master
1/* $NetBSD: ip_nat.h,v 1.8 2022/05/07 04:38:09 mrg Exp $ */
2
3/*
4 * Copyright (C) 2012 by Darren Reed.
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 *
8 * @(#)ip_nat.h 1.5 2/4/96
9 * Id: ip_nat.h,v 1.1.1.2 2012/07/22 13:45:29 darrenr Exp
10 */
11
12#ifndef __IP_NAT_H__
13#define __IP_NAT_H__
14
15#ifndef SOLARIS
16# if (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
17# define SOLARIS 1
18# else
19# define SOLARIS 0
20# endif
21#endif
22
23#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
24#define SIOCADNAT _IOW('r', 60, struct ipfobj)
25#define SIOCRMNAT _IOW('r', 61, struct ipfobj)
26#define SIOCGNATS _IOWR('r', 62, struct ipfobj)
27#define SIOCGNATL _IOWR('r', 63, struct ipfobj)
28#define SIOCPURGENAT _IOWR('r', 100, struct ipfobj)
29#else
30#define SIOCADNAT _IOW(r, 60, struct ipfobj)
31#define SIOCRMNAT _IOW(r, 61, struct ipfobj)
32#define SIOCGNATS _IOWR(r, 62, struct ipfobj)
33#define SIOCGNATL _IOWR(r, 63, struct ipfobj)
34#define SIOCPURGENAT _IOWR(r, 100, struct ipfobj)
35#endif
36
37#undef LARGE_NAT /* define this if you're setting up a system to NAT
38 * LARGE numbers of networks/hosts - i.e. in the
39 * hundreds or thousands. In such a case, you should
40 * also change the RDR_SIZE and NAT_SIZE below to more
41 * appropriate sizes. The figures below were used for
42 * a setup with 1000-2000 networks to NAT.
43 */
44#ifndef NAT_SIZE
45# ifdef LARGE_NAT
46# define NAT_SIZE 2047
47# else
48# define NAT_SIZE 127
49# endif
50#endif
51#ifndef RDR_SIZE
52# ifdef LARGE_NAT
53# define RDR_SIZE 2047
54# else
55# define RDR_SIZE 127
56# endif
57#endif
58#ifndef HOSTMAP_SIZE
59# ifdef LARGE_NAT
60# define HOSTMAP_SIZE 8191
61# else
62# define HOSTMAP_SIZE 2047
63# endif
64#endif
65#ifndef NAT_TABLE_MAX
66/*
67 * This is newly introduced and for the sake of "least surprise", the numbers
68 * present aren't what we'd normally use for creating a proper hash table.
69 */
70# ifdef LARGE_NAT
71# define NAT_TABLE_MAX 180000
72# else
73# define NAT_TABLE_MAX 30000
74# endif
75#endif
76#ifndef NAT_TABLE_SZ
77# ifdef LARGE_NAT
78# define NAT_TABLE_SZ 16383
79# else
80# define NAT_TABLE_SZ 2047
81# endif
82#endif
83#ifndef APR_LABELLEN
84#define APR_LABELLEN 16
85#endif
86#define NAT_HW_CKSUM 0x80000000
87#define NAT_HW_CKSUM_PART 0x40000000
88
89#define DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */
90
91struct ipstate;
92struct ap_session;
93
94/*
95 * This structure is used in the active NAT table and represents an
96 * active NAT session.
97 *
98 * Generally nat_t structures have references from at least two places.
99 * The first place gives them a position in a linked list of NAT sessions
100 * per instace of IPFilter. In this linked list, nat_next always points to
101 * the next entry in the list and nat_pnext points to the pointer that
102 * introduces the structure. That may be either the top of the list pointer
103 * or simply the nat_next of the previous link in the list. The second place
104 * that a nat_t structure is generally referenced from is the NAT hash table.
105 * Two references from this table are required, one for supporting the of
106 * matching packets being transmitted and one for supporting the matching of
107 * packets being received. The hash table is comprised of buckets, each one
108 * having its own chain of nat_t structures. To support these chains,
109 * nat_hnext is used to point to the next member of the chain and nat_phnext
110 * points back to the pointer that is pointing to the nat_t in the chain,
111 * be it the bucket at the top or simply the previous nat_t chain entry.
