13b9b51feSCy Schubert 23b9b51feSCy Schubert /* 33b9b51feSCy Schubert * Copyright (C) 2012 by Darren Reed. 43b9b51feSCy Schubert * 53b9b51feSCy Schubert * See the IPFILTER.LICENCE file for details on licencing. 63b9b51feSCy Schubert * Id: ip_nat.h,v 2.90.2.20 2007/09/25 08:27:32 darrenr Exp $ 73b9b51feSCy Schubert */ 83b9b51feSCy Schubert 93b9b51feSCy Schubert #ifndef __IP_NAT_H__ 103b9b51feSCy Schubert #define __IP_NAT_H__ 113b9b51feSCy Schubert 123b9b51feSCy Schubert #ifndef SOLARIS 133b9b51feSCy Schubert # if defined(sun) && defined(__SVR4) 143b9b51feSCy Schubert # define SOLARIS 1 153b9b51feSCy Schubert # else 163b9b51feSCy Schubert # define SOLARIS 0 173b9b51feSCy Schubert # endif 183b9b51feSCy Schubert #endif 193b9b51feSCy Schubert 203b9b51feSCy Schubert #define SIOCADNAT _IOW('r', 60, struct ipfobj) 213b9b51feSCy Schubert #define SIOCRMNAT _IOW('r', 61, struct ipfobj) 223b9b51feSCy Schubert #define SIOCGNATS _IOWR('r', 62, struct ipfobj) 233b9b51feSCy Schubert #define SIOCGNATL _IOWR('r', 63, struct ipfobj) 243b9b51feSCy Schubert #define SIOCPURGENAT _IOWR('r', 100, struct ipfobj) 253b9b51feSCy Schubert 263b9b51feSCy Schubert #undef LARGE_NAT /* define this if you're setting up a system to NAT 273b9b51feSCy Schubert * LARGE numbers of networks/hosts - i.e. in the 283b9b51feSCy Schubert * hundreds or thousands. In such a case, you should 293b9b51feSCy Schubert * also change the RDR_SIZE and NAT_SIZE below to more 303b9b51feSCy Schubert * appropriate sizes. The figures below were used for 313b9b51feSCy Schubert * a setup with 1000-2000 networks to NAT. 323b9b51feSCy Schubert */ 333b9b51feSCy Schubert #ifdef NAT_SIZE 343b9b51feSCy Schubert # define NAT_SIZE_LARGE NAT_SIZE 353b9b51feSCy Schubert # define NAT_SIZE_NORMAL NAT_SIZE 363b9b51feSCy Schubert #else 373b9b51feSCy Schubert # define NAT_SIZE_LARGE 2047 383b9b51feSCy Schubert # define NAT_SIZE_NORMAL 127 393b9b51feSCy Schubert #endif 403b9b51feSCy Schubert #ifdef RDR_SIZE 413b9b51feSCy Schubert # define RDR_SIZE_LARGE RDR_SIZE 423b9b51feSCy Schubert # define RDR_SIZE_NORMAL RDR_SIZE 433b9b51feSCy Schubert #else 443b9b51feSCy Schubert # define RDR_SIZE_LARGE 2047 453b9b51feSCy Schubert # define RDR_SIZE_NORMAL 127 463b9b51feSCy Schubert #endif 473b9b51feSCy Schubert #ifdef HOSTMAP_SIZE 483b9b51feSCy Schubert # define HOSTMAP_SIZE_LARGE HOSTMAP_SIZE 493b9b51feSCy Schubert # define HOSTMAP_SIZE_NORMAL HOSTMAP_SIZE 503b9b51feSCy Schubert #else 513b9b51feSCy Schubert # define HOSTMAP_SIZE_LARGE 8191 523b9b51feSCy Schubert # define HOSTMAP_SIZE_NORMAL 2047 533b9b51feSCy Schubert #endif 543b9b51feSCy Schubert /* 553b9b51feSCy Schubert * This is newly introduced and for the sake of "least surprise", the numbers 563b9b51feSCy Schubert * present aren't what we'd normally use for creating a proper hash table. 573b9b51feSCy Schubert */ 583b9b51feSCy Schubert #ifdef NAT_TABLE_MAX 593b9b51feSCy Schubert # define NAT_TABLE_MAX_LARGE NAT_TABLE_MAX 603b9b51feSCy Schubert # define NAT_TABLE_MAX_NORMAL NAT_TABLE_MAX 613b9b51feSCy Schubert #else 623b9b51feSCy Schubert # define NAT_TABLE_MAX_LARGE 180000 633b9b51feSCy Schubert # define NAT_TABLE_MAX_NORMAL 30000 643b9b51feSCy Schubert #endif 653b9b51feSCy Schubert #ifdef NAT_TABLE_SZ 663b9b51feSCy Schubert # define NAT_TABLE_SZ_LARGE NAT_TABLE_SZ 673b9b51feSCy Schubert # define NAT_TABLE_SZ_NORMAL NAT_TABLE_SZ 683b9b51feSCy Schubert #else 693b9b51feSCy Schubert # define NAT_TABLE_SZ_LARGE 16383 703b9b51feSCy Schubert # define NAT_TABLE_SZ_NORMAL 2047 713b9b51feSCy Schubert #endif 723b9b51feSCy Schubert #ifndef APR_LABELLEN 733b9b51feSCy Schubert #define APR_LABELLEN 16 743b9b51feSCy Schubert #endif 753b9b51feSCy Schubert #define NAT_HW_CKSUM 0x80000000 763b9b51feSCy Schubert #define NAT_HW_CKSUM_PART 0x40000000 773b9b51feSCy Schubert 783b9b51feSCy Schubert #define DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */ 793b9b51feSCy Schubert 803b9b51feSCy Schubert struct ipstate; 813b9b51feSCy Schubert struct ap_session; 823b9b51feSCy Schubert 833b9b51feSCy Schubert /* 843b9b51feSCy Schubert * This structure is used in the active NAT table and represents an 853b9b51feSCy Schubert * active NAT session. 863b9b51feSCy Schubert */ 873b9b51feSCy Schubert typedef struct nat { 883b9b51feSCy Schubert ipfmutex_t nat_lock; 893b9b51feSCy Schubert struct nat *nat_next; 903b9b51feSCy Schubert struct nat **nat_pnext; 913b9b51feSCy Schubert struct nat *nat_hnext[2]; 923b9b51feSCy Schubert struct nat **nat_phnext[2]; 933b9b51feSCy Schubert struct hostmap *nat_hm; 943b9b51feSCy Schubert void *nat_data; 953b9b51feSCy Schubert struct nat **nat_me; 963b9b51feSCy Schubert struct ipstate *nat_state; 973b9b51feSCy Schubert struct ap_session *nat_aps; /* proxy session */ 983b9b51feSCy Schubert frentry_t *nat_fr; /* filter rule ptr if appropriate */ 993b9b51feSCy Schubert struct ipnat *nat_ptr; /* pointer back to the rule */ 1003b9b51feSCy Schubert void *nat_ifps[2]; 1013b9b51feSCy Schubert void *nat_sync; 1023b9b51feSCy Schubert ipftqent_t nat_tqe; 1033b9b51feSCy Schubert int nat_mtu[2]; 1043b9b51feSCy Schubert u_32_t nat_flags; 1053b9b51feSCy