Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/sys/netpfil/ipfw/nat64/nat64stl.c
109343 views
1
/*-

2
 * SPDX-License-Identifier: BSD-2-Clause

3
 *

4
 * Copyright (c) 2015-2019 Yandex LLC

5
 * Copyright (c) 2015-2019 Andrey V. Elsukov <[email protected]>

6
 *

7
 * Redistribution and use in source and binary forms, with or without

8
 * modification, are permitted provided that the following conditions

9
 * are met:

10
 *

11
 * 1. Redistributions of source code must retain the above copyright

12
 *    notice, this list of conditions and the following disclaimer.

13
 * 2. Redistributions in binary form must reproduce the above copyright

14
 *    notice, this list of conditions and the following disclaimer in the

15
 *    documentation and/or other materials provided with the distribution.

16
 *

17
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

18
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

19
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

20
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

21
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

22
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

23
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

24
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

25
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

26
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

27
 */

28


29
#include <sys/param.h>

30
#include <sys/systm.h>

31
#include <sys/counter.h>

32
#include <sys/kernel.h>

33
#include <sys/lock.h>

34
#include <sys/mbuf.h>

35
#include <sys/module.h>

36
#include <sys/rmlock.h>

37
#include <sys/rwlock.h>

38
#include <sys/socket.h>

39
#include <sys/sysctl.h>

40


41
#include <net/if.h>

42
#include <net/if_var.h>

43
#include <net/if_pflog.h>

44
#include <net/pfil.h>

45


46
#include <netinet/in.h>

47
#include <netinet/ip.h>

48
#include <netinet/ip_icmp.h>

49
#include <netinet/ip_var.h>

50
#include <netinet/ip_fw.h>

51
#include <netinet/ip6.h>

52
#include <netinet/icmp6.h>

53
#include <netinet6/ip_fw_nat64.h>

54


55
#include <netpfil/ipfw/ip_fw_private.h>

56
#include <netpfil/pf/pf.h>

57


58
#include "nat64stl.h"

59


60
#define	NAT64_LOOKUP(chain, cmd)	\

61
    (struct nat64stl_cfg *)SRV_OBJECT((chain), insntod(cmd, kidx)->kidx)

62


63
static void

64
nat64stl_log(struct pfloghdr *plog, struct mbuf *m, sa_family_t family,

65
    uint32_t kidx)

66
{

67
	static uint32_t pktid = 0;

68


69
	memset(plog, 0, sizeof(*plog));

70
	plog->length = PFLOG_REAL_HDRLEN;

71
	plog->af = family;

72
	plog->action = PF_NAT;

73
	plog->dir = PF_IN;

74
	plog->rulenr = htonl(kidx);

75
	pktid++;

76
	plog->subrulenr = htonl(pktid);

77
	plog->ruleset[0] = '\0';

78
	strlcpy(plog->ifname, "NAT64STL", sizeof(plog->ifname));

79
	ipfw_pflog_tap(plog, m);

80
}

81


82
static int

83
nat64stl_handle_ip4(struct ip_fw_chain *chain, struct nat64stl_cfg *cfg,

84
    struct mbuf *m, uint32_t tablearg)

85
{

86
	struct pfloghdr loghdr, *logdata;

87
	struct in6_addr saddr, daddr;

88
	struct ip *ip;

89


90
	ip = mtod(m, struct ip*);

91
	if (nat64_check_ip4(ip->ip_src.s_addr) != 0 ||

92
	    nat64_check_ip4(ip->ip_dst.s_addr) != 0 ||

93
	    nat64_check_private_ip4(&cfg->base, ip->ip_src.s_addr) != 0 ||

94
	    nat64_check_private_ip4(&cfg->base, ip->ip_dst.s_addr) != 0)

95
		return (NAT64SKIP);

96


97
	daddr = TARG_VAL(chain, tablearg, nh6);

98
	if (nat64_check_ip6(&daddr) != 0)

99
		return (NAT64MFREE);

100


101
	saddr = cfg->base.plat_prefix;

102
	nat64_embed_ip4(&saddr, cfg->base.plat_plen, ip->ip_src.s_addr);

103
	if (cfg->base.flags & NAT64_LOG) {

104
		logdata = &loghdr;

105
		nat64stl_log(logdata, m, AF_INET, cfg->no.kidx);

106
	} else

107
		logdata = NULL;

108
	return (nat64_do_handle_ip4(m, &saddr, &daddr, 0, &cfg->base,

109
	    logdata));

110
}

111


112
static int

113
nat64stl_handle_ip6(struct ip_fw_chain *chain, struct nat64stl_cfg *cfg,

114
    struct mbuf *m, uint32_t tablearg)

115
{

116
	struct pfloghdr loghdr, *logdata;

117
	struct ip6_hdr *ip6;

118
	uint32_t aaddr;

119


120
	aaddr = htonl(TARG_VAL(chain, tablearg, nh4));

121
	if (nat64_check_private_ip4(&cfg->base, aaddr) != 0) {

122
		NAT64STAT_INC(&cfg->base.stats, dropped);

123
		return (NAT64MFREE);

124
	}

125
	/*

126
	 * NOTE: we expect ipfw_chk() did m_pullup() up to upper level

127
	 * protocol's headers. Also we skip some checks, that ip6_input(),

128
	 * ip6_forward(), ip6_fastfwd() and ipfw_chk() already did.

