![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to ip_nat.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Apple XNU] / XNU / bsd / netinet|
Return to ip_nat.c CVS log | Up to [Apple XNU] / XNU / bsd / netinet |
1.1 root 1: /*
2: * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
3: *
4: * @APPLE_LICENSE_HEADER_START@
5: *
6: * The contents of this file constitute Original Code as defined in and
7: * are subject to the Apple Public Source License Version 1.1 (the
8: * "License"). You may not use this file except in compliance with the
9: * License. Please obtain a copy of the License at
10: * http://www.apple.com/publicsource and read it before using this file.
11: *
12: * This Original Code and all software distributed under the License are
13: * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14: * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15: * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16: * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17: * License for the specific language governing rights and limitations
18: * under the License.
19: *
20: * @APPLE_LICENSE_HEADER_END@
21: */
22: /*
23: * Copyright (C) 1995-1997 by Darren Reed.
24: *
25: * Redistribution and use in source and binary forms are permitted
26: * provided that this notice is preserved and due credit is given
27: * to the original author and the contributors.
28: *
29: * Added redirect stuff and a LOT of bug fixes. ([email protected])
30: */
31: #if !defined(lint)
32: /* static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; */
33: #endif
34:
35: #include "opt_ipfilter.h"
36: #define __FreeBSD_version 300000 /* it's a hack, but close enough */
37:
38: #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
39: #define _KERNEL
40: #endif
41:
42: #if !defined(_KERNEL) && !defined(KERNEL)
43: # include <stdio.h>
44: # include <string.h>
45: # include <stdlib.h>
46: #endif
47: #include <sys/errno.h>
48: #include <sys/types.h>
49: #include <sys/param.h>
50: #include <sys/time.h>
51: #include <sys/file.h>
52: #if defined(KERNEL) && (__FreeBSD_version >= 220000)
53: # include <sys/filio.h>
54: # include <sys/fcntl.h>
55: #else
56: # include <sys/ioctl.h>
57: #endif
58: #include <sys/fcntl.h>
59: #include <sys/uio.h>
60: #ifndef linux
61: # include <sys/protosw.h>
62: #endif
63: #include <sys/socket.h>
64: #if defined(_KERNEL) && !defined(linux)
65: # include <sys/systm.h>
66: #endif
67: #if !defined(__SVR4) && !defined(__svr4__)
68: # ifndef linux
69: # include <sys/mbuf.h>
70: # endif
71: #else
72: # include <sys/filio.h>
73: # include <sys/byteorder.h>
74: # include <sys/dditypes.h>
75: # include <sys/stream.h>
76: # include <sys/kmem.h>
77: #endif
78: #if __FreeBSD_version >= 300000
79: # include <sys/queue.h>
80: # include <sys/malloc.h>
81: #endif
82: #include <net/if.h>
83: #if __FreeBSD_version >= 300000
84: # include <net/if_var.h>
85: #endif
86: #ifdef sun
87: #include <net/af.h>
88: #endif
89: #include <net/route.h>
90: #include <netinet/in.h>
91: #include <netinet/in_systm.h>
92: #include <netinet/ip.h>
93:
94: #ifdef __sgi
95: # ifdef IFF_DRVRLOCK /* IRIX6 */
96: #include <sys/hashing.h>
97: #include <netinet/in_var.h>
98: # endif
99: #endif
100:
101: #if RFC1825
102: #include <vpn/md5.h>
103: #include <vpn/ipsec.h>
104: extern struct ifnet vpnif;
105: #endif
106:
107: #ifndef linux
108: # include <netinet/ip_var.h>
109: #endif
110: #include <netinet/tcp.h>
111: #include <netinet/udp.h>
112: #include <netinet/ip_icmp.h>
113: #include "netinet/ip_compat.h"
114: #include <netinet/tcpip.h>
115: #include "netinet/ip_fil.h"
116: #include "netinet/ip_proxy.h"
117: #include "netinet/ip_nat.h"
118: #include "netinet/ip_frag.h"
119: #include "netinet/ip_state.h"
120: #ifndef MIN
121: #define MIN(a,b) (((a)<(b))?(a):(b))
122: #endif
123: #undef SOCKADDR_IN
124: #define SOCKADDR_IN struct sockaddr_in
125:
126: nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL;
127: static ipnat_t *nat_list = NULL;
128: u_long fr_defnatage = 1200, /* 10 minutes (600 seconds) */
129: fr_defnaticmpage = 6; /* 3 seconds */
130: static natstat_t nat_stats;
131: #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
132: extern kmutex_t ipf_nat;
133: #endif
134:
135: static int nat_flushtable __P((void));
136: static int nat_clearlist __P((void));
137: static void nat_delete __P((struct nat *));
138: static int nat_ifpaddr __P((nat_t *, void *, struct in_addr *));
139:
140:
141: #define LONG_SUM(in) (((in) & 0xffff) + ((in) >> 16))
142:
143: #define CALC_SUMD(s1, s2, sd) { \
144: /* Do it twice */ \
145: (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
146: (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
147: /* Do it twice */ \
148: (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
149: (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
150: /* Because ~1 == -2, We really need ~1 == -1 */ \
151: if ((s1) > (s2)) (s2)--; \
152: (sd) = (s2) - (s1); \
153: (sd) = ((sd) & 0xffff) + ((sd) >> 16); }
154:
155: void fix_outcksum(sp, n)
156: u_short *sp;
157: u_32_t n;
158: {
159: register u_short sumshort;
160: register u_32_t sum1;
161:
162: if (!n)
163: return;
164: sum1 = (~ntohs(*sp)) & 0xffff;
165: sum1 += (n);
166: sum1 = (sum1 >> 16) + (sum1 & 0xffff);
167: /* Again */
168: sum1 = (sum1 >> 16) + (sum1 & 0xffff);
169: sumshort = ~(u_short)sum1;
170: *(sp) = htons(sumshort);
171: }
172:
173:
174: void fix_incksum(sp, n)
175: u_short *sp;
176: u_32_t n;
177: {
178: register u_short sumshort;
179: register u_32_t sum1;
180:
181: if (!n)
182: return;
183: #if sparc
184: sum1 = (~(*sp)) & 0xffff;
185: #else
186: sum1 = (~ntohs(*sp)) & 0xffff;
187: #endif
188: sum1 += ~(n) & 0xffff;
189: sum1 = (sum1 >> 16) + (sum1 & 0xffff);
190: /* Again */
191: sum1 = (sum1 >> 16) + (sum1 & 0xffff);
192: sumshort = ~(u_short)sum1;
193: *(sp) = htons(sumshort);
194: }
195:
196:
197: /*
198: * How the NAT is organised and works.