Schubert u_32_t nat_sumd[2]; /* ip checksum delta for data segment*/ 1063b9b51feSCy Schubert u_32_t nat_ipsumd; /* ip checksum delta for ip header */ 1073b9b51feSCy Schubert u_32_t nat_mssclamp; /* if != zero clamp MSS to this */ 1083b9b51feSCy Schubert i6addr_t nat_odst6; 1093b9b51feSCy Schubert i6addr_t nat_osrc6; 1103b9b51feSCy Schubert i6addr_t nat_ndst6; 1113b9b51feSCy Schubert i6addr_t nat_nsrc6; 1123b9b51feSCy Schubert U_QUAD_T nat_pkts[2]; 1133b9b51feSCy Schubert U_QUAD_T nat_bytes[2]; 1143b9b51feSCy Schubert union { 1153b9b51feSCy Schubert udpinfo_t nat_unu; 1163b9b51feSCy Schubert tcpinfo_t nat_unt; 1173b9b51feSCy Schubert icmpinfo_t nat_uni; 1183b9b51feSCy Schubert greinfo_t nat_ugre; 1193b9b51feSCy Schubert } nat_unold, nat_unnew; 1203b9b51feSCy Schubert int nat_use; 1213b9b51feSCy Schubert int nat_pr[2]; /* protocol for NAT */ 1223b9b51feSCy Schubert int nat_dir; 1233b9b51feSCy Schubert int nat_ref; /* reference count */ 1243b9b51feSCy Schubert u_int nat_hv[2]; 1253b9b51feSCy Schubert char nat_ifnames[2][LIFNAMSIZ]; 1263b9b51feSCy Schubert int nat_rev; /* 0 = forward, 1 = reverse */ 1273b9b51feSCy Schubert int nat_dlocal; 1283b9b51feSCy Schubert int nat_v[2]; /* 0 = old, 1 = new */ 1293b9b51feSCy Schubert u_int nat_redir; /* copy of in_redir */ 1303b9b51feSCy Schubert } nat_t; 1313b9b51feSCy Schubert 1323b9b51feSCy Schubert #define nat_osrcip nat_osrc6.in4 1333b9b51feSCy Schubert #define nat_odstip nat_odst6.in4 1343b9b51feSCy Schubert #define nat_nsrcip nat_nsrc6.in4 1353b9b51feSCy Schubert #define nat_ndstip nat_ndst6.in4 1363b9b51feSCy Schubert #define nat_osrcaddr nat_osrc6.in4.s_addr 1373b9b51feSCy Schubert #define nat_odstaddr nat_odst6.in4.s_addr 1383b9b51feSCy Schubert #define nat_nsrcaddr nat_nsrc6.in4.s_addr 1393b9b51feSCy Schubert #define nat_ndstaddr nat_ndst6.in4.s_addr 1403b9b51feSCy Schubert #define nat_age nat_tqe.tqe_die 1413b9b51feSCy Schubert #define nat_osport nat_unold.nat_unt.ts_sport 1423b9b51feSCy Schubert #define nat_odport nat_unold.nat_unt.ts_dport 1433b9b51feSCy Schubert #define nat_nsport nat_unnew.nat_unt.ts_sport 1443b9b51feSCy Schubert #define nat_ndport nat_unnew.nat_unt.ts_dport 1453b9b51feSCy Schubert #define nat_oicmpid nat_unold.nat_uni.ici_id 1463b9b51feSCy Schubert #define nat_nicmpid nat_unnew.nat_uni.ici_id 1473b9b51feSCy Schubert #define nat_type nat_unold.nat_uni.ici_type 1483b9b51feSCy Schubert #define nat_oseq nat_unold.nat_uni.ici_seq 1493b9b51feSCy Schubert #define nat_nseq nat_unnew.nat_uni.ici_seq 1503b9b51feSCy Schubert #define nat_tcpstate nat_tqe.tqe_state 1513b9b51feSCy Schubert #define nat_die nat_tqe.tqe_die 1523b9b51feSCy Schubert #define nat_touched nat_tqe.tqe_touched 1533b9b51feSCy Schubert 1543b9b51feSCy Schubert /* 1553b9b51feSCy Schubert * Values for nat_dir 1563b9b51feSCy Schubert */ 1573b9b51feSCy Schubert #define NAT_INBOUND 0 1583b9b51feSCy Schubert #define NAT_OUTBOUND 1 1593b9b51feSCy Schubert #define NAT_ENCAPIN 2 1603b9b51feSCy Schubert #define NAT_ENCAPOUT 3 1613b9b51feSCy Schubert #define NAT_DIVERTIN 4 1623b9b51feSCy Schubert #define NAT_DIVERTOUT 5 1633b9b51feSCy Schubert 1643b9b51feSCy Schubert /* 1653b9b51feSCy Schubert * Definitions for nat_flags 1663b9b51feSCy Schubert */ 1673b9b51feSCy Schubert #define NAT_TCP 0x0001 /* IPN_TCP */ 1683b9b51feSCy Schubert #define NAT_UDP 0x0002 /* IPN_UDP */ 1693b9b51feSCy Schubert #define NAT_ICMPERR 0x0004 /* IPN_ICMPERR */ 1703b9b51feSCy Schubert #define NAT_ICMPQUERY 0x0008 /* IPN_ICMPQUERY */ 1713b9b51feSCy Schubert #define NAT_SEARCH 0x0010 1723b9b51feSCy Schubert #define NAT_SLAVE 0x0020 /* Slave connection for a proxy */ 1733b9b51feSCy Schubert #define NAT_NOTRULEPORT 0x0040 /* Don't use the port # in the NAT rule */ 1743b9b51feSCy Schubert 1753b9b51feSCy Schubert #define NAT_TCPUDP (NAT_TCP|NAT_UDP) 1763b9b51feSCy Schubert #define NAT_TCPUDPICMP (NAT_TCP|NAT_UDP|NAT_ICMPERR) 1773b9b51feSCy Schubert #define NAT_TCPUDPICMPQ (NAT_TCP|NAT_UDP|NAT_ICMPQUERY) 1783b9b51feSCy Schubert #define NAT_FROMRULE (NAT_TCP|NAT_UDP) 1793b9b51feSCy Schubert 1803b9b51feSCy Schubert /* 0x0100 reserved for FI_W_SPORT */ 1813b9b51feSCy Schubert /* 0x0200 reserved for FI_W_DPORT */ 1823b9b51feSCy Schubert /* 0x0400 reserved for FI_W_SADDR */ 1833b9b51feSCy Schubert /* 0x0800 reserved for FI_W_DADDR */ 1843b9b51feSCy Schubert /* 0x1000 reserved for FI_W_NEWFR */ 1853b9b51feSCy Schubert /* 0x2000 reserved for SI_CLONE */ 1863b9b51feSCy Schubert /* 0x4000 reserved for SI_CLONED */ 1873b9b51feSCy Schubert /* 0x8000 reserved for SI_IGNOREPKT */ 1883b9b51feSCy Schubert 1893b9b51feSCy Schubert #define NAT_DEBUG 0x800000 1903b9b51feSCy Schubert 1913b9b51feSCy Schubert typedef struct nat_addr_s { 1923b9b51feSCy Schubert i6addr_t na_addr[2]; 1933b9b51feSCy Schubert i6addr_t na_nextaddr; 1943b9b51feSCy Schubert int na_atype; 1953b9b51feSCy Schubert int na_function; 1963b9b51feSCy Schubert } nat_addr_t; 1973b9b51feSCy Schubert 1983b9b51feSCy Schubert #define na_nextip na_nextaddr.in4.s_addr 1993b9b51feSCy Schubert #define na_nextip6 na_nextaddr.in6 2003b9b51feSCy Schubert #define na_num na_addr[0].iplookupnum 2013b9b51feSCy Schubert #define na_type na_addr[0].iplookuptype 2023b9b51feSCy Schubert #define na_subtype na_addr[0].iplookupsubtype 2033b9b51feSCy Schubert #define na_ptr na_addr[1].iplookupptr 2043b9b51feSCy Schubert #define na_func na_addr[1].iplookupfunc 2053b9b51feSCy Schubert 2063b9b51feSCy Schubert 2073b9b51feSCy Schubert /* 2083b9b51feSCy Schubert * This structure represents an actual NAT rule, loaded by ipnat. 