112 */
113typedef struct nat {
114 ipfmutex_t nat_lock;
115 struct nat *nat_next;
116 struct nat **nat_pnext;
117 struct nat *nat_hnext[2];
118 struct nat **nat_phnext[2];
119 struct hostmap *nat_hm;
120 void *nat_data;
121 struct nat **nat_me;
122 struct ipstate *nat_state;
123 struct ap_session *nat_aps; /* proxy session */
124 frentry_t *nat_fr; /* filter rule ptr if appropriate */
125 struct ipnat *nat_ptr; /* pointer back to the rule */
126 void *nat_ifps[2];
127 void *nat_sync;
128 ipftqent_t nat_tqe;
129 int nat_mtu[2];
130 u_32_t nat_flags;
131 u_32_t nat_sumd[2]; /* ip checksum delta for data segment*/
132 u_32_t nat_ipsumd; /* ip checksum delta for ip header */
133 u_32_t nat_mssclamp; /* if != zero clamp MSS to this */
134 i6addr_t nat_odst6;
135 i6addr_t nat_osrc6;
136 i6addr_t nat_ndst6;
137 i6addr_t nat_nsrc6;
138 U_QUAD_T nat_pkts[2];
139 U_QUAD_T nat_bytes[2];
140 union {
141 udpinfo_t nat_unu;
142 tcpinfo_t nat_unt;
143 icmpinfo_t nat_uni;
144 greinfo_t nat_ugre;
145 } nat_unold, nat_unnew;
146 int nat_use;
147 int nat_pr[2]; /* protocol for NAT */
148 int nat_dir;
149 int nat_ref; /* reference count */
150 u_int nat_hv[2];
151 char nat_ifnames[2][LIFNAMSIZ];
152 int nat_rev; /* 0 = forward, 1 = reverse */
153 int nat_dlocal;
154 int nat_v[2]; /* 0 = old, 1 = new */
155 u_int nat_redir; /* copy of in_redir */
156} nat_t;
157
158#define nat_osrcip nat_osrc6.in4
159#define nat_odstip nat_odst6.in4
160#define nat_nsrcip nat_nsrc6.in4
161#define nat_ndstip nat_ndst6.in4
162#define nat_osrcaddr nat_osrc6.in4.s_addr
163#define nat_odstaddr nat_odst6.in4.s_addr
164#define nat_nsrcaddr nat_nsrc6.in4.s_addr
165#define nat_ndstaddr nat_ndst6.in4.s_addr
166#define nat_age nat_tqe.tqe_die
167#define nat_osport nat_unold.nat_unt.ts_sport
168#define nat_odport nat_unold.nat_unt.ts_dport
169#define nat_nsport nat_unnew.nat_unt.ts_sport
170#define nat_ndport nat_unnew.nat_unt.ts_dport
171#define nat_oicmpid nat_unold.nat_uni.ici_id
172#define nat_nicmpid nat_unnew.nat_uni.ici_id
173#define nat_type nat_unold.nat_uni.ici_type
174#define nat_oseq nat_unold.nat_uni.ici_seq
175#define nat_nseq nat_unnew.nat_uni.ici_seq
176#define nat_tcpstate nat_tqe.tqe_state
177#define nat_die nat_tqe.tqe_die
178#define nat_touched nat_tqe.tqe_touched
179
180/*
181 * Values for nat_dir
182 */
183#define NAT_INBOUND 0
184#define NAT_OUTBOUND 1
185#define NAT_ENCAPIN 2
186#define NAT_ENCAPOUT 3
187#define NAT_DIVERTIN 4
188#define NAT_DIVERTOUT 5
189
190/*
191 * Definitions for nat_flags
192 */
193#define NAT_TCP 0x0001 /* IPN_TCP */
194#define NAT_UDP 0x0002 /* IPN_UDP */
195#define NAT_ICMPERR 0x0004 /* IPN_ICMPERR */
196#define NAT_ICMPQUERY 0x0008 /* IPN_ICMPQUERY */
197#define NAT_SEARCH 0x0010
198#define NAT_SLAVE 0x0020 /* Slave connection for a proxy */
199#define NAT_NOTRULEPORT 0x0040 /* Don't use the port # in the NAT rule */
200
201#define NAT_TCPUDP (NAT_TCP|NAT_UDP)
202#define NAT_TCPUDPICMP (NAT_TCP|NAT_UDP|NAT_ICMPERR)
203#define NAT_TCPUDPICMPQ (NAT_TCP|NAT_UDP|NAT_ICMPQUERY)
204#define NAT_FROMRULE (NAT_TCP|NAT_UDP)
205
206/* 0x0100 reserved for FI_W_SPORT */
207/* 0x0200 reserved for FI_W_DPORT */
208/* 0x0400 reserved for FI_W_SADDR */
209/* 0x0800 reserved for FI_W_DADDR */
210/* 0x1000 reserved for FI_W_NEWFR */
211/* 0x2000 reserved for SI_CLONE */
212/* 0x4000 reserved for SI_CLONED */
213/* 0x8000 reserved for SI_IGNOREPKT */
214
215#define NAT_DEBUG 0x800000
216
217typedef struct nat_addr_s {
218 i6addr_t na_addr[2];
219 i6addr_t na_nextaddr;
220 int na_atype;
221 int na_function;
222} nat_addr_t;
223
224#define na_nextip na_nextaddr.in4.s_addr
225#define na_nextip6 na_nextaddr.in6
226#define na_num na_addr[0].iplookupnum
227#define na_type na_addr[0].iplookuptype
228#define na_subtype na_addr[0].iplookupsubtype
229#define na_ptr na_addr[1].iplookupptr
230#define na_func na_addr[1].iplookupfunc
231
232
233/*
234 * This structure represents an actual NAT rule, loaded by ipnat.
