Add hooks for an IP NAT module, much like the firewall stuff...

Move the sockopt definitions for the firewall code from ip_fw.h to in.h where it belongs.
1996-08-21 21:37:07 +00:00 · 1996-08-21 21:37:07 +00:00 · fed1c7e9e4
commit fed1c7e9e4
parent 1702c53ed2
5 changed files with 60 additions and 23 deletions
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 *	@(#)in.h	8.3 (Berkeley) 1/3/94
- * $Id: in.h,v 1.18 1996/07/10 19:44:20 julian Exp $
+ * $Id: in.h,v 1.19 1996/08/12 14:05:53 peter Exp $
 */

 #ifndef _NETINET_IN_H_
@ -220,6 +220,13 @@ struct ip_opts {
 #define IP_RSVP_VIF_OFF		18   /* unset RSVP per-vif socket */
 #define IP_PORTRANGE		19   /* int; range to choose for unspec port */

+#define IP_FW_ADD     		50   /* add a firewall rule to chain */
+#define IP_FW_DEL    		51   /* delete a firewall rule from chain */
+#define IP_FW_FLUSH   		52   /* flush firewall rule chain */
+#define IP_FW_ZERO    		53   /* clear all firewall counters */
+#define IP_FW_GET     		54   /* get entire firewall rule chain */
+#define IP_NAT			55   /* set/get NAT opts */
+
 /*
 * Defaults and limits for options
 */
@ -322,10 +329,19 @@ char 	*inet_ntoa __P((struct in_addr)); /* in libkern */

 /* Firewall hooks */
 struct ip;
-typedef  int ip_fw_chk_t __P((struct ip**, int, struct ifnet*, int, struct mbuf**));
-typedef  int ip_fw_ctl_t __P((int, struct mbuf**));
-extern ip_fw_chk_t *ip_fw_chk_ptr;
-extern ip_fw_ctl_t *ip_fw_ctl_ptr;
+typedef	int ip_fw_chk_t __P((struct ip**, int, struct ifnet*, int, struct mbuf**));
+typedef	int ip_fw_ctl_t __P((int, struct mbuf**));
+extern	ip_fw_chk_t *ip_fw_chk_ptr;
+extern	ip_fw_ctl_t *ip_fw_ctl_ptr;
+
+/* ip NAT hooks */
+typedef	int ip_nat_t __P((struct ip**, struct mbuf**, int));
+typedef	int ip_nat_ctl_t __P((int, struct mbuf**));
+extern	ip_nat_t *ip_nat_ptr;
+extern	ip_nat_ctl_t *ip_nat_ctl_ptr;
+#define	IP_NAT_IN	0x00000001
+#define	IP_NAT_OUT	0x00000002
+
 #endif /* KERNEL */

 #endif
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@ -11,7 +11,7 @@
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
- *	$Id: ip_fw.h,v 1.21 1996/07/10 19:44:24 julian Exp $
+ *	$Id: ip_fw.h,v 1.22 1996/08/13 19:43:41 pst Exp $
 */

 /*
@ -113,17 +113,6 @@ struct ip_fw_chain {
 #define IP_FW_TCPF_URG		TH_URG
 #define IP_FW_TCPF_ESTAB	0x40

-/*
- * New IP firewall options for [gs]etsockopt at the RAW IP level.
- */
-#define IP_FW_BASE_CTL	50
-
-#define IP_FW_ADD     (IP_FW_BASE_CTL+0)
-#define IP_FW_DEL     (IP_FW_BASE_CTL+1)
-#define IP_FW_FLUSH   (IP_FW_BASE_CTL+2)
-#define IP_FW_ZERO    (IP_FW_BASE_CTL+3)
-#define IP_FW_GET     (IP_FW_BASE_CTL+4)
-
 /*
 * Main firewall chains definitions and global var's definitions.
 */
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
- * $Id: ip_input.c,v 1.44 1996/06/12 19:34:33 gpalmer Exp $
+ * $Id: ip_input.c,v 1.45 1996/07/10 19:44:25 julian Exp $
 */

 #include "opt_ipfw.h"
@ -114,6 +114,10 @@ SYSCTL_INT(_net_inet_ip, IPCTL_DEFMTU, mtu, CTLFLAG_RW,
 ip_fw_chk_t *ip_fw_chk_ptr;
 ip_fw_ctl_t *ip_fw_ctl_ptr;

+/* IP Network Address Translation (NAT) hooks */ 
+ip_nat_t *ip_nat_ptr;
+ip_nat_ctl_t *ip_nat_ctl_ptr;
+
 /*
 * We need to save the IP options in case a protocol wants to respond
 * to an incoming packet over the same route if the packet got here
@ -175,6 +179,10 @@ ip_init()
 #ifdef IPFIREWALL
 	ip_fw_init();
 #endif
+#ifdef IPNAT
+        ip_nat_init(); 
+#endif
+
 }

 static struct	sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
@ -265,6 +273,7 @@ ip_input(struct mbuf *m)
 	 * and it is still fresh out of network we do our black
 	 * deals with it.
 	 * - Firewall: deny/allow/divert
+	 * - Xlate: translate packet's addr/port (NAT).
 	 * - Wrap: fake packet's addr/port <unimpl.>
 	 * - Encapsulate: put it in another IP and send out. <unimp.>
 	 */
@ -290,6 +299,9 @@ ip_input(struct mbuf *m)
 		}
 	}

+        if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, IP_NAT_IN))
+		return;
+
 	/*
 	 * Process options and, if not destined for us,
 	 * ship it on.  ip_dooptions returns 1 when an
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 *	@(#)ip_output.c	8.3 (Berkeley) 1/21/94
- *	$Id: ip_output.c,v 1.40 1996/06/08 08:18:59 bde Exp $
+ *	$Id: ip_output.c,v 1.41 1996/07/10 19:44:26 julian Exp $
 */

 #define _IP_VHL
@ -331,6 +331,19 @@ ip_output(m0, opt, ro, flags, imo)
 	}

 sendit:
+        /*
+	 * IpHack's section.
+	 * - Xlate: translate packet's addr/port (NAT).
+	 * - Firewall: deny/allow
+	 * - