2 * Copyright (C) 1993-2002 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 #if defined(__sgi) && (IRIX > 602)
7 # include <sys/ptimers.h>
13 #include <sys/types.h>
14 #if !defined(__SVR4) && !defined(__svr4__)
17 # include <sys/byteorder.h>
20 #include <sys/param.h>
24 #include <sys/socket.h>
25 #include <sys/ioctl.h>
26 #if defined(sun) && (defined(__svr4__) || defined(__SVR4))
27 # include <sys/ioccom.h>
28 # include <sys/sysmacros.h>
30 #include <netinet/in.h>
31 #include <netinet/in_systm.h>
32 #include <netinet/ip.h>
33 #include <netinet/tcp.h>
35 #if __FreeBSD_version >= 300000
36 # include <net/if_var.h>
39 #include <arpa/nameser.h>
40 #include <arpa/inet.h>
43 #include "netinet/ip_compat.h"
44 #include "netinet/ip_fil.h"
45 #include "netinet/ip_nat.h"
46 #include "netinet/ip_state.h"
47 #include "netinet/ip_proxy.h"
50 #if defined(sun) && !SOLARIS2
51 # define STRERROR(x) sys_errlist[x]
52 extern char *sys_errlist[];
54 # define STRERROR(x) strerror(x)
58 static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
59 static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.27 2002/12/06 11:40:27 darrenr Exp $";
64 #define bzero(a,b) memset(a,0,b)
67 extern void printnat __P((ipnat_t *, int));
68 extern int countbits __P((u_32_t));
71 ipnat_t *natparse __P((char *, int));
72 void natparsefile __P((int, char *, int));
73 void nat_setgroupmap __P((struct ipnat *));
76 void nat_setgroupmap(n)
79 if (n->in_outmsk == n->in_inmsk)
81 else if (n->in_flags & IPN_AUTOPORTMAP) {
82 n->in_ippip = ~ntohl(n->in_inmsk);
83 if (n->in_outmsk != 0xffffffff)
84 n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
88 n->in_ppip = USABLE_PORTS / n->in_ippip;
90 n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
92 if (!(n->in_ppip = n->in_pmin))
94 n->in_ippip = USABLE_PORTS / n->in_ppip;
100 * Parse a line of input from the ipnat configuration file
102 ipnat_t *natparse(line, linenum)
108 char *dnetm = NULL, *dport = NULL;
109 char *s, *t, *cps[31], **cpp;
111 char *port1a = NULL, *port1b = NULL, *port2a = NULL;
116 * Search for end of line and comment marker, advance of leading spaces
118 if ((s = strchr(line, '\n')))
120 if ((s = strchr(line, '#')))
122 while (*line && isspace(*line))
127 bzero((char *)&ipn, sizeof(ipn));
131 * split line upto into segments.
133 for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
134 cps[++i] = strtok(NULL, " \b\t\r\n");
139 fprintf(stderr, "%d: not enough segments in line\n", linenum);
146 * Check first word is a recognised keyword and then is the interface
148 if (!strcasecmp(*cpp, "map"))
149 ipn.in_redir = NAT_MAP;
150 else if (!strcasecmp(*cpp, "map-block"))
151 ipn.in_redir = NAT_MAPBLK;
152 else if (!strcasecmp(*cpp, "rdr"))
153 ipn.in_redir = NAT_REDIRECT;
154 else if (!strcasecmp(*cpp, "bimap"))
155 ipn.in_redir = NAT_BIMAP;
157 fprintf(stderr, "%d: unknown mapping: \"%s\"\n",
164 strncpy(ipn.in_ifname, *cpp, sizeof(ipn.in_ifname) - 1);
165 ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
169 * If the first word after the interface is "from" or is a ! then
170 * the expanded syntax is being used so parse it differently.