235 */
236typedef struct ipnat {
237 ipfmutex_t in_lock;
238 struct ipnat *in_next; /* NAT rule list next */
239 struct ipnat **in_pnext; /* prior rdr next ptr */
240 struct ipnat *in_rnext; /* rdr rule hash next */
241 struct ipnat **in_prnext; /* prior rdr next ptr */
242 struct ipnat *in_mnext; /* map rule hash next */
243 struct ipnat **in_pmnext; /* prior map next ptr */
244 struct ipftq *in_tqehead[2];
245 void *in_ifps[2];
246 void *in_apr;
247 char *in_comment;
248 mb_t *in_divmp;
249 void *in_pconf;
250 U_QUAD_T in_pkts[2];
251 U_QUAD_T in_bytes[2];
252 u_long in_space;
253 u_long in_hits;
254 int in_size;
255 int in_use;
256 u_int in_hv[2];
257 int in_flineno; /* conf. file line number */
258 int in_stepnext;
259 int in_dlocal;
260 u_short in_dpnext;
261 u_short in_spnext;
262 /* From here to the end is covered by IPN_CMPSIZ */
263 u_char in_v[2]; /* 0 = old, 1 = new */
264 u_32_t in_flags;
265 u_32_t in_mssclamp; /* if != 0 clamp MSS to this */
266 u_int in_age[2];
267 int in_redir; /* see below for values */
268 int in_pr[2]; /* protocol. */
269 nat_addr_t in_ndst;
270 nat_addr_t in_nsrc;
271 nat_addr_t in_osrc;
272 nat_addr_t in_odst;
273 frtuc_t in_tuc;
274 u_short in_ppip; /* ports per IP. */
275 u_short in_ippip; /* IP #'s per IP# */
276 u_short in_ndports[2];
277 u_short in_nsports[2];
278 int in_ifnames[2];
279 int in_plabel; /* proxy label. */
280 int in_pconfig; /* proxy label. */
281 ipftag_t in_tag;
282 int in_namelen;
283 char in_names[1];
284} ipnat_t;
285
286/*
287 * MAP-IN MAP-OUT RDR-IN RDR-OUT
288 * osrc X == src == src X
289 * odst X == dst == dst X
290 * nsrc == dst X X == dst
291 * ndst == src X X == src
292 */
293#define in_dpmin in_ndports[0] /* Also holds static redir port */
294#define in_dpmax in_ndports[1]
295#define in_spmin in_nsports[0] /* Also holds static redir port */
296#define in_spmax in_nsports[1]
297#define in_ndport in_ndports[0]
298#define in_nsport in_nsports[0]
299#define in_dipnext in_ndst.na_nextaddr.in4
300#define in_dipnext6 in_ndst.na_nextaddr
301#define in_dnip in_ndst.na_nextaddr.in4.s_addr
302#define in_dnip6 in_ndst.na_nextaddr
303#define in_sipnext in_nsrc.na_nextaddr.in4
304#define in_snip in_nsrc.na_nextaddr.in4.s_addr
305#define in_snip6 in_nsrc.na_nextaddr
306#define in_odstip in_odst.na_addr[0].in4
307#define in_odstip6 in_odst.na_addr[0]
308#define in_odstaddr in_odst.na_addr[0].in4.s_addr
309#define in_odstmsk in_odst.na_addr[1].in4.s_addr
310#define in_odstmsk6 in_odst.na_addr[1]
311#define in_odstatype in_odst.na_atype
312#define in_osrcip in_osrc.na_addr[0].in4
313#define in_osrcip6 in_osrc.na_addr[0]
314#define in_osrcaddr in_osrc.na_addr[0].in4.s_addr
315#define in_osrcmsk in_osrc.na_addr[1].in4.s_addr
316#define in_osrcmsk6 in_osrc.na_addr[1]
317#define in_osrcatype in_osrc.na_atype
318#define in_ndstip in_ndst.na_addr[0].in4
319#define in_ndstip6 in_ndst.na_addr[0]
320#define in_ndstaddr in_ndst.na_addr[0].in4.s_addr
321#define in_ndstmsk in_ndst.na_addr[1].in4.s_addr
322#define in_ndstmsk6 in_ndst.na_addr[1]
323#define in_ndstatype in_ndst.na_atype
324#define in_ndstafunc in_ndst.na_function
325#define in_nsrcip in_nsrc.na_addr[0].in4
326#define in_nsrcip6 in_nsrc.na_addr[0]
