64LSN jobs",
d18c1f26SAndrey V. Elsukov	    sizeof(struct nat64lsn_job_item), NULL, NULL, NULL, NULL,
d18c1f26SAndrey V. Elsukov	    UMA_ALIGN_PTR, 0);
d18c1f26SAndrey V. Elsukov	JQUEUE_LOCK_INIT();
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovvoid
d8caf56eSAndrey V. Elsukovnat64lsn_uninit_internal(void)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	/* XXX: epoch_task drain */
d8caf56eSAndrey V. Elsukov	JQUEUE_LOCK_DESTROY();
d8caf56eSAndrey V. Elsukov	uma_zdestroy(nat64lsn_host_zone);
d18c1f26SAndrey V. Elsukov	uma_zdestroy(nat64lsn_pgchunk_zone);
d8caf56eSAndrey V. Elsukov	uma_zdestroy(nat64lsn_pg_zone);
d18c1f26SAndrey V. Elsukov	uma_zdestroy(nat64lsn_aliaslink_zone);
d18c1f26SAndrey V. Elsukov	uma_zdestroy(nat64lsn_state_zone);
d18c1f26SAndrey V. Elsukov	uma_zdestroy(nat64lsn_job_zone);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovvoid
d8caf56eSAndrey V. Elsukovnat64lsn_start_instance(struct nat64lsn_cfg *cfg)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	CALLOUT_LOCK(cfg);
d8caf56eSAndrey V. Elsukov	callout_reset(&cfg->periodic, hz * PERIODIC_DELAY,
d8caf56eSAndrey V. Elsukov	    nat64lsn_periodic, cfg);
d18c1f26SAndrey V. Elsukov	CALLOUT_UNLOCK(cfg);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovstruct nat64lsn_cfg *
*4a77657cSAndrey V. Elsukovnat64lsn_init_config(struct ip_fw_chain *ch, in_addr_t prefix, int plen)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov	struct nat64lsn_cfg *cfg;
d18c1f26SAndrey V. Elsukov	struct nat64lsn_alias *alias;
d18c1f26SAndrey V. Elsukov	int i, naddr;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	cfg = malloc(sizeof(struct nat64lsn_cfg), M_NAT64LSN,
d18c1f26SAndrey V. Elsukov	    M_WAITOK | M_ZERO);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	CFG_LOCK_INIT(cfg);
d18c1f26SAndrey V. Elsukov	CALLOUT_LOCK_INIT(cfg);
d18c1f26SAndrey V. Elsukov	STAILQ_INIT(&cfg->jhead);
d8caf56eSAndrey V. Elsukov	cfg->vp = curvnet;
782360deSAndrey V. Elsukov	COUNTER_ARRAY_ALLOC(cfg->base.stats.cnt, NAT64STATS, M_WAITOK);
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	cfg->hash_seed = arc4random();
d18c1f26SAndrey V. Elsukov	cfg->hosts_hashsize = NAT64LSN_HOSTS_HSIZE;
d18c1f26SAndrey V. Elsukov	cfg->hosts_hash = malloc(sizeof(struct nat64lsn_hosts_slist) *
d18c1f26SAndrey V. Elsukov	    cfg->hosts_hashsize, M_NAT64LSN, M_WAITOK | M_ZERO);
d18c1f26SAndrey V. Elsukov	for (i = 0; i < cfg->hosts_hashsize; i++)
d18c1f26SAndrey V. Elsukov		CK_SLIST_INIT(&cfg->hosts_hash[i]);
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	naddr = 1 << (32 - plen);
d18c1f26SAndrey V. Elsukov	cfg->prefix4 = prefix;
d18c1f26SAndrey V. Elsukov	cfg->pmask4 = prefix | (naddr - 1);
d18c1f26SAndrey V. Elsukov	cfg->plen4 = plen;
d18c1f26SAndrey V. Elsukov	cfg->aliases = malloc(sizeof(struct nat64lsn_alias) * naddr,
d18c1f26SAndrey V. Elsukov	    M_NAT64LSN, M_WAITOK | M_ZERO);
d18c1f26SAndrey V. Elsukov	for (i = 0; i < naddr; i++) {
d18c1f26SAndrey V. Elsukov		alias = &cfg->aliases[i];
d18c1f26SAndrey V. Elsukov		alias->addr = prefix + i; /* host byte order */
d18c1f26SAndrey V. Elsukov		CK_SLIST_INIT(&alias->hosts);
d18c1f26SAndrey V. Elsukov		ALIAS_LOCK_INIT(alias);
d18c1f26SAndrey V. Elsukov	}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	callout_init_mtx(&cfg->periodic, &cfg->periodic_lock, 0);
d8caf56eSAndrey V. Elsukov	callout_init(&cfg->jcallout, CALLOUT_MPSAFE);
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukov	return (cfg);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic void
d18c1f26SAndrey V. Elsukovnat64lsn_destroy_pg(struct nat64lsn_pg *pg)
d8caf56eSAndrey V. Elsukov{
d8caf56eSAndrey V. Elsukov	int i;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	if (pg->chunks_count == 1) {
d18c1f26SAndrey V. Elsukov		uma_zfree(nat64lsn_state_zone, pg->states);
d18c1f26SAndrey V. Elsukov	} else {
d18c1f26SAndrey V. Elsukov		for (i = 0; i < pg->chunks_count; i++)
d18c1f26SAndrey V. Elsukov			uma_zfree(nat64lsn_state_zone, pg->states_chunk[i]);
d18c1f26SAndrey V. Elsukov		free(pg->states_chunk, M_NAT64LSN);
d18c1f26SAndrey V. Elsukov		free(pg->freemask_chunk, M_NAT64LSN);
d8caf56eSAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	uma_zfree(nat64lsn_pg_zone, pg);
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic void
d18c1f26SAndrey V. Elsukovnat64lsn_destroy_alias(struct nat64lsn_cfg *cfg,
d18c1f26SAndrey V. Elsukov    struct nat64lsn_alias *alias)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_pg *pg;
d18c1f26SAndrey V. Elsukov	int i;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	while (!CK_SLIST_EMPTY(&alias->portgroups)) {
d18c1f26SAndrey V. Elsukov		pg = CK_SLIST_FIRST(&alias->portgroups);
d18c1f26SAndrey V. Elsukov		CK_SLIST_REMOVE_HEAD(&alias->portgroups, entries);
d18c1f26SAndrey V. Elsukov		nat64lsn_destroy_pg(pg);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	for (i = 0; i < 32; i++) {
d18c1f26SAndrey V. Elsukov		if (ISSET32(alias->tcp_chunkmask, i))
d18c1f26SAndrey V. Elsukov			uma_zfree(nat64lsn_pgchunk_zone, alias->tcp[i]);
d18c1f26SAndrey V. Elsukov		if (ISSET32(alias->udp_chunkmask, i))
d18c1f26SAndrey V. Elsukov			uma_zfree(nat64lsn_pgchunk_zone, alias->udp[i]);
d18c1f26SAndrey V. Elsukov		if (ISSET32(alias->icmp_chunkmask, i))
d18c1f26SAndrey V. Elsukov			uma_zfree(nat64lsn_pgchunk_zone, alias->icmp[i]);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	ALIAS_LOCK_DESTROY(alias);
d18c1f26SAndrey V. Elsukov}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukovstatic void
d18c1f26SAndrey V. Elsukovnat64lsn_destroy_host(struct nat64lsn_host *host)
d18c1f26SAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_aliaslink *link;
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	while (!CK_SLIST_EMPTY(&host->aliases)) {
d18c1f26SAndrey V. Elsukov		link = CK_SLIST_FIRST(&host->aliases);
d18c1f26SAndrey V. Elsukov		CK_SLIST_REMOVE_HEAD(&host->aliases, host_entries);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov		ALIAS_LOCK(link->alias);
d18c1f26SAndrey V. Elsukov		CK_SLIST_REMOVE(&link->alias->hosts, link,
d18c1f26SAndrey V. Elsukov		    nat64lsn_aliaslink, alias_entries);
d18c1f26SAndrey V. Elsukov		link->alias->hosts_count--;
d18c1f26SAndrey V. Elsukov		ALIAS_UNLOCK(link->alias);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov		uma_zfree(nat64lsn_aliaslink_zone, link);
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov	HOST_LOCK_DESTROY(host);
d18c1f26SAndrey V. Elsukov	free(host->states_hash, M_NAT64LSN);
d18c1f26SAndrey V. Elsukov	uma_zfree(nat64lsn_host_zone, host);
d8caf56eSAndrey V. Elsukov}
d8caf56eSAndrey V. Elsukov
d8caf56eSAndrey V. Elsukovvoid
*4a77657cSAndrey V. Elsukovnat64lsn_destroy_config(struct nat64lsn_cfg *cfg)
d8caf56eSAndrey V. Elsukov{
d18c1f26SAndrey V. Elsukov	struct nat64lsn_host *host;
d18c1f26SAndrey V. Elsukov	int i;
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	CALLOUT_LOCK(cfg);
d6369c2dSAndrey V. Elsukov	callout_drain(&cfg->periodic);
d18c1f26SAndrey V. Elsukov	CALLOUT_UNLOCK(cfg);
d18c1f26SAndrey V. Elsukov	callout_drain(&cfg->jcallout);
d8caf56eSAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	for (i = 0; i < cfg->hosts_hashsize; i++) {
d18c1f26SAndrey V. Elsukov		while (!CK_SLIST_EMPTY(&cfg->hosts_hash[i])) {
d18c1f26SAndrey V. Elsukov			host = CK_SLIST_FIRST(&cfg->hosts_hash[i]);
d18c1f26SAndrey V. Elsukov			CK_SLIST_REMOVE_HEAD(&cfg->hosts_hash[i], entries);
d18c1f26SAndrey V. Elsukov			nat64lsn_destroy_host(host);
d18c1f26SAndrey V. Elsukov		}
d18c1f26SAndrey V. Elsukov	}
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	for (i = 0; i < (1 << (32 - cfg->plen4)); i++)
d18c1f26SAndrey V. Elsukov		nat64lsn_destroy_alias(cfg, &cfg->aliases[i]);
d18c1f26SAndrey V. Elsukov
d18c1f26SAndrey V. Elsukov	CALLOUT_LOCK_DESTROY(cfg);
d18c1f26SAndrey V. Elsukov	CFG_LOCK_DESTROY(cfg);
782360deSAndrey V. Elsukov	COUNTER_ARRAY_FREE(cfg->base.stats.cnt, NAT64STATS);
d18c1f26SAndrey V. Elsukov	free(cfg->hosts_hash, M_NAT64LSN);
d18c1f26SAndrey V. Elsukov	free(cfg->aliases, M_NAT64LSN);
d18c1f26SAndrey V. Elsukov	free(cfg, M_NAT64LSN);
d8caf56eSAndrey V. Elsukov}
*4a77657cSAndrey V. Elsukov