172 if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
173 if (!strcmp(*cpp, "!")) {
175 if (strcasecmp(*cpp, "from")) {
176 fprintf(stderr, "Missing from after !\n");
179 ipn.in_flags |= IPN_NOTSRC;
180 } else if (**cpp == '!') {
181 if (strcasecmp(*cpp + 1, "from")) {
182 fprintf(stderr, "Missing from after !\n");
185 ipn.in_flags |= IPN_NOTSRC;
187 if ((ipn.in_flags & IPN_NOTSRC) &&
188 (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
189 fprintf(stderr, "Cannot use '! from' with map\n");
193 ipn.in_flags |= IPN_FILTER;
195 if (ipn.in_redir == NAT_REDIRECT) {
196 if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
197 (u_32_t *)&ipn.in_srcmsk, &ipn.in_sport,
198 &ipn.in_scmp, &ipn.in_stop, linenum)) {
202 if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
203 (u_32_t *)&ipn.in_inmsk, &ipn.in_sport,
204 &ipn.in_scmp, &ipn.in_stop, linenum)) {
209 if (!strcmp(*cpp, "!")) {
211 ipn.in_flags |= IPN_NOTDST;
212 } else if (**cpp == '!') {
214 ipn.in_flags |= IPN_NOTDST;
217 if (strcasecmp(*cpp, "to")) {
218 fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
222 if ((ipn.in_flags & IPN_NOTDST) &&
223 (ipn.in_redir & (NAT_REDIRECT))) {
224 fprintf(stderr, "Cannot use '! to' with rdr\n");
229 fprintf(stderr, "%d: missing host after to\n", linenum);
232 if (ipn.in_redir == NAT_REDIRECT) {
233 if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
234 (u_32_t *)&ipn.in_outmsk, &ipn.in_dport,
235 &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
238 ipn.in_pmin = htons(ipn.in_dport);
240 if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
241 (u_32_t *)&ipn.in_srcmsk, &ipn.in_dport,
242 &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
249 fprintf(stderr, "%d: short line\n", linenum);
254 fprintf(stderr, "%d: no netmask on LHS\n", linenum);
258 if (ipn.in_redir == NAT_REDIRECT) {
259 if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1)
261 if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) {
265 if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) == -1)
267 if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) {
273 fprintf(stderr, "%d: short line\n", linenum);
279 * If it is a standard redirect then we expect it to have a port
280 * match after the hostmask.
282 if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
283 if (strcasecmp(*cpp, "port")) {
284 fprintf(stderr, "%d: missing fields - 1st port\n",
293 "%d: missing fields (destination port)\n",
298 if (isdigit(**cpp) && (s = strchr(*cpp, '-')))
305 if (!strcmp(*cpp, "-")) {
313 ipn.in_pmax = ipn.in_pmin;
317 * In the middle of the NAT rule syntax is -> to indicate the
318 * direction of translation.
321 fprintf(stderr, "%d: missing fields (->)\n", linenum);
324 if (strcmp(*cpp, "->")) {
325 fprintf(stderr, "%d: missing ->\n", linenum);
331 fprintf(stderr, "%d: missing fields (%s)\n",
332 linenum, ipn.in_redir ? "destination" : "target");
336 if (ipn.in_redir == NAT_MAP) {
337 if (!strcasecmp(*cpp, "range")) {
339 ipn.in_flags |= IPN_IPRANGE;
341 fprintf(stderr, "%d: missing fields (%s)\n",
343 ipn.in_redir ? "destination":"target");
349 if (ipn.in_flags & IPN_IPRANGE) {
350 dnetm = strrchr(*cpp, '-');
353 if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1))
357 if (dnetm == NULL || *dnetm == '\0') {
359 "%d: desination range not specified\n",
363 } else if (ipn.in_redir != NAT_REDIRECT) {
364 dnetm = strrchr(*cpp, '/');
367 if (*cpp && !strcasecmp(*cpp, "netmask"))
372 "%d: missing fields (dest netmask)\n",
380 if (ipn.in_redir == NAT_REDIRECT) {
381 dnetm = strchr(*cpp, ',');
383 ipn.in_flags |= IPN_SPLIT;
386 if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1)
389 if (ntohl(ipn.in_inip) == INADDR_LOOPBACK) {
391 "localhost as destination not supported\n");
396 if (!strcmp(*cpp, ipn.in_ifname))
398 if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1)
403 if (ipn.in_redir & NAT_MAPBLK) {
405 if (strcasecmp(*cpp, "ports")) {
407 "%d: expected \"ports\" - got \"%s\"\n",
414 "%d: missing argument to \"ports\"\n",
418 if (!strcasecmp(*cpp, "auto"))
419 ipn.in_flags |= IPN_AUTOPORTMAP;
421 ipn.in_pmin = atoi(*cpp);
425 } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
426 if (*cpp && (strrchr(*cpp, '/') != NULL)) {
427 fprintf(stderr, "%d: No netmask supported in %s\n",
428 linenum, "destination host for redirect");
433 fprintf(stderr, "%d: Missing destination port %s\n",
434 linenum, "in redirect");
438 /* If it's a in_redir, expect target port */
440 if (strcasecmp(*cpp, "port")) {
441 fprintf(stderr, "%d: missing fields - 2nd port (%s)\n",
448 "%d: missing fields (destination port)\n",
455 if (dnetm && *dnetm == '/')
458 if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
459 if (ipn.in_flags & IPN_IPRANGE) {
460 if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm,
463 } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk))
466 if (ipn.in_flags & IPN_SPLIT) {
467 if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm,
470 } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk))
473 ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */
477 if (!strcasecmp(proto, "tcp"))
478 ipn.in_flags |= IPN_TCP;
479 else if (!strcasecmp(proto, "udp"))
480 ipn.in_flags |= IPN_UDP;
481 else if (!strcasecmp(proto, "tcp/udp"))
482 ipn.in_flags |= IPN_TCPUDP;
483 else if (!strcasecmp(proto, "tcpudp")) {
484 ipn.in_flags |= IPN_TCPUDP;
486 } else if (!strcasecmp(proto, "ip"))
487 ipn.in_flags |= IPN_ANY;
489 ipn.in_flags |= IPN_ANY;
490 if ((pr = getprotobyname(proto)))
491 ipn.in_p = pr->p_proto;
493 if (!isdigit(*proto)) {
495 "%d: Unknown protocol %s\n",
499 ipn.in_p = atoi(proto);
502 if ((ipn.in_flags & IPN_TCPUDP) == 0) {
507 if (*cpp && !strcasecmp(*cpp, "round-robin")) {
509 ipn.in_flags |= IPN_ROUNDR;
512 if (*cpp && !strcasecmp(*cpp, "frag")) {
514 ipn.in_flags |= IPN_FRAG;
517 if (*cpp && !strcasecmp(*cpp, "age")) {
521 "%d: age with no parameters\n",
526 ipn.in_age[0] = atoi(*cpp);
527 s = index(*cpp, '/');
529 ipn.in_age[1] = atoi(s + 1);
531 ipn.in_age[1] = ipn.in_age[0];
535 if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
538 ipn.in_mssclamp = atoi(*cpp);
542 "%d: mssclamp with no parameters\n",
550 "%d: extra junk at the end of the line: %s\n",
557 if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
558 if (!portnum(port1a, &ipn.in_pmin, linenum))
560 ipn.in_pmin = htons(ipn.in_pmin);
561 if (port1b != NULL) {
562 if (!portnum(port1b, &ipn.in_pmax, linenum))
564 ipn.in_pmax = htons(ipn.in_pmax);
566 ipn.in_pmax = ipn.in_pmin;
569 if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
570 if (!portnum(port2a, &ipn.in_pnext, linenum))