327#define in_nsrcaddr in_nsrc.na_addr[0].in4.s_addr
328#define in_nsrcmsk in_nsrc.na_addr[1].in4.s_addr
329#define in_nsrcmsk6 in_nsrc.na_addr[1]
330#define in_nsrcatype in_nsrc.na_atype
331#define in_nsrcafunc in_nsrc.na_function
332#define in_scmp in_tuc.ftu_scmp
333#define in_dcmp in_tuc.ftu_dcmp
334#define in_stop in_tuc.ftu_stop
335#define in_dtop in_tuc.ftu_dtop
336#define in_osport in_tuc.ftu_sport
337#define in_odport in_tuc.ftu_dport
338#define in_ndstnum in_ndst.na_addr[0].iplookupnum
339#define in_ndsttype in_ndst.na_addr[0].iplookuptype
340#define in_ndstptr in_ndst.na_addr[1].iplookupptr
341#define in_ndstfunc in_ndst.na_addr[1].iplookupfunc
342#define in_nsrcnum in_nsrc.na_addr[0].iplookupnum
343#define in_nsrctype in_nsrc.na_addr[0].iplookuptype
344#define in_nsrcptr in_nsrc.na_addr[1].iplookupptr
345#define in_nsrcfunc in_nsrc.na_addr[1].iplookupfunc
346#define in_odstnum in_odst.na_addr[0].iplookupnum
347#define in_odsttype in_odst.na_addr[0].iplookuptype
348#define in_odstptr in_odst.na_addr[1].iplookupptr
349#define in_odstfunc in_odst.na_addr[1].iplookupfunc
350#define in_osrcnum in_osrc.na_addr[0].iplookupnum
351#define in_osrctype in_osrc.na_addr[0].iplookuptype
352#define in_osrcptr in_osrc.na_addr[1].iplookupptr
353#define in_osrcfunc in_osrc.na_addr[1].iplookupfunc
354#define in_icmpidmin in_nsports[0]
355#define in_icmpidmax in_nsports[1]
356
357/*
358 * Bit definitions for in_flags
359 */
360#define IPN_ANY 0x00000
361#define IPN_TCP 0x00001
362#define IPN_UDP 0x00002
363#define IPN_TCPUDP (IPN_TCP|IPN_UDP)
364#define IPN_ICMPERR 0x00004
365#define IPN_TCPUDPICMP (IPN_TCP|IPN_UDP|IPN_ICMPERR)
366#define IPN_ICMPQUERY 0x00008
367#define IPN_TCPUDPICMPQ (IPN_TCP|IPN_UDP|IPN_ICMPQUERY)
368#define IPN_RF (IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR)
369#define IPN_AUTOPORTMAP 0x00010
370#define IPN_FILTER 0x00020
371#define IPN_SPLIT 0x00040
372#define IPN_ROUNDR 0x00080
373#define IPN_SIPRANGE 0x00100
374#define IPN_DIPRANGE 0x00200
375#define IPN_NOTSRC 0x00400
376#define IPN_NOTDST 0x00800
377#define IPN_NO 0x01000
378#define IPN_DYNSRCIP 0x02000 /* dynamic src IP# */
379#define IPN_DYNDSTIP 0x04000 /* dynamic dst IP# */
380#define IPN_DELETE 0x08000
381#define IPN_STICKY 0x10000
382#define IPN_FRAG 0x20000
383#define IPN_FIXEDSPORT 0x40000
384#define IPN_FIXEDDPORT 0x80000
385#define IPN_FINDFORWARD 0x100000
386#define IPN_IN 0x200000
387#define IPN_SEQUENTIAL 0x400000
388#define IPN_PURGE 0x800000
389#define IPN_PROXYRULE 0x1000000
390#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_SIPRANGE|IPN_SPLIT|\
391 IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|IPN_NO|\
392 IPN_FRAG|IPN_STICKY|IPN_FIXEDDPORT|IPN_ICMPQUERY|\
393 IPN_DIPRANGE|IPN_SEQUENTIAL|IPN_PURGE)
394
395/*
396 * Values for in_redir
397 */
398#define NAT_MAP 0x01
399#define NAT_REDIRECT 0x02
400#define NAT_BIMAP (NAT_MAP|NAT_REDIRECT)
401#define NAT_MAPBLK 0x04
402#define NAT_REWRITE 0x08
403#define NAT_ENCAP 0x10
404#define NAT_DIVERTUDP 0x20
405
406#define MAPBLK_MINPORT 1024 /* don't use reserved ports for src port */
407#define USABLE_PORTS (65536 - MAPBLK_MINPORT)
408