2093b9b51feSCy Schubert */ 2103b9b51feSCy Schubert typedef struct ipnat { 2113b9b51feSCy Schubert ipfmutex_t in_lock; 2123b9b51feSCy Schubert struct ipnat *in_next; /* NAT rule list next */ 2133b9b51feSCy Schubert struct ipnat **in_pnext; /* prior rdr next ptr */ 2143b9b51feSCy Schubert struct ipnat *in_rnext; /* rdr rule hash next */ 2153b9b51feSCy Schubert struct ipnat **in_prnext; /* prior rdr next ptr */ 2163b9b51feSCy Schubert struct ipnat *in_mnext; /* map rule hash next */ 2173b9b51feSCy Schubert struct ipnat **in_pmnext; /* prior map next ptr */ 2183b9b51feSCy Schubert struct ipftq *in_tqehead[2]; 2193b9b51feSCy Schubert void *in_ifps[2]; 2203b9b51feSCy Schubert void *in_apr; 2213b9b51feSCy Schubert char *in_comment; 2223b9b51feSCy Schubert mb_t *in_divmp; 2233b9b51feSCy Schubert void *in_pconf; 2243b9b51feSCy Schubert U_QUAD_T in_pkts[2]; 2253b9b51feSCy Schubert U_QUAD_T in_bytes[2]; 2263b9b51feSCy Schubert u_long in_space; 2273b9b51feSCy Schubert u_long in_hits; 2283b9b51feSCy Schubert int in_size; 2293b9b51feSCy Schubert int in_use; 2303b9b51feSCy Schubert u_int in_hv[2]; 2313b9b51feSCy Schubert int in_flineno; /* conf. file line number */ 2323b9b51feSCy Schubert int in_stepnext; 2333b9b51feSCy Schubert int in_dlocal; 2343b9b51feSCy Schubert u_short in_dpnext; 2353b9b51feSCy Schubert u_short in_spnext; 2363b9b51feSCy Schubert /* From here to the end is covered by IPN_CMPSIZ */ 2373b9b51feSCy Schubert u_char in_v[2]; /* 0 = old, 1 = new */ 2383b9b51feSCy Schubert u_32_t in_flags; 2393b9b51feSCy Schubert u_32_t in_mssclamp; /* if != 0 clamp MSS to this */ 2403b9b51feSCy Schubert u_int in_age[2]; 2413b9b51feSCy Schubert int in_redir; /* see below for values */ 2423b9b51feSCy Schubert int in_pr[2]; /* protocol. */ 2433b9b51feSCy Schubert nat_addr_t in_ndst; 2443b9b51feSCy Schubert nat_addr_t in_nsrc; 2453b9b51feSCy Schubert nat_addr_t in_osrc; 2463b9b51feSCy Schubert nat_addr_t in_odst; 2473b9b51feSCy Schubert frtuc_t in_tuc; 2483b9b51feSCy Schubert u_short in_ppip; /* ports per IP. */ 2493b9b51feSCy Schubert u_short in_ippip; /* IP #'s per IP# */ 2503b9b51feSCy Schubert u_short in_ndports[2]; 2513b9b51feSCy Schubert u_short in_nsports[2]; 2523b9b51feSCy Schubert int in_ifnames[2]; 2533b9b51feSCy Schubert int in_plabel; /* proxy label. */ 2543b9b51feSCy Schubert int in_pconfig; /* proxy label. */ 2553b9b51feSCy Schubert ipftag_t in_tag; 2563b9b51feSCy Schubert int in_namelen; 2573b9b51feSCy Schubert char in_names[1]; 2583b9b51feSCy Schubert } ipnat_t; 2593b9b51feSCy Schubert 2603b9b51feSCy Schubert /* 2613b9b51feSCy Schubert * MAP-IN MAP-OUT RDR-IN RDR-OUT 2623b9b51feSCy Schubert * osrc X == src == src X 2633b9b51feSCy Schubert * odst X == dst == dst X 2643b9b51feSCy Schubert * nsrc == dst X X == dst 2653b9b51feSCy Schubert * ndst == src X X == src 2663b9b51feSCy Schubert */ 2673b9b51feSCy Schubert #define in_dpmin in_ndports[0] /* Also holds static redir port */ 2683b9b51feSCy Schubert #define in_dpmax in_ndports[1] 2693b9b51feSCy Schubert #define in_spmin in_nsports[0] /* Also holds static redir port */ 2703b9b51feSCy Schubert #define in_spmax in_nsports[1] 2713b9b51feSCy Schubert #define in_ndport in_ndports[0] 2723b9b51feSCy Schubert #define in_nsport in_nsports[0] 2733b9b51feSCy Schubert #define in_dipnext in_ndst.na_nextaddr.in4 2743b9b51feSCy Schubert #define in_dipnext6 in_ndst.na_nextaddr 2753b9b51feSCy Schubert #define in_dnip in_ndst.na_nextaddr.in4.s_addr 2763b9b51feSCy Schubert #define in_dnip6 in_ndst.na_nextaddr 2773b9b51feSCy Schubert #define in_sipnext in_nsrc.na_nextaddr.in4 2783b9b51feSCy Schubert #define in_snip in_nsrc.na_nextaddr.in4.s_addr 2793b9b51feSCy Schubert #define in_snip6 in_nsrc.na_nextaddr 2803b9b51feSCy Schubert #define in_odstip in_odst.na_addr[0].in4 2813b9b51feSCy Schubert #define in_odstip6 in_odst.na_addr[0] 2823b9b51feSCy Schubert #define in_odstaddr in_odst.na_addr[0].in4.s_addr 2833b9b51feSCy Schubert #define in_odstmsk in_odst.na_addr[1].in4.s_addr 2843b9b51feSCy Schubert #define in_odstmsk6 in_odst.na_addr[1] 2853b9b51feSCy Schubert #define in_odstatype in_odst.na_atype 2863b9b51feSCy Schubert #define in_osrcip in_osrc.na_addr[0].in4 2873b9b51feSCy Schubert #define in_osrcip6 in_osrc.na_addr[0] 2883b9b51feSCy Schubert #define in_osrcaddr in_osrc.na_addr[0].in4.s_addr 2893b9b51feSCy Schubert #define in_osrcmsk in_osrc.na_addr[1].in4.s_addr 2903b9b51feSCy Schubert #define in_osrcmsk6 in_osrc.na_addr[1] 2913b9b51feSCy Schubert #define in_osrcatype in_osrc.na_atype 2923b9b51feSCy Schubert #define in_ndstip in_ndst.na_addr[0].in4 2933b9b51feSCy Schubert #define in_ndstip6 in_ndst.na_addr[0] 2943b9b51feSCy Schubert #define in_ndstaddr in_ndst.na_addr[0].in4.s_addr 2953b9b51feSCy Schubert #define in_ndstmsk in_ndst.na_addr[1].in4.s_addr 2963b9b51feSCy Schubert #define in_ndstmsk6 in_ndst.na_addr[1] 2973b9b51feSCy Schubert #define in_ndstatype in_ndst.na_atype 2983b9b51feSCy Schubert #define in_ndstafunc in_ndst.na_function 2993b9b51feSCy Schubert #define in_nsrcip in_nsrc.na_addr[0].in4 3003b9b51feSCy Schubert #define in_nsrcip6 in_nsrc.na_addr[0] 3013b9b51feSCy Schubert #define in_nsrcaddr in_nsrc.na_addr[0].in4.s_addr 3023b9b51feSCy Schubert #define in_nsrcmsk in_nsrc.na_addr[1].in4.s_addr 3033b9b51feSCy Schubert #define in_nsrcmsk6 in_nsrc.na_addr[1] 3043b9b51feSCy Schubert #define in_nsrcatype in_nsrc.na_atype 3053b9b51feSCy Schubert #define in_nsrcafunc in_nsrc.na_function 3063b9b51feSCy Schubert #define in_scmp in_tuc.ftu_scmp 3073b9b51feSCy Schubert #define in_dcmp in_tuc.ftu_dcmp 3083b9b51feSCy Schubert #define in_stop in_tuc.ftu_stop 3093b9b51feSCy Schubert #define in_dtop in_tuc.ftu_dtop 3103b9b51feSCy Schubert #define in_osport in_tuc.ftu_sport 3113b9b51feSCy Schubert #define in_odport in_tuc.ftu_dport 3123b9b51feSCy Schubert #define in_ndstnum in_ndst.na_addr[0].iplookupnum 3133b9b51feSCy Schubert #define in_ndsttype in_ndst.na_addr[0].iplookuptype 3143b9b51feSCy Schubert #define in_ndstptr in_ndst.na_addr[1].iplookupptr 3153b9b51feSCy Schubert #define in_ndstfunc in_ndst.na_addr[1].iplookupfunc 3163b9b51feSCy Schubert #define in_nsrcnum in_nsrc.na_addr[0].iplookupnum 3173b9b51feSCy Schubert #define in_nsrctype in_nsrc.na_addr[0].iplookuptype 3183b9b51feSCy Schubert #define in_nsrcptr in_nsrc.na_addr[1].iplookupptr 3193b9b51feSCy Schubert #define in_nsrcfunc in_nsrc.na_addr[1].iplookupfunc 3203b9b51feSCy Schubert #define in_odstnum in_odst.na_addr[0].iplookupnum 3213b9b51feSCy Schubert #define in_odsttype in_odst.na_addr[0].iplookuptype 3223b9b51feSCy Schubert #define in_odstptr in_odst.na_addr[1].iplookupptr 3233b9b51feSCy Schubert #define in_odstfunc in_odst.na_addr[1].iplookupfunc 3243b9b51feSCy Schubert #define in_osrcnum in_osrc.na_addr[0].iplookupnum 3253b9b51feSCy Schubert #define in_osrctype in_osrc.na_addr[0].iplookuptype 3263b9b51feSCy Schubert #define in_osrcptr in_osrc.na_addr[1].iplookupptr 3273b9b51feSCy Schubert #define in_osrcfunc in_osrc.na_addr[1].iplookupfunc 3283b9b51feSCy Schubert #define in_icmpidmin in_nsports[0] 3293b9b51feSCy Schubert #define in_icmpidmax in_nsports[1] 3303b9b51feSCy Schubert 3313b9b51feSCy Schubert /* 3323b9b51feSCy Schubert * Bit definitions for in_flags 3333b9b51feSCy Schubert */ 3343b9b51feSCy Schubert #define IPN_ANY 0x00000 3353b9b51feSCy Schubert #define IPN_TCP 0x00001 3363b9b51feSCy Schubert #define IPN_UDP 0x00002 3373b9b51feSCy Schubert #define IPN_TCPUDP (IPN_TCP|IPN_UDP) 3383b9b51feSCy Schubert #define IPN_ICMPERR 0x00004 3393b9b51feSCy Schubert #define IPN_TCPUDPICMP (IPN_TCP|IPN_UDP|IPN_ICMPERR) 3403b9b51feSCy Schubert #define IPN_ICMPQUERY 0x00008 3413b9b51feSCy Schubert #define IPN_TCPUDPICMPQ (IPN_TCP|IPN_UDP|IPN_ICMPQUERY) 3423b9b51feSCy Schubert #define IPN_RF (IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR) 3433b9b51feSCy Schubert #define IPN_AUTOPORTMAP 0x00010 3443b9b51feSCy Schubert #define IPN_FILTER 0x00020 3453b9b51feSCy Schubert #define IPN_SPLIT 0x00040 3463b9b51feSCy Schubert #define IPN_ROUNDR 0x00080 3473b9b51feSCy Schubert #define IPN_SIPRANGE 0x00100 3483b9b51feSCy Schubert #define IPN_DIPRANGE 0x00200 3493b9b51feSCy Schubert #define IPN_NOTSRC 0x00400 3503b9b51feSCy Schubert #define IPN_NOTDST 0x00800 3513b9b51feSCy Schubert #define IPN_NO 0x01000 3523b9b51feSCy Schubert #define IPN_DYNSRCIP 0x02000 /* dynamic src IP# */ 3533b9b51feSCy Schubert #define IPN_DYNDSTIP 0x04000 /* dynamic dst IP# */ 3543b9b51feSCy Schubert #define IPN_DELETE 0x08000 3553b9b51feSCy Schubert #define IPN_STICKY 0x10000 3563b9b51feSCy Schubert #define IPN_FRAG 0x20000 3573b9b51feSCy Schubert #define IPN_FIXEDSPORT 0x40000 3583b9b51feSCy Schubert #define IPN_FIXEDDPORT 0x80000 3593b9b51feSCy Schubert #define IPN_FINDFORWARD 0x100000 3603b9b51feSCy Schubert #define IPN_IN 0x200000 3613b9b51feSCy Schubert #define IPN_SEQUENTIAL 0x400000 3623b9b51feSCy Schubert #define IPN_PURGE 0x800000 3633b9b51feSCy Schubert #define IPN_PROXYRULE 0x1000000 3643b9b51feSCy Schubert #define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_SIPRANGE|IPN_SPLIT|\ 3653b9b51feSCy Schubert IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|IPN_NO|\ 3663b9b51feSCy Schubert IPN_FRAG|IPN_STICKY|IPN_FIXEDDPORT|IPN_ICMPQUERY|\ 3673b9b51feSCy Schubert IPN_DIPRANGE|IPN_SEQUENTIAL|IPN_PURGE) 3683b9b51feSCy Schubert 3693b9b51feSCy Schubert /* 3703b9b51feSCy Schubert * Values for in_redir 3713b9b51feSCy Schubert */ 3723b9b51feSCy Schubert #define NAT_MAP 0x01 3733b9b51feSCy Schubert #define NAT_REDIRECT 0x02 3743b9b51feSCy Schubert #define NAT_BIMAP (NAT_MAP|NAT_REDIRECT) 3753b9b51feSCy Schubert #define NAT_MAPBLK 0x04 3763b9b51feSCy Schubert #define NAT_REWRITE 0x08 3773b9b51feSCy Schubert #define NAT_ENCAP 0x10 3783b9b51feSCy Schubert #define NAT_DIVERTUDP 0x20 3793b9b51feSCy Schubert 3803b9b51feSCy Schubert #define MAPBLK_MINPORT 1024 /* don't use reserved ports for src port */ 3813b9b51feSCy Schubert #define USABLE_PORTS (65536 - MAPBLK_MINPORT) 3823b9b51feSCy Schubert 3833b9b51feSCy Schubert #define IPN_CMPSIZ (sizeof(ipnat_t) - offsetof(ipnat_t, in_v)) 3843b9b51feSCy Schubert 3853b9b51feSCy Schubert typedef struct natlookup { 3863b9b51feSCy Schubert i6addr_t nl_inipaddr; 3873b9b51feSCy Schubert i6addr_t nl_outipaddr; 3883b9b51feSCy Schubert i6addr_t nl_realipaddr; 3893b9b51feSCy Schubert int nl_v; 3903b9b51feSCy Schubert int nl_flags; 3913b9b51feSCy Schubert u_short nl_inport; 3923b9b51feSCy Schubert u_short nl_outport; 3933b9b51feSCy Schubert u_short nl_realport; 3943b9b51feSCy Schubert } natlookup_t; 3953b9b51feSCy Schubert 3963b9b51feSCy Schubert #define nl_inip nl_inipaddr.in4 3973b9b51feSCy Schubert #define nl_outip nl_outipaddr.in4 3983b9b51feSCy Schubert #define nl_realip nl_realipaddr.in4 3993b9b51feSCy Schubert #define nl_inip6 nl_inipaddr.in6 4003b9b51feSCy Schubert #define nl_outip6 nl_outipaddr.in6 4013b9b51feSCy Schubert #define nl_realip6 nl_realipaddr.in6 4023b9b51feSCy Schubert 4033b9b51feSCy Schubert 4043b9b51feSCy Schubert typedef struct nat_save { 4053b9b51feSCy Schubert void *ipn_next; 4063b9b51feSCy Schubert struct nat ipn_nat; 4073b9b51feSCy Schubert struct ipnat ipn_ipnat; 4083b9b51feSCy Schubert struct frentry ipn_fr; 4093b9b51feSCy Schubert int ipn_dsize; 4103b9b51feSCy Schubert char ipn_data[4]; 4113b9b51feSCy Schubert } nat_save_t; 4123b9b51feSCy Schubert 4133b9b51feSCy Schubert #define ipn_rule ipn_nat.nat_fr 4143b9b51feSCy Schubert 4153b9b51feSCy Schubert typedef struct natget { 4163b9b51feSCy Schubert void *ng_ptr; 4173b9b51feSCy Schubert int ng_sz; 4183b9b51feSCy Schubert } natget_t; 4193b9b51feSCy Schubert 4203b9b51feSCy Schubert 4213b9b51feSCy Schubert /* 4223b9b51feSCy Schubert * This structure gets used to help NAT sessions keep the same NAT rule (and 4233b9b51feSCy Schubert * thus translation for IP address) when: 4243b9b51feSCy Schubert * (a) round-robin redirects are in use 4253b9b51feSCy Schubert * (b) different IP add 4263b9b51feSCy Schubert */ 4273b9b51feSCy Schubert typedef struct hostmap { 4283b9b51feSCy Schubert struct hostmap *hm_hnext; 4293b9b51feSCy Schubert struct hostmap **hm_phnext; 4303b9b51feSCy Schubert struct hostmap *hm_next; 4313b9b51feSCy Schubert struct hostmap **hm_pnext; 4323b9b51feSCy Schubert struct ipnat *hm_ipnat; 4333b9b51feSCy Schubert i6addr_t hm_osrcip6; 4343b9b51feSCy Schubert i6addr_t hm_odstip6; 4353b9b51feSCy Schubert i6addr_t hm_nsrcip6; 4363b9b51feSCy Schubert i6addr_t hm_ndstip6; 4373b9b51feSCy Schubert u_32_t hm_port; 4383b9b51feSCy Schubert int hm_ref; 4393b9b51feSCy Schubert int hm_hv; 4403b9b51feSCy Schubert int hm_v; 4413b9b51feSCy Schubert } hostmap_t; 4423b9b51feSCy Schubert 4433b9b51feSCy Schubert #define hm_osrcip hm_osrcip6.in4 4443b9b51feSCy Schubert #define hm_odstip hm_odstip6.in4 4453b9b51feSCy Schubert #define hm_nsrcip hm_nsrcip6.in4 4463b9b51feSCy Schubert #define hm_ndstip hm_ndstip6.in4 4473b9b51feSCy Schubert #define hm_osrc6 hm_osrcip6.in6 4483b9b51feSCy Schubert #define hm_odst6 hm_odstip6.in6 4493b9b51feSCy Schubert #define hm_nsrc6 hm_nsrcip6.in6 4503b9b51feSCy Schubert #define hm_ndst6 hm_ndstip6.in6 4513b9b51feSCy Schubert 4523b9b51feSCy Schubert 4533b9b51feSCy Schubert /* 4543b9b51feSCy Schubert * Structure used to pass information in to nat_newmap and nat_newrdr. 4553b9b51feSCy Schubert */ 4563b9b51feSCy Schubert typedef struct natinfo { 4573b9b51feSCy Schubert ipnat_t *nai_np; 4583b9b51feSCy Schubert u_32_t nai_sum1; 4593b9b51feSCy Schubert u_32_t nai_sum2; 4603b9b51feSCy Schubert struct in_addr nai_ip; /* In host byte order */ 4613b9b51feSCy Schubert u_short nai_port; 4623b9b51feSCy Schubert u_short nai_nport; 4633b9b51feSCy Schubert u_short nai_sport; 4643b9b51feSCy Schubert u_short nai_dport; 4653b9b51feSCy Schubert } natinfo_t; 4663b9b51feSCy Schubert 4673b9b51feSCy Schubert 4683b9b51feSCy Schubert typedef struct nat_stat_side { 4693b9b51feSCy Schubert u_int *ns_bucketlen; 4703b9b51feSCy Schubert nat_t **ns_table; 4713b9b51feSCy Schubert u_long ns_added; 4723b9b51feSCy Schubert u_long ns_appr_fail; 4733b9b51feSCy Schubert u_long ns_badnat; 4743b9b51feSCy Schubert u_long ns_badnatnew; 4753b9b51feSCy Schubert u_long ns_badnextaddr; 4763b9b51feSCy Schubert u_long ns_bucket_max; 4773b9b51feSCy Schubert u_long ns_clone_nomem; 4783b9b51feSCy Schubert u_long ns_decap_bad; 4793b9b51feSCy Schubert u_long ns_decap_fail; 4803b9b51feSCy Schubert u_long ns_decap_pullup; 4813b9b51feSCy Schubert u_long ns_divert_dup; 4823b9b51feSCy Schubert u_long ns_divert_exist; 4833b9b51feSCy Schubert u_long ns_drop; 4843b9b51feSCy Schubert u_long ns_encap_dup; 4853b9b51feSCy Schubert u_long ns_encap_pullup; 4863b9b51feSCy Schubert u_long ns_exhausted; 4873b9b51feSCy Schubert u_long ns_icmp_address; 4883b9b51feSCy Schubert u_long ns_icmp_basic; 4893b9b51feSCy Schubert u_long ns_icmp_mbuf; 4903b9b51feSCy Schubert u_long ns_icmp_notfound; 4913b9b51feSCy Schubert u_long ns_icmp_rebuild; 4923b9b51feSCy Schubert u_long