199: *
200: * Inside (interface y) NAT Outside (interface x)
201: * -------------------- -+- -------------------------------------
202: * Packet going | out, processsed by ip_natout() for x
203: * ------------> | ------------>
204: * src=10.1.1.1 | src=192.1.1.1
205: * |
206: * | in, processed by ip_natin() for x
207: * <------------ | <------------
208: * dst=10.1.1.1 | dst=192.1.1.1
209: * -------------------- -+- -------------------------------------
210: * ip_natout() - changes ip_src and if required, sport
211: * - creates a new mapping, if required.
212: * ip_natin() - changes ip_dst and if required, dport
213: *
214: * In the NAT table, internal source is recorded as "in" and externally
215: * seen as "out".
216: */
217:
218: /*
219: * Handle ioctls which manipulate the NAT.
220: */
221: int nat_ioctl(data, cmd, mode)
222: #if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
223: u_long cmd;
224: #else
225: int cmd;
226: #endif
227: caddr_t data;
228: int mode;
229: {
230: register ipnat_t *nat, *n = NULL, **np = NULL;
231: ipnat_t natd;
232: int error = 0, ret;
233: #if defined(_KERNEL) && !SOLARIS
234: int s;
235: #endif
236:
237: nat = NULL; /* XXX gcc -Wuninitialized */
238:
239: /*
240: * For add/delete, look to see if the NAT entry is already present
241: */
242: SPL_NET(s);
243: MUTEX_ENTER(&ipf_nat);
244: if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
245: IRCOPY(data, (char *)&natd, sizeof(natd));
246: nat = &natd;
247: nat->in_inip &= nat->in_inmsk;
248: nat->in_outip &= nat->in_outmsk;
249: for (np = &nat_list; (n = *np); np = &n->in_next)
250: if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
251: IPN_CMPSIZ))
252: break;
253: }
254:
255: switch (cmd)
256: {
257: case SIOCADNAT :
258: if (!(mode & FWRITE)) {
259: error = EPERM;
260: break;
261: }
262: if (n) {
263: error = EEXIST;
264: break;
265: }
266: KMALLOC(n, ipnat_t *, sizeof(*n));
267: if (n == NULL) {
268: error = ENOMEM;
269: break;
270: }
271: bcopy((char *)nat, (char *)n, sizeof(*n));
272: n->in_ifp = (void *)GETUNIT(n->in_ifname);
273: if (!n->in_ifp)
274: n->in_ifp = (void *)-1;
275: n->in_apr = ap_match(n->in_p, n->in_plabel);
276: n->in_next = *np;
277: n->in_use = 0;
278: n->in_space = ~(0xffffffff & ntohl(n->in_outmsk));
279: if (n->in_space) /* lose 2: broadcast + network address */
280: n->in_space -= 2;
281: else
282: n->in_space = 1; /* single IP# mapping */
283: if ((n->in_outmsk != 0xffffffff) && n->in_outmsk)
284: n->in_nip = ntohl(n->in_outip) + 1;
285: else
286: n->in_nip = ntohl(n->in_outip);
287: if (n->in_redir & NAT_MAP) {
288: n->in_pnext = ntohs(n->in_pmin);
289: /*
290: * Multiply by the number of ports made available.
291: */
292: if (ntohs(n->in_pmax) > ntohs(n->in_pmin))
293: n->in_space *= (ntohs(n->in_pmax) -
294: ntohs(n->in_pmin));
295: }
296: /* Otherwise, these fields are preset */
297: *np = n;
298: nat_stats.ns_rules++;
299: break;
300: case SIOCRMNAT :
301: if (!(mode & FWRITE)) {
302: error = EPERM;
303: break;
304: }
305: if (!n) {
306: error = ESRCH;
307: break;
308: }
309: *np = n->in_next;
310: if (!n->in_use) {
311: if (n->in_apr)
312: ap_free(n->in_apr);
313: KFREE(n);
314: nat_stats.ns_rules--;
315: } else {
316: n->in_flags |= IPN_DELETE;
317: n->in_next = NULL;
318: }
319: break;
320: case SIOCGNATS :
321: nat_stats.ns_table[0] = nat_table[0];
322: nat_stats.ns_table[1] = nat_table[1];
323: nat_stats.ns_list = nat_list;
324: IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats));
325: break;
326: case SIOCGNATL :
327: {
328: natlookup_t nl;
329:
330: IRCOPY((char *)data, (char *)&nl, sizeof(nl));
331:
332: if (nat_lookupredir(&nl)) {
333: IWCOPY((char *)&nl, (char *)data, sizeof(nl));
334: } else
335: error = ESRCH;
336: break;
337: }
338: case SIOCFLNAT :
339: if (!(mode & FWRITE)) {
340: error = EPERM;
341: break;
342: }
343: ret = nat_flushtable();
344: (void) ap_unload();
345: IWCOPY((caddr_t)&ret, data, sizeof(ret));
346: break;
347: case SIOCCNATL :
348: if (!(mode & FWRITE)) {
349: error = EPERM;
350: break;
351: }
352: ret = nat_clearlist();
353: IWCOPY((caddr_t)&ret, data, sizeof(ret));
354: break;
355: case FIONREAD :
356: #if IPFILTER_LOG
357: IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data,
358: sizeof(iplused[IPL_LOGNAT]));
359: #endif
360: break;
361: }
362: MUTEX_EXIT(&ipf_nat);
363: SPL_X(s);
364: return error;
365: }
366:
367:
368: /*
369: * Delete a nat entry from the various lists and table.
370: */
371: static void nat_delete(natd)
372: struct nat *natd;
373: {
374: register struct nat **natp, *nat;
375: struct ipnat *ipn;
376:
377: for (natp = natd->nat_hstart[0]; (nat = *natp);
378: natp = &nat->nat_hnext[0])
379: if (nat == natd) {
380: *natp = nat->nat_hnext[0];
381: break;
382: }
383:
384: for (natp = natd->nat_hstart[1]; (nat = *natp);
385: natp = &nat->nat_hnext[1])
386: if (nat == natd) {
387: *natp = nat->nat_hnext[1];
388: break;
389: }
390:
391: /*
392: * If there is an active reference from the nat entry to its parent
393: * rule, decrement the rule's reference count and free it too if no
394: * longer being used.
395: */
396: if ((ipn = natd->nat_ptr)) {
397: ipn->in_space++;
398: ipn->in_use--;
399: if (!ipn->in_use && (ipn->in_flags & IPN_DELETE)) {
400: if (ipn->in_apr)
401: ap_free(ipn->in_apr);
402: KFREE(ipn);
403: nat_stats.ns_rules--;
404: }
405: }
406:
407: /*
408: * If there's a fragment table entry too for this nat entry, then
409: * dereference that as well.
410: */
411: ipfr_forget((void *)natd);
412: KFREE(natd);
413: }
414:
415:
416: /*
417: * nat_flushtable - clear the NAT table of all mapping entries.
418: */
419: static int nat_flushtable()
420: {
421: register nat_t *nat, **natp;
422: register int j = 0;
423:
424: /*
425: * Everything will be deleted, so lets just make it the deletions
426: * quicker.
427: */
428: bzero((char *)nat_table[0], sizeof(nat_table[0]));
429: bzero((char *)nat_table[1], sizeof(nat_table[1]));
430:
431: for (natp = &nat_instances; (nat = *natp); ) {
432: *natp = nat->nat_next;
433: nat_delete(nat);
434: j++;
435: }
436:
437: return j;
438: }
439:
440:
441: /*
442: * nat_clearlist - delete all entries in the active NAT mapping list.
443: */
444: static int nat_clearlist()
445: {
446: register ipnat_t *n, **np = &nat_list;
447: int i = 0;
448:
449: while ((n = *np)) {
450: *np = n->in_next;
451: if (!n->in_use) {
452: if (n->in_apr)
453: ap_free(n->in_apr);
454: KFREE(n);
455: nat_stats.ns_rules--;
456: i++;
457: } else {
458: n->in_flags |= IPN_DELETE;
459: n->in_next = NULL;
460: }
461: }
462: nat_stats.ns_inuse = 0;
463: return i;
464: }
465:
466:
467: /*
468: * return the first IP Address associated with an interface
469: */
470: static int nat_ifpaddr(nat, ifptr, inp)
471: nat_t *nat;
472: void *ifptr;
473: struct in_addr *inp;
474: {
475: #if SOLARIS
476: ill_t *ill = ifptr;
477: #else
478: struct ifnet *ifp = ifptr;
479: #endif
480: struct in_addr in;
481:
482: #if SOLARIS
483: in.s_addr = ntohl(ill->ill_ipif->ipif_local_addr);
484: #else /* SOLARIS */
485: # if linux
486: ;
487: # else /* linux */
488: struct ifaddr *ifa;
489: struct sockaddr_in *sin;
490:
491: # if (__FreeBSD_version >= 300000)
492: ifa = TAILQ_FIRST(&ifp->if_addrhead);
493: # else
494: # if defined(__NetBSD__) || defined(__OpenBSD__)
495: ifa = ifp->if_addrlist.tqh_first;
496: # else
497: # if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
498: ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa;
499: # else
500: ifa = ifp->if_addrlist;
501: # endif
502: # endif /* __NetBSD__ || __OpenBSD__ */
503: # endif /* __FreeBSD_version >= 300000 */
504: # if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK))
505: sin = (SOCKADDR_IN *)&ifa->ifa_addr;
506: # else
507: sin = (SOCKADDR_IN *)ifa->ifa_addr;
508: while (sin && ifa &&
509: sin->sin_family != AF_INET) {
510: # if (__FreeBSD_version >= 300000)
511: ifa = TAILQ_NEXT(ifa, ifa_link);
512: # else
513: # if defined(__NetBSD__) || defined(__OpenBSD__)
514: ifa = ifa->ifa_list.tqe_next;
515: # else
516: ifa = ifa->ifa_next;
517: # endif
518: # endif /* __FreeBSD_version >= 300000 */
519: if (ifa)
520: sin = (SOCKADDR_IN *)ifa->ifa_addr;
521: }
522: if (!ifa)
523: sin = NULL;
524: if (!sin) {
525: KFREE(nat);
526: return -1;
527: }
528: # endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */
529: in = sin->sin_addr;
530: in.s_addr = ntohl(in.s_addr);
531: # endif /* linux */
532: #endif /* SOLARIS */
533: *inp = in;
534: return 0;
535: }
536:
537:
538: /*
539: * Create a new NAT table entry.
540: */
541: nat_t *nat_new(np, ip, fin, flags, direction)
542: ipnat_t *np;
543: ip_t *ip;
544: fr_info_t *fin;
545: u_short flags;
546: int direction;
547: {
548: register u_32_t sum1, sum2, sumd, l;
549: u_short port = 0, sport = 0, dport = 0, nport = 0;
550: struct in_addr in;
551: tcphdr_t *tcp = NULL;
552: nat_t *nat, **natp;
553: u_short nflags;
554:
555: nflags = flags & np->in_flags;
556: if (flags & IPN_TCPUDP) {
557: tcp = (tcphdr_t *)fin->fin_dp;
558: sport = tcp->th_sport;
559: dport = tcp->th_dport;
560: }
561:
562: /* Give me a new nat */
563: KMALLOC(nat, nat_t *, sizeof(*nat));
564: if (nat == NULL)
565: return NULL;
566:
567: bzero((char *)nat, sizeof(*nat));
568: nat->nat_flags = flags;
569:
570: /*
571: * Search the current table for a match.