409#define IPN_CMPSIZ (sizeof(ipnat_t) - offsetof(ipnat_t, in_v))
410
411typedef struct natlookup {
412 i6addr_t nl_inipaddr;
413 i6addr_t nl_outipaddr;
414 i6addr_t nl_realipaddr;
415 int nl_v;
416 int nl_flags;
417 u_short nl_inport;
418 u_short nl_outport;
419 u_short nl_realport;
420} natlookup_t;
421
422#define nl_inip nl_inipaddr.in4
423#define nl_outip nl_outipaddr.in4
424#define nl_realip nl_realipaddr.in4
425#define nl_inip6 nl_inipaddr.in6
426#define nl_outip6 nl_outipaddr.in6
427#define nl_realip6 nl_realipaddr.in6
428
429
430typedef struct nat_save {
431 void *ipn_next;
432 struct nat ipn_nat;
433 struct ipnat ipn_ipnat;
434 struct frentry ipn_fr;
435 int ipn_dsize;
436 char ipn_data[4];
437} nat_save_t;
438
439#define ipn_rule ipn_nat.nat_fr
440
441typedef struct natget {
442 void *ng_ptr;
443 int ng_sz;
444} natget_t;
445
446
447/*
448 * This structure gets used to help NAT sessions keep the same NAT rule (and
449 * thus translation for IP address) when:
450 * (a) round-robin redirects are in use
451 * (b) different IP add
452 */
453typedef struct hostmap {
454 struct hostmap *hm_hnext;
455 struct hostmap **hm_phnext;
456 struct hostmap *hm_next;
457 struct hostmap **hm_pnext;
458 struct ipnat *hm_ipnat;
459 i6addr_t hm_osrcip6;
460 i6addr_t hm_odstip6;
461 i6addr_t hm_nsrcip6;
462 i6addr_t hm_ndstip6;
463 u_32_t hm_port;
464 int hm_ref;
465 int hm_hv;
466 int hm_v;
467} hostmap_t;
468
469#define hm_osrcip hm_osrcip6.in4
470#define hm_odstip hm_odstip6.in4
471#define hm_nsrcip hm_nsrcip6.in4
472#define hm_ndstip hm_ndstip6.in4
473#define hm_osrc6 hm_osrcip6.in6
474#define hm_odst6 hm_odstip6.in6
475#define hm_nsrc6 hm_nsrcip6.in6
476#define hm_ndst6 hm_ndstip6.in6
477
478
479/*
480 * Structure used to pass information in to nat_newmap and nat_newrdr.
481 */
482typedef struct natinfo {
483 ipnat_t *nai_np;
484 u_32_t nai_sum1;
485 u_32_t nai_sum2;
486 struct in_addr nai_ip; /* In host byte order */
487 u_short nai_port;
488 u_short nai_nport;
489 u_short nai_sport;
490 u_short nai_dport;
491} natinfo_t;
492
493
494typedef struct nat_stat_side {
495 u_int *ns_bucketlen;
496 nat_t **ns_table;
497 u_long ns_added;
498 u_long ns_appr_fail;
499 u_long ns_badnat;
500 u_long ns_badnatnew;
501 u_long ns_badnextaddr;
502 u_long ns_bucket_max;
503 u_long ns_clone_nomem;
504 u_long ns_decap_bad;
505 u_long ns_decap_fail;
506 u_long ns_decap_pullup;
507 u_long ns_divert_dup;
508 u_long ns_divert_exist;
509 u_long ns_drop;
510 u_long ns_encap_dup;
511 u_long ns_encap_pullup;
512 u_long ns_exhausted;
513 u_long ns_icmp_address;
514 u_long ns_icmp_basic;
515 u_long ns_icmp_mbuf;
516 u_long ns_icmp_notfound;
517 u_long ns_icmp_rebuild;
518 u_long ns_icmp_short;
519 u_long ns_icmp_size;
520 u_long ns_ifpaddrfail;
521 u_long ns_ignored;
522 u_long ns_insert_fail;
523 u_long ns_inuse;
524 u_long ns_log;
525 u_long ns_lookup_miss;
526 u_long ns_lookup_nowild;
527 u_long ns_new_ifpaddr;
528 u_long ns_memfail;
529 u_long ns_table_max;
530 u_long ns_translated;
531 u_long ns_unfinalised;
532 u_long ns_wrap;
533 u_long ns_xlate_null;
534 u_long ns_xlate_exists;
535 u_long ns_ipf_proxy_fail;
536 u_long ns_uncreate[2];
537} nat_stat_side_t;
538
539
540typedef struct natstat {