ns_icmp_short; 4933b9b51feSCy Schubert u_long ns_icmp_size; 4943b9b51feSCy Schubert u_long ns_ifpaddrfail; 4953b9b51feSCy Schubert u_long ns_ignored; 4963b9b51feSCy Schubert u_long ns_insert_fail; 4973b9b51feSCy Schubert u_long ns_inuse; 4983b9b51feSCy Schubert u_long ns_log; 4993b9b51feSCy Schubert u_long ns_lookup_miss; 5003b9b51feSCy Schubert u_long ns_lookup_nowild; 5013b9b51feSCy Schubert u_long ns_new_ifpaddr; 5023b9b51feSCy Schubert u_long ns_memfail; 5033b9b51feSCy Schubert u_long ns_table_max; 5043b9b51feSCy Schubert u_long ns_translated; 5053b9b51feSCy Schubert u_long ns_unfinalised; 5063b9b51feSCy Schubert u_long ns_wrap; 5073b9b51feSCy Schubert u_long ns_xlate_null; 5083b9b51feSCy Schubert u_long ns_xlate_exists; 5093b9b51feSCy Schubert u_long ns_ipf_proxy_fail; 5103b9b51feSCy Schubert u_long ns_uncreate[2]; 5113b9b51feSCy Schubert } nat_stat_side_t; 5123b9b51feSCy Schubert 5133b9b51feSCy Schubert 5143b9b51feSCy Schubert typedef struct natstat { 5153b9b51feSCy Schubert nat_t *ns_instances; 5163b9b51feSCy Schubert ipnat_t *ns_list; 5173b9b51feSCy Schubert hostmap_t *ns_maplist; 5183b9b51feSCy Schubert hostmap_t **ns_maptable; 5193b9b51feSCy Schubert u_int ns_active; 5203b9b51feSCy Schubert u_long ns_addtrpnt; 5213b9b51feSCy Schubert u_long ns_divert_build; 5223b9b51feSCy Schubert u_long ns_expire; 5233b9b51feSCy Schubert u_long ns_flush_all; 5243b9b51feSCy Schubert u_long ns_flush_closing; 5253b9b51feSCy Schubert u_long ns_flush_queue; 5263b9b51feSCy Schubert u_long ns_flush_state; 5273b9b51feSCy Schubert u_long ns_flush_timeout; 5283b9b51feSCy Schubert u_long ns_hm_new; 5293b9b51feSCy Schubert u_long ns_hm_newfail; 5303b9b51feSCy Schubert u_long ns_hm_addref; 5313b9b51feSCy Schubert u_long ns_hm_nullnp; 5323b9b51feSCy Schubert u_long ns_log_ok; 5333b9b51feSCy Schubert u_long ns_log_fail; 5343b9b51feSCy Schubert u_int ns_hostmap_sz; 5353b9b51feSCy Schubert u_int ns_nattab_sz; 5363b9b51feSCy Schubert u_int ns_nattab_max; 5373b9b51feSCy Schubert u_int ns_orphans; 5383b9b51feSCy Schubert u_int ns_rules; 5393b9b51feSCy Schubert u_int ns_rules_map; 5403b9b51feSCy Schubert u_int ns_rules_rdr; 5413b9b51feSCy Schubert u_int ns_rultab_sz; 5423b9b51feSCy Schubert u_int ns_rdrtab_sz; 5433b9b51feSCy Schubert u_32_t ns_ticks; 5443b9b51feSCy Schubert u_int ns_trpntab_sz; 5453b9b51feSCy Schubert u_int ns_wilds; 5463b9b51feSCy Schubert u_long ns_proto[256]; 5473b9b51feSCy Schubert nat_stat_side_t ns_side[2]; 5483b9b51feSCy Schubert #ifdef USE_INET6 5493b9b51feSCy Schubert nat_stat_side_t ns_side6[2]; 5503b9b51feSCy Schubert #endif 5513b9b51feSCy Schubert } natstat_t; 5523b9b51feSCy Schubert 5533b9b51feSCy Schubert typedef struct natlog { 5543b9b51feSCy Schubert i6addr_t nl_osrcip; 5553b9b51feSCy Schubert i6addr_t nl_odstip; 5563b9b51feSCy Schubert i6addr_t nl_nsrcip; 5573b9b51feSCy Schubert i6addr_t nl_ndstip; 5583b9b51feSCy Schubert u_short nl_osrcport; 5593b9b51feSCy Schubert u_short nl_odstport; 5603b9b51feSCy Schubert u_short nl_nsrcport; 5613b9b51feSCy Schubert u_short nl_ndstport; 5623b9b51feSCy Schubert int nl_action; 5633b9b51feSCy Schubert int nl_type; 5643b9b51feSCy Schubert int nl_rule; 5653b9b51feSCy Schubert U_QUAD_T nl_pkts[2]; 5663b9b51feSCy Schubert U_QUAD_T nl_bytes[2]; 5673b9b51feSCy Schubert u_char nl_p[2]; 5683b9b51feSCy Schubert u_char nl_v[2]; 5693b9b51feSCy Schubert u_char nl_ifnames[2][LIFNAMSIZ]; 5703b9b51feSCy Schubert } natlog_t; 5713b9b51feSCy Schubert 5723b9b51feSCy Schubert 5733b9b51feSCy Schubert #define NL_NEW 0 5743b9b51feSCy Schubert #define NL_CLONE 1 5753b9b51feSCy Schubert #define NL_PURGE 0xfffc 5763b9b51feSCy Schubert #define NL_DESTROY 0xfffd 5773b9b51feSCy Schubert #define NL_FLUSH 0xfffe 5783b9b51feSCy Schubert #define NL_EXPIRE 0xffff 5793b9b51feSCy Schubert 5803b9b51feSCy Schubert #define NAT_HASH_FN(_k,_l,_m) (((_k) + ((_k) >> 12) + _l) % (_m)) 5813b9b51feSCy Schubert #define NAT_HASH_FN6(_k,_l,_m) ((((u_32_t *)(_k))[3] \ 5823b9b51feSCy Schubert + (((u_32_t *)(_k))[3] >> 12) \ 5833b9b51feSCy Schubert + (((u_32_t *)(_k))[2]) \ 5843b9b51feSCy Schubert + (((u_32_t *)(_k))[2] >> 12) \ 5853b9b51feSCy Schubert + (((u_32_t *)(_k))[1]) \ 5863b9b51feSCy Schubert + (((u_32_t *)(_k))[1] >> 12) \ 5873b9b51feSCy Schubert + (((u_32_t *)(_k))[0]) \ 5883b9b51feSCy Schubert + (((u_32_t *)(_k))[0] >> 12) \ 5893b9b51feSCy Schubert + _l) % (_m)) 5903b9b51feSCy Schubert 5913b9b51feSCy Schubert #define LONG_SUM(_i) (((_i) & 0xffff) + ((_i) >> 16)) 5923b9b51feSCy Schubert #define LONG_SUM6(_i) (LONG_SUM(ntohl(((u_32_t *)(_i))[0])) + \ 5933b9b51feSCy Schubert LONG_SUM(ntohl(((u_32_t *)(_i))[1])) + \ 5943b9b51feSCy Schubert LONG_SUM(ntohl(((u_32_t *)(_i))[2])) + \ 5953b9b51feSCy Schubert LONG_SUM(ntohl(((u_32_t *)(_i))[3]))) 5963b9b51feSCy Schubert 5973b9b51feSCy Schubert #define CALC_SUMD(s1, s2, sd) { \ 5983b9b51feSCy Schubert (s1) = ((s1) & 0xffff) + ((s1) >> 16); \ 5993b9b51feSCy Schubert (s2) = ((s2) & 0xffff) + ((s2) >> 16); \ 6003b9b51feSCy Schubert /* Do it twice */ \ 6013b9b51feSCy Schubert (s1) = ((s1) & 0xffff) + ((s1) >> 16); \ 6023b9b51feSCy Schubert (s2) = ((s2) & 0xffff) + ((s2) >> 