572: */
573: if (direction == NAT_OUTBOUND) {
574: /*
575: * If it's an outbound packet which doesn't match any existing
576: * record, then create a new port
577: */
578: l = 0;
579: do {
580: l++;
581: port = 0;
582: in.s_addr = np->in_nip;
583: if (!in.s_addr && (np->in_outmsk == 0xffffffff)) {
584: if ((l > 1) ||
585: nat_ifpaddr(nat, fin->fin_ifp, &in) == -1) {
586: KFREE(nat);
587: return NULL;
588: }
589: } else if (!in.s_addr && !np->in_outmsk) {
590: if (l > 1) {
591: KFREE(nat);
592: return NULL;
593: }
594: in.s_addr = ntohl(ip->ip_src.s_addr);
595: if (nflags & IPN_TCPUDP)
596: port = sport;
597: } else if (nflags & IPN_TCPUDP) {
598: port = htons(np->in_pnext++);
599: if (np->in_pnext >= ntohs(np->in_pmax)) {
600: np->in_pnext = ntohs(np->in_pmin);
601: np->in_space--;
602: if (np->in_outmsk != 0xffffffff)
603: np->in_nip++;
604: }
605: } else if (np->in_outmsk != 0xffffffff) {
606: np->in_space--;
607: np->in_nip++;
608: }
609:
610: if (!port && (flags & IPN_TCPUDP))
611: port = sport;
612: if ((np->in_nip & ntohl(np->in_outmsk)) >
613: ntohl(np->in_outip))
614: np->in_nip = ntohl(np->in_outip) + 1;
615: } while (nat_inlookup(fin->fin_ifp, flags, ip->ip_dst,
616: dport, in, port));
617:
618: /* Setup the NAT table */
619: nat->nat_inip = ip->ip_src;
620: nat->nat_outip.s_addr = htonl(in.s_addr);
621: nat->nat_oip = ip->ip_dst;
622:
623: sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) +
624: (ntohl(ip->ip_src.s_addr) >> 16) + ntohs(sport);
625:
626: sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(port);
627:
628: if (flags & IPN_TCPUDP) {
629: nat->nat_inport = sport;
630: nat->nat_outport = port;
631: nat->nat_oport = dport;
632: }
633: } else {
634:
635: /*
636: * Otherwise, it's an inbound packet. Most likely, we don't
637: * want to rewrite source ports and source addresses. Instead,
638: * we want to rewrite to a fixed internal address and fixed
639: * internal port.
640: */
641: in.s_addr = ntohl(np->in_inip);
642: if (!(nport = np->in_pnext))
643: nport = dport;
644:
645: nat->nat_inip.s_addr = htonl(in.s_addr);
646: nat->nat_outip = ip->ip_dst;
647: nat->nat_oip = ip->ip_src;
648:
649: sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) +
650: (ntohl(ip->ip_dst.s_addr) >> 16) + ntohs(dport);
651:
652: sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(nport);
653:
654: if (flags & IPN_TCPUDP) {
655: nat->nat_inport = nport;
656: nat->nat_outport = dport;
657: nat->nat_oport = sport;
658: }
659: }
660:
661: /* Do it twice */
662: sum1 = (sum1 & 0xffff) + (sum1 >> 16);
663: sum1 = (sum1 & 0xffff) + (sum1 >> 16);
664:
665: /* Do it twice */
666: sum2 = (sum2 & 0xffff) + (sum2 >> 16);
667: sum2 = (sum2 & 0xffff) + (sum2 >> 16);
668:
669: if (sum1 > sum2)
670: sum2--; /* Because ~1 == -2, We really need ~1 == -1 */
671: sumd = sum2 - sum1;
672: sumd = (sumd & 0xffff) + (sumd >> 16);
673: nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16);
674:
675: if ((flags & IPN_TCPUDP) && ((sport != port) || (dport != nport))) {
676: if (direction == NAT_OUTBOUND)
677: sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) +
678: (ntohl(ip->ip_src.s_addr) >> 16);
679: else
680: sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) +
681: (ntohl(ip->ip_dst.s_addr) >> 16);
682:
683: sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16);
684:
685: /* Do it twice */
686: sum1 = (sum1 & 0xffff) + (sum1 >> 16);
687: sum1 = (sum1 & 0xffff) + (sum1 >> 16);
688:
689: /* Do it twice */
690: sum2 = (sum2 & 0xffff) + (sum2 >> 16);
691: sum2 = (sum2 & 0xffff) + (sum2 >> 16);
692:
693: if (sum1 > sum2)
694: sum2--; /* Because ~1 == -2, We really need ~1 == -1 */
695: sumd = sum2 - sum1;
696: sumd = (sumd & 0xffff) + (sumd >> 16);
697: nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
698: } else
699: nat->nat_ipsumd = nat->nat_sumd;
700:
701: in.s_addr = htonl(in.s_addr);
702: nat->nat_next = nat_instances;
703: nat_instances = nat;
704: natp = &nat_table[0][nat->nat_inip.s_addr % NAT_SIZE];
705: nat->nat_hstart[0] = natp;
706: nat->nat_hnext[0] = *natp;
707: *natp = nat;
708: natp = &nat_table[1][nat->nat_outip.s_addr % NAT_SIZE];
709: nat->nat_hstart[1] = natp;
710: nat->nat_hnext[1] = *natp;
711: *natp = nat;
712: nat->nat_ptr = np;
713: nat->nat_bytes = 0;
714: nat->nat_pkts = 0;
715: nat->nat_ifp = fin->fin_ifp;
716: nat->nat_dir = direction;
717: if (direction == NAT_OUTBOUND) {
718: if (flags & IPN_TCPUDP)
719: tcp->th_sport = port;
720: } else {
721: if (flags & IPN_TCPUDP)
722: tcp->th_dport = nport;
723: }
724: nat_stats.ns_added++;
725: nat_stats.ns_inuse++;
726: np->in_use++;
727: return nat;
728: }
729:
730:
731: nat_t *nat_icmpinlookup(ip, fin)
732: ip_t *ip;
733: fr_info_t *fin;
734: {
735: icmphdr_t *icmp;
736: tcphdr_t *tcp = NULL;
737: ip_t *oip;
738: int flags = 0, type;
739:
740: icmp = (icmphdr_t *)fin->fin_dp;
741: /*
742: * Does it at least have the return (basic) IP header ?