541 nat_t *ns_instances;
542 ipnat_t *ns_list;
543 hostmap_t *ns_maplist;
544 hostmap_t **ns_maptable;
545 u_int ns_active;
546 u_long ns_addtrpnt;
547 u_long ns_divert_build;
548 u_long ns_expire;
549 u_long ns_flush_all;
550 u_long ns_flush_closing;
551 u_long ns_flush_queue;
552 u_long ns_flush_state;
553 u_long ns_flush_timeout;
554 u_long ns_hm_new;
555 u_long ns_hm_newfail;
556 u_long ns_hm_addref;
557 u_long ns_hm_nullnp;
558 u_long ns_log_ok;
559 u_long ns_log_fail;
560 u_int ns_hostmap_sz;
561 u_int ns_nattab_sz;
562 u_int ns_nattab_max;
563 u_int ns_orphans;
564 u_int ns_rules;
565 u_int ns_rules_map;
566 u_int ns_rules_rdr;
567 u_int ns_rultab_sz;
568 u_int ns_rdrtab_sz;
569 u_32_t ns_ticks;
570 u_int ns_trpntab_sz;
571 u_int ns_wilds;
572 u_long ns_proto[256];
573 nat_stat_side_t ns_side[2];
574 nat_stat_side_t ns_side6[2];
575} natstat_t;
576
577typedef struct natlog {
578 i6addr_t nl_osrcip;
579 i6addr_t nl_odstip;
580 i6addr_t nl_nsrcip;
581 i6addr_t nl_ndstip;
582 u_short nl_osrcport;
583 u_short nl_odstport;
584 u_short nl_nsrcport;
585 u_short nl_ndstport;
586 int nl_action;
587 int nl_type;
588 int nl_rule;
589 U_QUAD_T nl_pkts[2];
590 U_QUAD_T nl_bytes[2];
591 u_char nl_p[2];
592 u_char nl_v[2];
593 u_char nl_ifnames[2][LIFNAMSIZ];
594} natlog_t;
595
596
597#define NL_NEW 0
598#define NL_CLONE 1
599#define NL_PURGE 0xfffc
600#define NL_DESTROY 0xfffd
601#define NL_FLUSH 0xfffe
602#define NL_EXPIRE 0xffff
603
604#define NAT_HASH_FN(_k,_l,_m) (((_k) + ((_k) >> 12) + _l) % (_m))
605#define NAT_HASH_FN6(_k,_l,_m) ((((u_32_t *)(_k))[3] \
606 + (((u_32_t *)(_k))[3] >> 12) \
607 + (((u_32_t *)(_k))[2]) \
608 + (((u_32_t *)(_k))[2] >> 12) \
609 + (((u_32_t *)(_k))[1]) \
610 + (((u_32_t *)(_k))[1] >> 12) \
611 + (((u_32_t *)(_k))[0]) \
612 + (((u_32_t *)(_k))[0] >> 12) \
613 + _l) % (_m))
614
615#define LONG_SUM(_i) (((_i) & 0xffff) + ((_i) >> 16))
616#define LONG_SUM6(_i) (LONG_SUM(ntohl(((u_32_t *)(_i))[0])) + \
617 LONG_SUM(ntohl(((u_32_t *)(_i))[1])) + \
618 LONG_SUM(ntohl(((u_32_t *)(_i))[2])) + \
619 LONG_SUM(ntohl(((u_32_t *)(_i))[3])))
620
621#define CALC_SUMD(s1, s2, sd) { \
622 (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
623 (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
624 /* Do it twice */ \
625 (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
626 (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
627 /* Because ~1 == -2, We really need ~1 == -1 */ \
628 if ((s1) > (s2)) (s2)--; \
629 (sd) = (s2) - (s1); \
630 (sd) = ((sd) & 0xffff) + ((sd) >> 16); }
631
632#define NAT_SYSSPACE 0x80000000
633#define NAT_LOCKHELD 0x40000000
634
635/*
636 * This is present in ip_nat.h because it needs to be shared between
637 * ip_nat.c and ip_nat6.c
638 */
639typedef struct ipf_nat_softc_s {
640 ipfmutex_t ipf_nat_new;
641 ipfmutex_t ipf_nat_io;
642 int ipf_nat_doflush;
643 int ipf_nat_logging;
644 int ipf_nat_lock;
645 int ipf_nat_inited;
646 int ipf_nat_table_wm_high;
647 int ipf_nat_table_wm_low;
648 u_int ipf_nat_table_max;
649 u_int ipf_nat_table_sz;
650 u_int ipf_nat_maprules_sz;
651 u_int ipf_nat_rdrrules_sz;
652 u_int ipf_nat_hostmap_sz;
653 u_int ipf_nat_maxbucket;
654 u_int ipf_nat_last_force_flush;