572 ipn.in_pnext = htons(ipn.in_pnext);
575 if (!(ipn.in_flags & IPN_SPLIT))
576 ipn.in_inip &= ipn.in_inmsk;
577 if ((ipn.in_flags & IPN_IPRANGE) == 0)
578 ipn.in_outip &= ipn.in_outmsk;
579 ipn.in_srcip &= ipn.in_srcmsk;
581 if ((ipn.in_redir & NAT_MAPBLK) != 0)
582 nat_setgroupmap(&ipn);
584 if (*cpp && !*(cpp+1) && !strcasecmp(*cpp, "frag")) {
586 ipn.in_flags |= IPN_FRAG;
592 if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy")) {
593 if (ipn.in_redir == NAT_BIMAP) {
594 fprintf(stderr, "%d: cannot use proxy with bimap\n",
601 "%d: missing parameter for \"proxy\"\n",
607 if (!strcasecmp(*cpp, "port")) {
611 "%d: missing parameter for \"port\"\n",
621 "%d: missing parameter for \"proxy\"\n",
627 "%d: missing keyword \"port\"\n", linenum);
631 if ((proto = index(*cpp, '/'))) {
633 if ((pr = getprotobyname(proto)))
634 ipn.in_p = pr->p_proto;
636 ipn.in_p = atoi(proto);
640 if (dport && !portnum(dport, &ipn.in_dport, linenum))
642 ipn.in_dport = htons(ipn.in_dport);
644 (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
647 } else if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "portmap")) {
648 if (ipn.in_redir == NAT_BIMAP) {
649 fprintf(stderr, "%d: cannot use portmap with bimap\n",
656 "%d: missing expression following portmap\n",
661 if (!strcasecmp(*cpp, "tcp"))
662 ipn.in_flags |= IPN_TCP;
663 else if (!strcasecmp(*cpp, "udp"))
664 ipn.in_flags |= IPN_UDP;
665 else if (!strcasecmp(*cpp, "tcpudp"))
666 ipn.in_flags |= IPN_TCPUDP;
667 else if (!strcasecmp(*cpp, "tcp/udp"))
668 ipn.in_flags |= IPN_TCPUDP;
671 "%d: expected protocol name - got \"%s\"\n",
679 fprintf(stderr, "%d: no port range found\n", linenum);
683 if (!strcasecmp(*cpp, "auto")) {
684 ipn.in_flags |= IPN_AUTOPORTMAP;
685 ipn.in_pmin = htons(1024);
686 ipn.in_pmax = htons(65535);
687 nat_setgroupmap(&ipn);
690 if (!(t = strchr(*cpp, ':'))) {
692 "%d: no port range in \"%s\"\n",
697 if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
698 !portnum(t, &ipn.in_pmax, linenum))
700 ipn.in_pmin = htons(ipn.in_pmin);
701 ipn.in_pmax = htons(ipn.in_pmax);
706 if (*cpp && !strcasecmp(*cpp, "frag")) {
708 ipn.in_flags |= IPN_FRAG;
711 if (*cpp && !strcasecmp(*cpp, "age")) {
714 fprintf(stderr, "%d: age with no parameters\n",
718 ipn.in_age[0] = atoi(*cpp);
719 s = index(*cpp, '/');
721 ipn.in_age[1] = atoi(s + 1);
723 ipn.in_age[1] = ipn.in_age[0];
727 if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
730 ipn.in_mssclamp = atoi(*cpp);
733 fprintf(stderr, "%d: mssclamp with no parameters\n",
740 fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
748 void natparsefile(fd, file, opts)
758 if (strcmp(file, "-")) {
759 if (!(fp = fopen(file, "r"))) {
760 fprintf(stderr, "%s: open: %s\n", file,
767 while (fgets(line, sizeof(line) - 1, fp)) {
769 line[sizeof(line) - 1] = '\0';
770 if ((s = strchr(line, '\n')))
773 if (!(np = natparse(line, linenum))) {
775 fprintf(stderr, "%d: syntax error in \"%s\"\n",
778 if ((opts & OPT_VERBOSE) && np)
780 if (!(opts & OPT_NODO)) {
781 if (!(opts & OPT_REMOVE)) {
782 if (ioctl(fd, SIOCADNAT, &np) == -1) {
783 fprintf(stderr, "%d:",
785 perror("ioctl(SIOCADNAT)");
787 } else if (ioctl(fd, SIOCRMNAT, &np) == -1) {
788 fprintf(stderr, "%d:", linenum);
789 perror("ioctl(SIOCRMNAT)");
projects / dragonfly.git / blob