743: * Only a basic IP header (no options) should be with an ICMP error
744: * header.
745: */
746: if ((ip->ip_hl != 5) || (ip->ip_len < sizeof(*icmp) + sizeof(ip_t)))
747: return NULL;
748: type = icmp->icmp_type;
749: /*
750: * If it's not an error type, then return.
751: */
752: if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
753: (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
754: (type != ICMP_PARAMPROB))
755: return NULL;
756:
757: oip = (ip_t *)((char *)fin->fin_dp + 8);
758: if (oip->ip_p == IPPROTO_TCP)
759: flags = IPN_TCP;
760: else if (oip->ip_p == IPPROTO_UDP)
761: flags = IPN_UDP;
762: if (flags & IPN_TCPUDP) {
763: tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
764: return nat_inlookup(fin->fin_ifp, flags, oip->ip_dst,
765: tcp->th_dport, oip->ip_src, tcp->th_sport);
766: }
767: return nat_inlookup(fin->fin_ifp, 0, oip->ip_src, 0, oip->ip_dst, 0);
768: }
769:
770:
771: /*
772: * This should *ONLY* be used for incoming packets to make sure a NAT'd ICMP
773: * packet gets correctly recognised.
774: */
775: nat_t *nat_icmpin(ip, fin, nflags)
776: ip_t *ip;
777: fr_info_t *fin;
778: int *nflags;
779: {
780: icmphdr_t *icmp;
781: nat_t *nat;
782: ip_t *oip;
783: int flags = 0;
784:
785: if (!(nat = nat_icmpinlookup(ip, fin)))
786: return NULL;
787:
788: *nflags = IPN_ICMPERR;
789: icmp = (icmphdr_t *)fin->fin_dp;
790: oip = (ip_t *)((char *)icmp + 8);
791: if (oip->ip_p == IPPROTO_TCP)
792: flags = IPN_TCP;
793: else if (oip->ip_p == IPPROTO_UDP)
794: flags = IPN_UDP;
795: /*
796: * Need to adjust ICMP header to include the real IP#'s and
797: * port #'s. Only apply a checksum change relative to the
798: * IP address change is it will be modified again in ip_natout
799: * for both address and port. Two checksum changes are
800: * necessary for the two header address changes. Be careful
801: * to only modify the checksum once for the port # and twice
802: * for the IP#.
803: */
804: if (flags & IPN_TCPUDP) {
805: tcphdr_t *tcp = (tcphdr_t *)(oip + 1);
806: u_32_t sum1, sum2, sumd;
807: struct in_addr in;
808:
809: if (nat->nat_dir == NAT_OUTBOUND) {
810: sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
811: in = nat->nat_outip;
812: oip->ip_src = in;
813: tcp->th_sport = nat->nat_outport;
814: } else {
815: sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr));
816: in = nat->nat_inip;
817: oip->ip_dst = in;
818: tcp->th_dport = nat->nat_inport;
819: }
820:
821: sum2 = LONG_SUM(in.s_addr);
822:
823: CALC_SUMD(sum1, sum2, sumd);
824: sumd = (sumd & 0xffff) + (sumd >> 16);
825:
826: if (nat->nat_dir == NAT_OUTBOUND) {
827: fix_incksum(&oip->ip_sum, sumd);
828: fix_incksum(&icmp->icmp_cksum, sumd);
829: } else {
830: fix_outcksum(&oip->ip_sum, sumd);
831: fix_outcksum(&icmp->icmp_cksum, sumd);
832: }
833:
834: /*
835: * TCP checksum doesn't make it into the 1st eight
836: * bytes but UDP does.
837: */
838: if (ip->ip_p == IPPROTO_UDP) {
839: udphdr_t *udp = (udphdr_t *)tcp;
840:
841: if (udp->uh_sum) {
842: if (nat->nat_dir == NAT_OUTBOUND)
843: fix_incksum(&udp->uh_sum,
844: nat->nat_sumd);
845: else
846: fix_outcksum(&udp->uh_sum,
847: nat->nat_sumd);
848: }
849: }
850: } else
851: ip->ip_dst = nat->nat_outip;
852: nat->nat_age = fr_defnaticmpage;
853: return nat;
854: }
855:
856:
857: /*
858: * NB: these lookups don't lock access to the list, it assume it has already
859: * been done!
860: */
861: /*
862: * Lookup a nat entry based on the mapped destination ip address/port and
863: * real source address/port. We use this lookup when receiving a packet,
864: * we're looking for a table entry, based on the destination address.
865: * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
866: */
867: #ifdef __STDC__
868: nat_t *nat_inlookup(void *ifp, int flags, struct in_addr src, u_short sport, struct in_addr mapdst, u_short mapdport)
869: #else
870: nat_t *nat_inlookup(ifp, flags, src, sport, mapdst, mapdport)
871: void *ifp;
872: register int flags;
873: struct in_addr src , mapdst;
874: u_short sport, mapdport;
875: #endif
876: {
877: register nat_t *nat;
878:
879: flags &= IPN_TCPUDP;
880:
881: nat = nat_table[1][mapdst.s_addr % NAT_SIZE];
882: for (; nat; nat = nat->nat_hnext[1])
883: if ((!ifp || ifp == nat->nat_ifp) &&
884: nat->nat_oip.s_addr == src.s_addr &&
885: nat->nat_outip.s_addr == mapdst.s_addr &&
886: flags == nat->nat_flags && (!flags ||
887: (nat->nat_oport == sport &&
888: nat->nat_outport == mapdport)))
889: return nat;
890: return NULL;
891: }
892:
893:
894: /*
895: * Lookup a nat entry based on the source 'real' ip address/port and
896: * destination address/port. We use this lookup when sending a packet out,
897: * we're looking for a table entry, based on the source address.