655 u_int ipf_nat_defage;
656 u_int ipf_nat_defipage;
657 u_int ipf_nat_deficmpage;
658 ipf_v4_masktab_t ipf_nat_map_mask;
659 ipf_v6_masktab_t ipf_nat6_map_mask;
660 ipf_v4_masktab_t ipf_nat_rdr_mask;
661 ipf_v6_masktab_t ipf_nat6_rdr_mask;
662 nat_t **ipf_nat_table[2];
663 nat_t *ipf_nat_instances;
664 ipnat_t *ipf_nat_list;
665 ipnat_t **ipf_nat_list_tail;
666 ipnat_t **ipf_nat_map_rules;
667 ipnat_t **ipf_nat_rdr_rules;
668 ipftq_t *ipf_nat_utqe;
669 hostmap_t **ipf_hm_maptable ;
670 hostmap_t *ipf_hm_maplist ;
671 ipftuneable_t *ipf_nat_tune;
672 ipftq_t ipf_nat_udptq;
673 ipftq_t ipf_nat_udpacktq;
674 ipftq_t ipf_nat_icmptq;
675 ipftq_t ipf_nat_icmpacktq;
676 ipftq_t ipf_nat_iptq;
677 ipftq_t ipf_nat_pending;
678 ipftq_t ipf_nat_tcptq[IPF_TCP_NSTATES];
679 natstat_t ipf_nat_stats;
680} ipf_nat_softc_t ;
681
682#define ipf_nat_map_max ipf_nat_map_mask.imt4_max
683#define ipf_nat_rdr_max ipf_nat_rdr_mask.imt4_max
684#define ipf_nat6_map_max ipf_nat6_map_mask.imt6_max
685#define ipf_nat6_rdr_max ipf_nat6_rdr_mask.imt6_max
686#define ipf_nat_map_active_masks ipf_nat_map_mask.imt4_active
687#define ipf_nat_rdr_active_masks ipf_nat_rdr_mask.imt4_active
688#define ipf_nat6_map_active_masks ipf_nat6_map_mask.imt6_active
689#define ipf_nat6_rdr_active_masks ipf_nat6_rdr_mask.imt6_active
690
691extern frentry_t ipfnatblock;
692
693extern void ipf_fix_datacksum(u_short *, u_32_t);
694extern void ipf_fix_incksum(int, u_short *, u_32_t, u_32_t);
695extern void ipf_fix_outcksum(int, u_short *, u_32_t, u_32_t);
696
697extern int ipf_nat_checkin(fr_info_t *, u_32_t *);
698extern int ipf_nat_checkout(fr_info_t *, u_32_t *);
699extern void ipf_nat_delete(ipf_main_softc_t *, struct nat *, int);
700extern void ipf_nat_deref(ipf_main_softc_t *, nat_t **);
701extern void ipf_nat_expire(ipf_main_softc_t *);
702extern int ipf_nat_hashtab_add(ipf_main_softc_t *,
703 ipf_nat_softc_t *, nat_t *);
704extern void ipf_nat_hostmapdel(ipf_main_softc_t *, hostmap_t **);
705extern int ipf_nat_hostmap_rehash(ipf_main_softc_t *,
706 ipftuneable_t *, ipftuneval_t *);
707extern nat_t *ipf_nat_icmperrorlookup(fr_info_t *, int);
708extern nat_t *ipf_nat_icmperror(fr_info_t *, u_int *, int);
709#if defined(__OpenBSD__)
710extern void ipf_nat_ifdetach(void *);
711#endif
712extern int ipf_nat_init(void);
713extern nat_t *ipf_nat_inlookup(fr_info_t *, u_int, u_int,
714 struct in_addr, struct in_addr);
715extern int ipf_nat_in(fr_info_t *, nat_t *, int, u_32_t);
716extern int ipf_nat_insert(ipf_main_softc_t *, ipf_nat_softc_t *,
717 nat_t *);
718extern int ipf_nat_ioctl(ipf_main_softc_t *, void *, ioctlcmd_t,
719 int, int, void *);
720extern void ipf_nat_log(ipf_main_softc_t *, ipf_nat_softc_t *,
721 struct nat *, u_int);
722extern nat_t *ipf_nat_lookupredir(ipf_main_softc_t *, natlookup_t *);
723extern nat_t *ipf_nat_maplookup(void *, u_int, struct in_addr,
724 struct in_addr);
725extern nat_t *ipf_nat_add(fr_info_t *, ipnat_t *, nat_t **,
726 u_int, int);
727extern int ipf_nat_out(fr_info_t *, nat_t *, int, u_32_t);
728extern nat_t *ipf_nat_outlookup(fr_info_t *, u_int, u_int,
729 struct in_addr, struct in_addr);
730extern u_short *ipf_nat_proto(fr_info_t *, nat_t *, u_int);
731extern void ipf_nat_rule_deref(ipf_main_softc_t *, ipnat_t **);
732extern void ipf_nat_setqueue(ipf_main_softc_t *, ipf_nat_softc_t *,
733 nat_t *);
734extern void ipf_nat_setpending(ipf_main_softc_t *, nat_t *);
735extern nat_t *ipf_nat_tnlookup(fr_info_t *, int);
736extern void ipf_nat_update(fr_info_t *, nat_t *);
737extern frentry_t *ipf_nat_ipfin(fr_info_t *, u_32_t *);
738extern frentry_t *ipf_nat_ipfout(fr_info_t *, u_32_t *);
739extern int ipf_nat_in(fr_info_t *, nat_t *, int, u_32_t);
740extern int ipf_nat_out(fr_info_t *, nat_t *, int, u_32_t);
741extern int ipf_nat_rehash(ipf_main_softc_t *, ipftuneable_t *,
742 ipftuneval_t *);
743extern int ipf_nat_rehash_rules(ipf_main_softc_t *, ipftuneable_t *,
744 ipftuneval_t *);
745extern int ipf_nat_settimeout(struct ipf_main_softc_s *,
746 ipftuneable_t *, ipftuneval_t *);
747extern void ipf_nat_sync(ipf_main_softc_t *, void *);
748
749extern nat_t *ipf_nat_clone(fr_info_t *, nat_t *);
750extern void ipf_nat_delmap(ipf_nat_softc_t *, ipnat_t *);
751extern void ipf_nat_delrdr(ipf_nat_softc_t *, ipnat_t *);
752extern int ipf_nat_wildok(nat_t *, int, int, int, int);
753extern void ipf_nat_setlock(void *, int);
754extern void ipf_nat_load(void);
755extern void *ipf_nat_soft_create(ipf_main_softc_t *);
756extern int ipf_nat_soft_init(ipf_main_softc_t *, void *);
757extern void ipf_nat_soft_destroy(ipf_main_softc_t *, void *);
758extern int ipf_nat_soft_fini(ipf_main_softc_t *, void *);
759extern int ipf_nat_main_load(void);
760extern int ipf_nat_main_unload(void);
761extern ipftq_t *ipf_nat_add_tq(ipf_main_softc_t *, int);
762extern void ipf_nat_uncreate(fr_info_t *);
763
764#ifdef USE_INET6
765extern nat_t *ipf_nat6_add(fr_info_t *, ipnat_t *, nat_t **,
766 u_int, int);
767extern void ipf_nat6_addrdr(ipf_nat_softc_t *, ipnat_t *);
768extern void ipf_nat6_addmap(ipf_nat_softc_t *, ipnat_t *);
769extern int ipf_nat6_checkout(fr_info_t *, u_32_t *);
770extern int ipf_nat6_checkin(fr_info_t *, u_32_t *);
771extern void ipf_nat6_delmap(ipf_nat_softc_t *, ipnat_t *);
772extern void ipf_nat6_delrdr(ipf_nat_softc_t *, ipnat_t *);
773extern int ipf_nat6_finalise(fr_info_t *, nat_t *);
774extern nat_t *ipf_nat6_icmperror(fr_info_t *, u_int *, int);
775extern nat_t *ipf_nat6_icmperrorlookup(fr_info_t *, int);
776extern nat_t *ipf_nat6_inlookup(fr_info_t *, u_int, u_int,
777 struct in6_addr *, struct in6_addr *);
778extern u_32_t ipf_nat6_ip6subtract(i6addr_t *, i6addr_t *);
779extern frentry_t *ipf_nat6_ipfin(fr_info_t *, u_32_t *);
780extern frentry_t *ipf_nat6_ipfout(fr_info_t *, u_32_t *);
781extern nat_t *ipf_nat6_lookupredir(ipf_main_softc_t *, natlookup_t *);
782extern int ipf_nat6_newmap(fr_info_t *, nat_t *, natinfo_t *);
783extern int ipf_nat6_newrdr(fr_info_t *, nat_t *, natinfo_t *);
784extern nat_t *ipf_nat6_outlookup(fr_info_t *, u_int, u_int,
785 struct in6_addr *, struct in6_addr *);
786extern int ipf_nat6_newrewrite(fr_info_t *, nat_t *, natinfo_t *);
787extern int ipf_nat6_newdivert(fr_info_t *, nat_t *, natinfo_t *);
788extern int ipf_nat6_ruleaddrinit(ipf_main_softc_t *, ipf_nat_softc_t *, ipnat_t *);
789
790#endif
791
792
793#endif /* __IP_NAT_H__ */