129
	 */

130
	ip6 = mtod(m, struct ip6_hdr *);

131
	/* Check ip6_dst matches configured prefix */

132
	if (memcmp(&ip6->ip6_dst, &cfg->base.plat_prefix,

133
	    cfg->base.plat_plen / 8) != 0)

134
		return (NAT64SKIP);

135


136
	if (cfg->base.flags & NAT64_LOG) {

137
		logdata = &loghdr;

138
		nat64stl_log(logdata, m, AF_INET6, cfg->no.kidx);

139
	} else

140
		logdata = NULL;

141
	return (nat64_do_handle_ip6(m, aaddr, 0, &cfg->base, logdata));

142
}

143


144
static int

145
nat64stl_handle_icmp6(struct ip_fw_chain *chain, struct nat64stl_cfg *cfg,

146
    struct mbuf *m)

147
{

148
	struct pfloghdr loghdr, *logdata;

149
	struct nat64_counters *stats;

150
	struct ip6_hdr *ip6i;

151
	struct icmp6_hdr *icmp6;

152
	uint32_t tablearg;

153
	int hlen, proto;

154


155
	hlen = 0;

156
	stats = &cfg->base.stats;

157
	proto = nat64_getlasthdr(m, &hlen);

158
	if (proto != IPPROTO_ICMPV6) {

159
		NAT64STAT_INC(stats, dropped);

160
		return (NAT64MFREE);

161
	}

162
	icmp6 = mtodo(m, hlen);

163
	switch (icmp6->icmp6_type) {

164
	case ICMP6_DST_UNREACH:

165
	case ICMP6_PACKET_TOO_BIG:

166
	case ICMP6_TIME_EXCEED_TRANSIT:

167
	case ICMP6_PARAM_PROB:

168
		break;

169
	default:

170
		NAT64STAT_INC(stats, dropped);

171
		return (NAT64MFREE);

172
	}

173
	hlen += sizeof(struct icmp6_hdr);

174
	if (m->m_pkthdr.len < hlen + sizeof(struct ip6_hdr) + ICMP_MINLEN) {

175
		NAT64STAT_INC(stats, dropped);

176
		return (NAT64MFREE);

177
	}

178
	if (m->m_len < hlen + sizeof(struct ip6_hdr) + ICMP_MINLEN)

179
		m = m_pullup(m, hlen + sizeof(struct ip6_hdr) + ICMP_MINLEN);

180
	if (m == NULL) {

181
		NAT64STAT_INC(stats, nomem);

182
		return (NAT64RETURN);

183
	}

184
	/*

185
	 * Use destination address from inner IPv6 header to determine

186
	 * IPv4 mapped address.

187
	 */

188
	ip6i = mtodo(m, hlen);

189
	if (ipfw_lookup_table(chain, cfg->map64,

190
	    sizeof(struct in6_addr), &ip6i->ip6_dst, &tablearg) == 0) {

191
		m_freem(m);

192
		return (NAT64RETURN);

193
	}

194
	if (cfg->base.flags & NAT64_LOG) {

195
		logdata = &loghdr;

196
		nat64stl_log(logdata, m, AF_INET6, cfg->no.kidx);

197
	} else

198
		logdata = NULL;

199
	return (nat64_handle_icmp6(m, 0,

200
	    htonl(TARG_VAL(chain, tablearg, nh4)), 0, &cfg->base, logdata));

201
}

202


203
int

204
ipfw_nat64stl(struct ip_fw_chain *chain, struct ip_fw_args *args,

205
    ipfw_insn *cmd, int *done)

206
{

207
	struct nat64stl_cfg *cfg;

208
	ipfw_insn *icmd;

209
	in_addr_t dst4;

210
	uint32_t tablearg;

211
	int ret;

212


213
	IPFW_RLOCK_ASSERT(chain);

214


215
	*done = 0; /* try next rule if not matched */

216
	icmd = cmd + F_LEN(cmd);

217
	if (cmd->opcode != O_EXTERNAL_ACTION ||

218
	    insntod(cmd, kidx)->kidx != V_nat64stl_eid ||

219
	    icmd->opcode != O_EXTERNAL_INSTANCE ||

220
	    (cfg = NAT64_LOOKUP(chain, icmd)) == NULL)

221
		return (0);

222


223
	switch (args->f_id.addr_type) {

224
	case 4:

225
		dst4 = htonl(args->f_id.dst_ip);

226
		ret = ipfw_lookup_table(chain, cfg->map46, sizeof(in_addr_t),

227
		    &dst4, &tablearg);

228
		break;

229
	case 6:

230
		ret = ipfw_lookup_table(chain, cfg->map64,

231
		    sizeof(struct in6_addr), &args->f_id.src_ip6, &tablearg);

232
		break;

233
	default:

234
		return (0);

235
	}

236
	if (ret == 0) {

237
		/*

238
		 * In case when packet is ICMPv6 message from an intermediate

239
		 * router, the source address of message will not match the

240
		 * addresses from our map64 table.

241
		 */

242
		if (args->f_id.proto != IPPROTO_ICMPV6)

243
			return (0);

244


245
		ret = nat64stl_handle_icmp6(chain, cfg, args->m);

246
	} else {

247
		if (args->f_id.addr_type == 4)

248
			ret = nat64stl_handle_ip4(chain, cfg, args->m,

249
			    tablearg);

250
		else

251
			ret = nat64stl_handle_ip6(chain, cfg, args->m,

252
			    tablearg);

253
	}

254
	if (ret == NAT64SKIP)

255
		return (0);

256


257
	*done = 1; /* terminate the search */

258
	if (ret == NAT64MFREE)

259
		m_freem(args->m);

260
	args->m = NULL;

261
	return (IP_FW_NAT64);

262
}

263


264