898: * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
899: */
900: #ifdef __STDC__
901: nat_t *nat_outlookup(void *ifp, int flags, struct in_addr src, u_short sport, struct in_addr dst, u_short dport)
902: #else
903: nat_t *nat_outlookup(ifp, flags, src, sport, dst, dport)
904: void *ifp;
905: register int flags;
906: struct in_addr src , dst;
907: u_short sport, dport;
908: #endif
909: {
910: register nat_t *nat;
911:
912: flags &= IPN_TCPUDP;
913:
914: nat = nat_table[0][src.s_addr % NAT_SIZE];
915: for (; nat; nat = nat->nat_hnext[0]) {
916: if ((!ifp || ifp == nat->nat_ifp) &&
917: nat->nat_inip.s_addr == src.s_addr &&
918: nat->nat_oip.s_addr == dst.s_addr &&
919: flags == nat->nat_flags && (!flags ||
920: (nat->nat_inport == sport && nat->nat_oport == dport)))
921: return nat;
922: }
923: return NULL;
924: }
925:
926:
927: /*
928: * Lookup a nat entry based on the mapped source ip address/port and
929: * real destination address/port. We use this lookup when sending a packet
930: * out, we're looking for a table entry, based on the source address.
931: */
932: #ifdef __STDC__
933: nat_t *nat_lookupmapip(void *ifp, int flags, struct in_addr mapsrc, u_short mapsport, struct in_addr dst, u_short dport)
934: #else
935: nat_t *nat_lookupmapip(ifp, flags, mapsrc, mapsport, dst, dport)
936: void *ifp;
937: register int flags;
938: struct in_addr mapsrc , dst;
939: u_short mapsport, dport;
940: #endif
941: {
942: register nat_t *nat;
943:
944: flags &= IPN_TCPUDP;
945:
946: nat = nat_table[1][mapsrc.s_addr % NAT_SIZE];
947: for (; nat; nat = nat->nat_hnext[0])
948: if ((!ifp || ifp == nat->nat_ifp) &&
949: nat->nat_oip.s_addr == dst.s_addr &&
950: nat->nat_outip.s_addr == mapsrc.s_addr &&
951: flags == nat->nat_flags && (!flags ||
952: (nat->nat_outport == mapsport &&
953: nat->nat_oport == dport)))
954: return nat;
955: return NULL;
956: }
957:
958:
959: /*
960: * Lookup the NAT tables to search for a matching redirect
961: */
962: nat_t *nat_lookupredir(np)
963: register natlookup_t *np;
964: {
965: nat_t *nat;
966:
967: /*
968: * If nl_inip is non null, this is a lookup based on the real
969: * ip address. Else, we use the fake.
970: */
971: if ((nat = nat_outlookup(NULL, np->nl_flags, np->nl_inip,
972: np->nl_inport, np->nl_outip,
973: np->nl_outport))) {
974: np->nl_realip = nat->nat_outip;
975: np->nl_realport = nat->nat_outport;
976: }
977: return nat;
978: }
979:
980:
981: /*
982: * Packets going out on the external interface go through this.
983: * Here, the source address requires alteration, if anything.
984: */
985: int ip_natout(ip, hlen, fin)
986: ip_t *ip;
987: int hlen;
988: fr_info_t *fin;
989: {
990: register ipnat_t *np;
991: register u_32_t ipa;
992: tcphdr_t *tcp = NULL;
993: u_short nflags = 0, sport = 0, dport = 0, *csump = NULL;
994: struct ifnet *ifp;
995: frentry_t *fr;
996: nat_t *nat;
997: int natadd = 1;
998:
999: if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) &&
1000: fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1)
1001: ifp = fr->fr_tif.fd_ifp;
1002: else
1003: ifp = fin->fin_ifp;
1004:
1005: if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
1006: if (ip->ip_p == IPPROTO_TCP)
1007: nflags = IPN_TCP;
1008: else if (ip->ip_p == IPPROTO_UDP)
1009: nflags = IPN_UDP;
1010: if (nflags) {
1011: tcp = (tcphdr_t *)fin->fin_dp;
1012: sport = tcp->th_sport;
1013: dport = tcp->th_dport;
1014: }
1015: }
1016:
1017: ipa = ip->ip_src.s_addr;
1018:
1019: MUTEX_ENTER(&ipf_nat);
1020: if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
1021: (nat = ipfr_nat_knownfrag(ip, fin)))
1022: natadd = 0;
1023: else if ((nat = nat_outlookup(ifp, nflags, ip->ip_src, sport,
1024: ip->ip_dst, dport)))
1025: ;
1026: else
1027: /*
1028: * If there is no current entry in the nat table for this IP#,
1029: * create one for it (if there is a matching rule).
1030: */
1031: for (np = nat_list; np; np = np->in_next)
1032: if ((np->in_ifp == ifp) && np->in_space &&
1033: (!np->in_flags || (np->in_flags & nflags)) &&
1034: ((ipa & np->in_inmsk) == np->in_inip) &&
1035: ((np->in_redir & NAT_MAP) ||
1036: (np->in_pnext == sport))) {
1037: if (*np->in_plabel && !ap_ok(ip, tcp, np))
1038: continue;
1039: /*
1040: * If it's a redirection, then we don't want to
1041: * create new outgoing port stuff.
1042: * Redirections are only for incoming
1043: * connections.
1044: */
1045: if (!(np->in_redir & NAT_MAP))
1046: continue;
1047: if ((nat = nat_new(np, ip, fin, nflags,
1048: NAT_OUTBOUND)))
1049: #if IPFILTER_LOG
1050: nat_log(nat, (u_short)np->in_redir);
1051: #else
1052: ;
1053: #endif
1054: break;
1055: }
1056:
1057: if (nat) {
1058: if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
1059: ipfr_nat_newfrag(ip, fin, 0, nat);
1060: nat->nat_age = fr_defnatage;
1061: ip->ip_src = nat->nat_outip;
1062: nat->nat_bytes += ip->ip_len;
1063: nat->nat_pkts++;
1064:
1065: /*
1066: * Fix up checksums, not by recalculating them, but
1067: * simply computing adjustments.