16); \ 6033b9b51feSCy Schubert /* Because ~1 == -2, We really need ~1 == -1 */ \ 6043b9b51feSCy Schubert if ((s1) > (s2)) (s2)--; \ 6053b9b51feSCy Schubert (sd) = (s2) - (s1); \ 6063b9b51feSCy Schubert (sd) = ((sd) & 0xffff) + ((sd) >> 16); } 6073b9b51feSCy Schubert 6083b9b51feSCy Schubert #define NAT_SYSSPACE 0x80000000 6093b9b51feSCy Schubert #define NAT_LOCKHELD 0x40000000 6103b9b51feSCy Schubert 6113b9b51feSCy Schubert /* 6123b9b51feSCy Schubert * This is present in ip_nat.h because it needs to be shared between 6133b9b51feSCy Schubert * ip_nat.c and ip_nat6.c 6143b9b51feSCy Schubert */ 6153b9b51feSCy Schubert typedef struct ipf_nat_softc_s { 6163b9b51feSCy Schubert ipfmutex_t ipf_nat_new; 6173b9b51feSCy Schubert ipfmutex_t ipf_nat_io; 6183b9b51feSCy Schubert int ipf_nat_doflush; 6193b9b51feSCy Schubert int ipf_nat_logging; 6203b9b51feSCy Schubert int ipf_nat_lock; 6213b9b51feSCy Schubert int ipf_nat_inited; 6223b9b51feSCy Schubert int ipf_nat_table_wm_high; 6233b9b51feSCy Schubert int ipf_nat_table_wm_low; 6243b9b51feSCy Schubert u_int ipf_nat_table_max; 6253b9b51feSCy Schubert u_int ipf_nat_table_sz; 6263b9b51feSCy Schubert u_int ipf_nat_maprules_sz; 6273b9b51feSCy Schubert u_int ipf_nat_rdrrules_sz; 6283b9b51feSCy Schubert u_int ipf_nat_hostmap_sz; 6293b9b51feSCy Schubert u_int ipf_nat_maxbucket; 6303b9b51feSCy Schubert u_int ipf_nat_last_force_flush; 6313b9b51feSCy Schubert u_int ipf_nat_defage; 6323b9b51feSCy Schubert u_int ipf_nat_defipage; 6333b9b51feSCy Schubert u_int ipf_nat_deficmpage; 6343b9b51feSCy Schubert ipf_v4_masktab_t ipf_nat_map_mask; 6353b9b51feSCy Schubert ipf_v6_masktab_t ipf_nat6_map_mask; 6363b9b51feSCy Schubert ipf_v4_masktab_t ipf_nat_rdr_mask; 6373b9b51feSCy Schubert ipf_v6_masktab_t ipf_nat6_rdr_mask; 6383b9b51feSCy Schubert nat_t **ipf_nat_table[2]; 6393b9b51feSCy Schubert nat_t *ipf_nat_instances; 6403b9b51feSCy Schubert ipnat_t *ipf_nat_list; 6413b9b51feSCy Schubert ipnat_t **ipf_nat_list_tail; 6423b9b51feSCy Schubert ipnat_t **ipf_nat_map_rules; 6433b9b51feSCy Schubert ipnat_t **ipf_nat_rdr_rules; 6443b9b51feSCy Schubert ipftq_t *ipf_nat_utqe; 6453b9b51feSCy Schubert hostmap_t **ipf_hm_maptable ; 6463b9b51feSCy Schubert hostmap_t *ipf_hm_maplist ; 6473b9b51feSCy Schubert ipftuneable_t *ipf_nat_tune; 6483b9b51feSCy Schubert ipftq_t ipf_nat_udptq; 6493b9b51feSCy Schubert ipftq_t ipf_nat_udpacktq; 6503b9b51feSCy Schubert ipftq_t ipf_nat_icmptq; 6513b9b51feSCy Schubert ipftq_t ipf_nat_icmpacktq; 6523b9b51feSCy Schubert ipftq_t ipf_nat_iptq; 6533b9b51feSCy Schubert ipftq_t ipf_nat_pending; 6543b9b51feSCy Schubert ipftq_t ipf_nat_tcptq[IPF_TCP_NSTATES]; 6553b9b51feSCy Schubert natstat_t ipf_nat_stats; 6563b9b51feSCy Schubert } ipf_nat_softc_t ; 6573b9b51feSCy Schubert 6583b9b51feSCy Schubert #define ipf_nat_map_max ipf_nat_map_mask.imt4_max 6593b9b51feSCy Schubert #define ipf_nat_rdr_max ipf_nat_rdr_mask.imt4_max 6603b9b51feSCy Schubert #define ipf_nat6_map_max ipf_nat6_map_mask.imt6_max 6613b9b51feSCy Schubert #define ipf_nat6_rdr_max ipf_nat6_rdr_mask.imt6_max 6623b9b51feSCy Schubert #define ipf_nat_map_active_masks ipf_nat_map_mask.imt4_active 6633b9b51feSCy Schubert #define ipf_nat_rdr_active_masks ipf_nat_rdr_mask.imt4_active 6643b9b51feSCy Schubert #define ipf_nat6_map_active_masks ipf_nat6_map_mask.imt6_active 6653b9b51feSCy Schubert #define ipf_nat6_rdr_active_masks ipf_nat6_rdr_mask.imt6_active 6663b9b51feSCy Schubert 6673b9b51feSCy Schubert extern frentry_t ipfnatblock; 6683b9b51feSCy Schubert 6693b9b51feSCy Schubert extern void ipf_fix_datacksum(u_short *, u_32_t); 6703b9b51feSCy Schubert extern void ipf_fix_incksum(int, u_short *, u_32_t, u_32_t); 6713b9b51feSCy Schubert extern void ipf_fix_outcksum(int, u_short *, u_32_t, u_32_t); 6723b9b51feSCy Schubert 6733b9b51feSCy Schubert extern int ipf_nat_checkin(fr_info_t *, u_32_t *); 6743b9b51feSCy Schubert extern int ipf_nat_checkout(fr_info_t *, u_32_t *); 6753b9b51feSCy Schubert extern void ipf_nat_delete(ipf_main_softc_t *, struct nat *, int); 6763b9b51feSCy Schubert extern void ipf_nat_deref(ipf_main_softc_t *, nat_t **); 6773b9b51feSCy Schubert extern void ipf_nat_expire(ipf_main_softc_t *); 6783b9b51feSCy Schubert extern int ipf_nat_hashtab_add(ipf_main_softc_t *, 6793b9b51feSCy Schubert ipf_nat_softc_t *, nat_t *); 6803b9b51feSCy Schubert extern void ipf_nat_hostmapdel(ipf_main_softc_t *, hostmap_t **); 6813b9b51feSCy Schubert extern int ipf_nat_hostmap_rehash(ipf_main_softc_t *, 6823b9b51feSCy Schubert ipftuneable_t *, ipftuneval_t *); 6833b9b51feSCy Schubert extern nat_t *ipf_nat_icmperrorlookup(fr_info_t *, int); 6843b9b51feSCy Schubert extern nat_t *ipf_nat_icmperror(fr_info_t *, u_int *, int); 6853b9b51feSCy Schubert extern int ipf_nat_init(void); 6863b9b51feSCy Schubert extern nat_t *ipf_nat_inlookup(fr_info_t *, u_int, u_int, 6873b9b51feSCy Schubert struct in_addr, struct in_addr); 6883b9b51feSCy Schubert extern int ipf_nat_in(fr_info_t *, nat_t *, int, u_32_t); 6893b9b51feSCy Schubert extern int ipf_nat_insert(ipf_main_softc_t *, ipf_nat_softc_t *, 6903b9b51feSCy Schubert nat_t *); 6913b9b51feSCy