1
/*-
2
 * SPDX-License-Identifier: BSD-2-Clause
3
 *
4
 * Copyright (c) 2015-2019 Yandex LLC
5
 * Copyright (c) 2015-2019 Andrey V. Elsukov <[email protected]>
6
 *
7
 * Redistribution and use in source and binary forms, with or without
8
 * modification, are permitted provided that the following conditions
9
 * are met:
10
 *
11
 * 1. Redistributions of source code must retain the above copyright
12
 *    notice, this list of conditions and the following disclaimer.
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 *
17
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27
 */
28

29
#ifndef	_IP_FW_NAT64_TRANSLATE_H_
30
#define	_IP_FW_NAT64_TRANSLATE_H_
31

32
struct nat64_stats {
33
	uint64_t	opcnt64;	/* 6to4 of packets translated */
34
	uint64_t	opcnt46;	/* 4to6 of packets translated */
35
	uint64_t	ofrags;		/* number of fragments generated */
36
	uint64_t	ifrags;		/* number of fragments received */
37
	uint64_t	oerrors;	/* number of output errors */
38
	uint64_t	noroute4;
39
	uint64_t	noroute6;
40
	uint64_t	nomatch4;	/* No addr/port match */
41
	uint64_t	noproto;	/* Protocol not supported */
42
	uint64_t	nomem;		/* mbufs allocation failed */
43
	uint64_t	dropped;	/* number of packets silently
44
					 * dropped due to some errors/
45
					 * unsupported/etc.
46
					 */
47

48
	uint64_t	jrequests;	/* jobs requests queued */
49
	uint64_t	jcalls;		/* jobs handler calls */
50
	uint64_t	jhostsreq;	/* hosts requests */
51
	uint64_t	jportreq;	/* PG allocation requests */
52
	uint64_t	jhostfails;	/* hosts requests failed */
53
	uint64_t	jportfails;	/* PG allocation failed */
54
	uint64_t	jmaxlen;
55
	uint64_t	jnomem;
56
	uint64_t	jreinjected;
57

58
	uint64_t	screated;
59
	uint64_t	sdeleted;
60
	uint64_t	spgcreated;
61
	uint64_t	spgdeleted;
62
};
63

64
#define	IPFW_NAT64_VERSION	1
65
#define	NAT64STATS	(sizeof(struct nat64_stats) / sizeof(uint64_t))
66
struct nat64_counters {
67
	counter_u64_t		cnt[NAT64STATS];
68
};
69
#define	NAT64STAT_ADD(s, f, v)		\
70
    counter_u64_add((s)->cnt[		\
71
	offsetof(struct nat64_stats, f) / sizeof(uint64_t)], (v))
72
#define	NAT64STAT_INC(s, f)	NAT64STAT_ADD(s, f, 1)
73
#define	NAT64STAT_FETCH(s, f)		\
74
    counter_u64_fetch((s)->cnt[	\
75
	offsetof(struct nat64_stats, f) / sizeof(uint64_t)])
76

77
#define	L3HDR(_ip, _t)	((_t)((uint32_t *)(_ip) + (_ip)->ip_hl))
78
#define	TCP(p)		((struct tcphdr *)(p))
79
#define	UDP(p)		((struct udphdr *)(p))
80
#define	ICMP(p)		((struct icmphdr *)(p))
81
#define	ICMP6(p)	((struct icmp6_hdr *)(p))
82

83
#define	NAT64SKIP	0
84
#define	NAT64RETURN	1
85
#define	NAT64MFREE	-1
86

87
/*
88
 * According to RFC6877:
89
 *  PLAT is provider-side translator (XLAT) that translates N:1 global
90
 *  IPv6 addresses to global IPv4 addresses, and vice versa.
91
 *
92
 *  CLAT is customer-side translator (XLAT) that algorithmically
93
 *  translates 1:1 private IPv4 addresses to global IPv6 addresses,
94
 *  and vice versa.
95
 */
96
struct nat64_config {
97
	struct in6_addr		clat_prefix;
98
	struct in6_addr		plat_prefix;
99
	uint32_t		flags;
100
#define	NAT64_WKPFX		0x00010000	/* prefix is well-known */
101
#define	NAT64_CLATPFX		0x00020000	/* dst prefix is configured */
102
#define	NAT64_PLATPFX		0x00040000	/* src prefix is configured */
103
	uint8_t			clat_plen;
104
	uint8_t			plat_plen;
105

106
	struct nat64_counters	stats;
107
};
108

109
static inline int
110
nat64_check_ip6(struct in6_addr *addr)
111
{
112

113
	/* XXX: We should really check /8 */
114
	if (addr->s6_addr16[0] == 0 || /* 0000::/8 Reserved by IETF */
115
	    IN6_IS_ADDR_MULTICAST(addr) || IN6_IS_ADDR_LINKLOCAL(addr))
116
		return (1);
117
	return (0);
118
}
119

120
static inline int
121
nat64_check_ip4(in_addr_t ia)
122
{
123

124
	/* These checks are ordered from most likely to least */
125
	if (IN_MULTICAST(ntohl(ia)) || IN_LOOPBACK(ntohl(ia)) ||
126
	    IN_LINKLOCAL(ntohl(ia)) || IN_EXPERIMENTAL(ntohl(ia)))
127
		return (1);
128
	return (0);
129
}
130

131
/* Well-known prefix 64:ff9b::/96 */
132
#define	IPV6_ADDR_INT32_WKPFX	htonl(0x64ff9b)
133
#define	IN6_IS_ADDR_WKPFX(a)	\
134
    ((a)->s6_addr32[0] == IPV6_ADDR_INT32_WKPFX && \
135
	(a)->s6_addr32[1] == 0 && (a)->s6_addr32[2] == 0)
136

137
int nat64_check_private_ip4(const struct nat64_config *cfg, in_addr_t ia);
138
int nat64_check_prefixlen(int length);
139
int nat64_check_prefix6(const struct in6_addr *prefix, int length);
140
int nat64_getlasthdr(struct mbuf *m, int *offset);
141
int nat64_do_handle_ip4(struct mbuf *m, struct in6_addr *saddr,
142
    struct in6_addr *daddr, uint16_t lport, struct nat64_config *cfg,
143
    void *logdata);
144
int nat64_do_handle_ip6(struct mbuf *m, uint32_t aaddr, uint16_t aport,
145
    struct nat64_config *cfg, void *logdata);
146
int nat64_handle_icmp6(struct mbuf *m, int hlen, uint32_t aaddr,
147
    uint16_t aport, struct nat64_config *cfg, void *logdata);
148
void nat64_embed_ip4(struct in6_addr *ip6, int plen, in_addr_t ia);
149
in_addr_t nat64_extract_ip4(const struct in6_addr *ip6, int plen);
150

151
void nat64_set_output_method(int);
152
int nat64_get_output_method(void);
153

154
#endif
155

156