1068: */
1069: #if SOLARIS || defined(__sgi)
1070: if (nat->nat_dir == NAT_OUTBOUND)
1071: fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
1072: else
1073: fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
1074: #endif
1075:
1076: if (nflags && !(ip->ip_off & 0x1fff) &&
1077: !(fin->fin_fi.fi_fl & FI_SHORT)) {
1078:
1079: if (nat->nat_outport)
1080: tcp->th_sport = nat->nat_outport;
1081:
1082: if (ip->ip_p == IPPROTO_TCP) {
1083: csump = &tcp->th_sum;
1084: fr_tcp_age(&nat->nat_age,
1085: nat->nat_state, ip, fin,1);
1086: /*
1087: * Increase this because we may have
1088: * "keep state" following this too and
1089: * packet storms can occur if this is
1090: * removed too quickly.
1091: */
1092: if (nat->nat_age == fr_tcpclosed)
1093: nat->nat_age = fr_tcplastack;
1094: } else if (ip->ip_p == IPPROTO_UDP) {
1095: udphdr_t *udp = (udphdr_t *)tcp;
1096:
1097: if (udp->uh_sum)
1098: csump = &udp->uh_sum;
1099: } else if (ip->ip_p == IPPROTO_ICMP) {
1100: icmphdr_t *ic = (icmphdr_t *)tcp;
1101:
1102: csump = &ic->icmp_cksum;
1103: }
1104: if (csump) {
1105: if (nat->nat_dir == NAT_OUTBOUND)
1106: fix_outcksum(csump,
1107: nat->nat_sumd);
1108: else
1109: fix_incksum(csump,
1110: nat->nat_sumd);
1111: }
1112: }
1113: (void) ap_check(ip, tcp, fin, nat);
1114: nat_stats.ns_mapped[1]++;
1115: MUTEX_EXIT(&ipf_nat);
1116: return -2;
1117: }
1118: MUTEX_EXIT(&ipf_nat);
1119: return 0;
1120: }
1121:
1122:
1123: /*
1124: * Packets coming in from the external interface go through this.
1125: * Here, the destination address requires alteration, if anything.
1126: */
1127: int ip_natin(ip, hlen, fin)
1128: ip_t *ip;
1129: int hlen;
1130: fr_info_t *fin;
1131: {
1132: register ipnat_t *np;
1133: register struct in_addr in;
1134: struct ifnet *ifp = fin->fin_ifp;
1135: tcphdr_t *tcp = NULL;
1136: u_short sport = 0, dport = 0, *csump = NULL;
1137: nat_t *nat;
1138: int nflags = 0, natadd = 1;
1139:
1140: if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
1141: if (ip->ip_p == IPPROTO_TCP)
1142: nflags = IPN_TCP;
1143: else if (ip->ip_p == IPPROTO_UDP)
1144: nflags = IPN_UDP;
1145: if (nflags) {
1146: tcp = (tcphdr_t *)((char *)ip + hlen);
1147: dport = tcp->th_dport;
1148: sport = tcp->th_sport;
1149: }
1150: }
1151:
1152: in = ip->ip_dst;
1153:
1154: MUTEX_ENTER(&ipf_nat);
1155:
1156: if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmpin(ip, fin, &nflags)))
1157: ;
1158: else if ((ip->ip_off & IP_OFFMASK) &&
1159: (nat = ipfr_nat_knownfrag(ip, fin)))
1160: natadd = 0;
1161: else if ((nat = nat_inlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
1162: ip->ip_dst, dport)))
1163: ;
1164: else
1165: /*
1166: * If there is no current entry in the nat table for this IP#,
1167: * create one for it (if there is a matching rule).
1168: */
1169: for (np = nat_list; np; np = np->in_next)
1170: if ((np->in_ifp == ifp) &&
1171: (!np->in_flags || (nflags & np->in_flags)) &&
1172: ((in.s_addr & np->in_outmsk) == np->in_outip) &&
1173: (np->in_redir & NAT_REDIRECT) &&
1174: (!np->in_pmin || np->in_pmin == dport)) {
1175: if ((nat = nat_new(np, ip, fin, nflags,
1176: NAT_INBOUND)))
1177: #if IPFILTER_LOG
1178: nat_log(nat, (u_short)np->in_redir);
1179: #else
1180: ;
1181: #endif
1182: break;
1183: }
1184: if (nat) {
1185: if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
1186: ipfr_nat_newfrag(ip, fin, 0, nat);
1187: (void) ap_check(ip, tcp, fin, nat);
1188:
1189: if (nflags != IPN_ICMPERR)
1190: nat->nat_age = fr_defnatage;
1191:
1192: ip->ip_dst = nat->nat_inip;
1193: nat->nat_bytes += ip->ip_len;
1194: nat->nat_pkts++;
1195:
1196: /*
1197: * Fix up checksums, not by recalculating them, but
1198: * simply computing adjustments.
1199: */
1200: #if SOLARIS || defined(__sgi)
1201: if (nat->nat_dir == NAT_OUTBOUND)
1202: fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
1203: else
1204: fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
1205: #endif
1206: if ((nflags & IPN_TCPUDP) && !(ip->ip_off & 0x1fff) &&
1207: !(fin->fin_fi.fi_fl & FI_SHORT)) {
1208:
1209: if (nat->nat_inport)
1210: tcp->th_dport = nat->nat_inport;
1211:
1212: if (ip->ip_p == IPPROTO_TCP) {
1213: csump = &tcp->th_sum;
1214: fr_tcp_age(&nat->nat_age,
1215: nat->nat_state, ip, fin,0);
1216: /*
1217: * Increase this because we may have
1218: * "keep state" following this too and
1219: * packet storms can occur if this is
1220: * removed too quickly.