Schubert extern int ipf_nat_ioctl(ipf_main_softc_t *, caddr_t, ioctlcmd_t, 6923b9b51feSCy Schubert int, int, void *); 6933b9b51feSCy Schubert extern void ipf_nat_log(ipf_main_softc_t *, ipf_nat_softc_t *, 6943b9b51feSCy Schubert struct nat *, u_int); 6953b9b51feSCy Schubert extern nat_t *ipf_nat_lookupredir(natlookup_t *); 6963b9b51feSCy Schubert extern nat_t *ipf_nat_maplookup(void *, u_int, struct in_addr, 6973b9b51feSCy Schubert struct in_addr); 6983b9b51feSCy Schubert extern nat_t *ipf_nat_add(fr_info_t *, ipnat_t *, nat_t **, 6993b9b51feSCy Schubert u_int, int); 7003b9b51feSCy Schubert extern int ipf_nat_out(fr_info_t *, nat_t *, int, u_32_t); 7013b9b51feSCy Schubert extern nat_t *ipf_nat_outlookup(fr_info_t *, u_int, u_int, 7023b9b51feSCy Schubert struct in_addr, struct in_addr); 7033b9b51feSCy Schubert extern u_short *ipf_nat_proto(fr_info_t *, nat_t *, u_int); 7043b9b51feSCy Schubert extern void ipf_nat_rule_deref(ipf_main_softc_t *, ipnat_t **); 7053b9b51feSCy Schubert extern void ipf_nat_setqueue(ipf_main_softc_t *, ipf_nat_softc_t *, 7063b9b51feSCy Schubert nat_t *); 7073b9b51feSCy Schubert extern void ipf_nat_setpending(ipf_main_softc_t *, nat_t *); 7083b9b51feSCy Schubert extern nat_t *ipf_nat_tnlookup(fr_info_t *, int); 7093b9b51feSCy Schubert extern void ipf_nat_update(fr_info_t *, nat_t *); 7103b9b51feSCy Schubert extern int ipf_nat_rehash(ipf_main_softc_t *, ipftuneable_t *, 7113b9b51feSCy Schubert ipftuneval_t *); 7123b9b51feSCy Schubert extern int ipf_nat_rehash_rules(ipf_main_softc_t *, ipftuneable_t *, 7133b9b51feSCy Schubert ipftuneval_t *); 7143b9b51feSCy Schubert extern int ipf_nat_settimeout(struct ipf_main_softc_s *, 7153b9b51feSCy Schubert ipftuneable_t *, ipftuneval_t *); 7163b9b51feSCy Schubert extern void ipf_nat_sync(ipf_main_softc_t *, void *); 7173b9b51feSCy Schubert 7183b9b51feSCy Schubert extern nat_t *ipf_nat_clone(fr_info_t *, nat_t *); 7193b9b51feSCy Schubert extern void ipf_nat_delmap(ipf_nat_softc_t *, ipnat_t *); 7203b9b51feSCy Schubert extern void ipf_nat_delrdr(ipf_nat_softc_t *, ipnat_t *); 7213b9b51feSCy Schubert extern int ipf_nat_wildok(nat_t *, int, int, int, int); 7223b9b51feSCy Schubert extern void ipf_nat_setlock(void *, int); 7233b9b51feSCy Schubert extern void ipf_nat_load(void); 7243b9b51feSCy Schubert extern void *ipf_nat_soft_create(ipf_main_softc_t *); 7253b9b51feSCy Schubert extern int ipf_nat_soft_init(ipf_main_softc_t *, void *); 7263b9b51feSCy Schubert extern void ipf_nat_soft_destroy(ipf_main_softc_t *, void *); 7273b9b51feSCy Schubert extern int ipf_nat_soft_fini(ipf_main_softc_t *, void *); 7283b9b51feSCy Schubert extern int ipf_nat_main_load(void); 7293b9b51feSCy Schubert extern int ipf_nat_main_unload(void); 7303b9b51feSCy Schubert extern ipftq_t *ipf_nat_add_tq(ipf_main_softc_t *, int); 7313b9b51feSCy Schubert extern void ipf_nat_uncreate(fr_info_t *); 7323b9b51feSCy Schubert 7333b9b51feSCy Schubert #ifdef USE_INET6 7343b9b51feSCy Schubert extern nat_t *ipf_nat6_add(fr_info_t *, ipnat_t *, nat_t **, 7353b9b51feSCy Schubert u_int, int); 7363b9b51feSCy Schubert extern void ipf_nat6_addrdr(ipf_nat_softc_t *, ipnat_t *); 7373b9b51feSCy Schubert extern void ipf_nat6_addmap(ipf_nat_softc_t *, ipnat_t *); 7383b9b51feSCy Schubert extern void ipf_nat6_addencap(ipf_nat_softc_t *, ipnat_t *); 7393b9b51feSCy Schubert extern int ipf_nat6_checkout(fr_info_t *, u_32_t *); 7403b9b51feSCy Schubert extern int ipf_nat6_checkin(fr_info_t *, u_32_t *); 7413b9b51feSCy Schubert extern void ipf_nat6_delmap(ipf_nat_softc_t *, ipnat_t *); 7423b9b51feSCy Schubert extern void ipf_nat6_delrdr(ipf_nat_softc_t *, ipnat_t *); 7433b9b51feSCy Schubert extern int ipf_nat6_finalise(fr_info_t *, nat_t *); 7443b9b51feSCy Schubert extern nat_t *ipf_nat6_icmperror(fr_info_t *, u_int *, int); 7453b9b51feSCy Schubert extern nat_t *ipf_nat6_icmperrorlookup(fr_info_t *, int); 7463b9b51feSCy Schubert extern nat_t *ipf_nat6_inlookup(fr_info_t *, u_int, u_int, 7473b9b51feSCy Schubert struct in6_addr *, struct in6_addr *); 7483b9b51feSCy Schubert extern u_32_t ipf_nat6_ip6subtract(i6addr_t *, i6addr_t *); 7493b9b51feSCy Schubert extern frentry_t *ipf_nat6_ipfin(fr_info_t *, u_32_t *); 7503b9b51feSCy Schubert extern frentry_t *ipf_nat6_ipfout(fr_info_t *, u_32_t *); 7513b9b51feSCy Schubert extern nat_t *ipf_nat6_lookupredir(natlookup_t *); 7523b9b51feSCy Schubert extern int ipf_nat6_newmap(fr_info_t *, nat_t *, natinfo_t *); 7533b9b51feSCy Schubert extern int ipf_nat6_newrdr(fr_info_t *, nat_t *, natinfo_t *); 7543b9b51feSCy Schubert extern nat_t *ipf_nat6_outlookup(fr_info_t *, u_int, u_int, 7553b9b51feSCy Schubert struct in6_addr *, struct in6_addr *); 7563b9b51feSCy Schubert extern int ipf_nat6_newrewrite(fr_info_t *, nat_t *, natinfo_t *); 7573b9b51feSCy Schubert extern int ipf_nat6_newdivert(fr_info_t *, nat_t *, natinfo_t *); 7583b9b51feSCy Schubert extern int ipf_nat6_ruleaddrinit(ipf_main_softc_t *, ipf_nat_softc_t *, ipnat_t *); 7593b9b51feSCy Schubert 7603b9b51feSCy Schubert #endif 7613b9b51feSCy Schubert 7623b9b51feSCy Schubert 7633b9b51feSCy Schubert #endif /* __IP_NAT_H__ */ 764