1221: */
1222: if (nat->nat_age == fr_tcpclosed)
1223: nat->nat_age = fr_tcplastack;
1224: } else if (ip->ip_p == IPPROTO_UDP) {
1225: udphdr_t *udp = (udphdr_t *)tcp;
1226:
1227: if (udp->uh_sum)
1228: csump = &udp->uh_sum;
1229: } else if (ip->ip_p == IPPROTO_ICMP) {
1230: icmphdr_t *ic = (icmphdr_t *)tcp;
1231:
1232: csump = &ic->icmp_cksum;
1233: }
1234: if (csump) {
1235: if (nat->nat_dir == NAT_OUTBOUND)
1236: fix_incksum(csump,
1237: nat->nat_sumd);
1238: else
1239: fix_outcksum(csump,
1240: nat->nat_sumd);
1241: }
1242: }
1243: nat_stats.ns_mapped[0]++;
1244: MUTEX_EXIT(&ipf_nat);
1245: return -2;
1246: }
1247: MUTEX_EXIT(&ipf_nat);
1248: return 0;
1249: }
1250:
1251:
1252: /*
1253: * Free all memory used by NAT structures allocated at runtime.
1254: */
1255: void ip_natunload()
1256: {
1257: MUTEX_ENTER(&ipf_nat);
1258: (void) nat_clearlist();
1259: (void) nat_flushtable();
1260: (void) ap_unload();
1261: MUTEX_EXIT(&ipf_nat);
1262: }
1263:
1264:
1265: /*
1266: * Slowly expire held state for NAT entries. Timeouts are set in
1267: * expectation of this being called twice per second.
1268: */
1269: void ip_natexpire()
1270: {
1271: register struct nat *nat, **natp;
1272: #if defined(_KERNEL) && !SOLARIS
1273: int s;
1274: #endif
1275:
1276: SPL_NET(s);
1277: MUTEX_ENTER(&ipf_nat);
1278: for (natp = &nat_instances; (nat = *natp); ) {
1279: if (--nat->nat_age) {
1280: natp = &nat->nat_next;
1281: continue;
1282: }
1283: *natp = nat->nat_next;
1284: #if IPFILTER_LOG
1285: nat_log(nat, NL_EXPIRE);
1286: #endif
1287: nat_delete(nat);
1288: nat_stats.ns_expire++;
1289: }
1290:
1291: ap_expire();
1292:
1293: MUTEX_EXIT(&ipf_nat);
1294: SPL_X(s);
1295: }
1296:
1297:
1298: /*
1299: */
1300: #ifdef __STDC__
1301: void ip_natsync(void *ifp)
1302: #else
1303: void ip_natsync(ifp)
1304: void *ifp;
1305: #endif
1306: {
1307: register nat_t *nat;
1308: register u_32_t sum1, sum2, sumd;
1309: struct in_addr in;
1310: ipnat_t *np;
1311: #if defined(_KERNEL) && !SOLARIS
1312: int s;
1313: #endif
1314:
1315: SPL_NET(s);
1316: MUTEX_ENTER(&ipf_nat);
1317: for (nat = nat_instances; nat; nat = nat->nat_next)
1318: if ((ifp == nat->nat_ifp) && (np = nat->nat_ptr))
1319: if ((np->in_outmsk == 0xffffffff) && !np->in_nip) {
1320: /*
1321: * Change the map-to address to be the same
1322: * as the new one.
1323: */
1324: sum1 = nat->nat_outip.s_addr;
1325: if (nat_ifpaddr(nat, ifp, &in) == -1)
1326: nat->nat_outip.s_addr = htonl(in.s_addr);
1327: sum2 = nat->nat_outip.s_addr;
1328:
1329: /*
1330: * Readjust the checksum adjustment to take
1331: * into account the new IP#.
1332: *
1333: * Do it twice
1334: */
1335: sum1 = (sum1 & 0xffff) + (sum1 >> 16);
1336: sum1 = (sum1 & 0xffff) + (sum1 >> 16);
1337:
1338: /* Do it twice */
1339: sum2 = (sum2 & 0xffff) + (sum2 >> 16);
1340: sum2 = (sum2 & 0xffff) + (sum2 >> 16);
1341:
1342: /* Because ~1 == -2, We really need ~1 == -1 */
1343: if (sum1 > sum2)
1344: sum2--;
1345: sumd = sum2 - sum1;
1346: sumd = (sumd & 0xffff) + (sumd >> 16);
1347: sumd += nat->nat_sumd;
1348: nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16);
1349: }
1350: MUTEX_EXIT(&ipf_nat);
1351: SPL_X(s);
1352: }
1353:
1354:
1355: #if IPFILTER_LOG
1356: # ifdef __STDC__
1357: void nat_log(struct nat *nat, u_short type)
1358: # else
1359: void nat_log(nat, type)
1360: struct nat *nat;
1361: u_short type;
1362: # endif
1363: {
1364: struct ipnat *np;
1365: struct natlog natl;
1366: void *items[1];
1367: size_t sizes[1];
1368: int rulen, types[1];
1369:
1370: natl.nl_inip = nat->nat_inip;
1371: natl.nl_outip = nat->nat_outip;
1372: natl.nl_origip = nat->nat_oip;
1373: natl.nl_bytes = nat->nat_bytes;
1374: natl.nl_pkts = nat->nat_pkts;
1375: natl.nl_origport = nat->nat_oport;
1376: natl.nl_inport = nat->nat_inport;
1377: natl.nl_outport = nat->nat_outport;
1378: natl.nl_type = type;
1379: natl.nl_rule = -1;
1380: if (nat->nat_ptr) {
1381: for (rulen = 0, np = nat_list; np; np = np->in_next, rulen++)
1382: if (np == nat->nat_ptr) {
1383: natl.nl_rule = rulen;
1384: break;
1385: }
1386: }
1387: items[0] = &natl;
1388: sizes[0] = sizeof(natl);
1389: types[0] = 0;
1390:
1391: (void) ipllog(IPL_LOGNAT, 0, items, sizes, types, 1);
1392: }
1393: #endif
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.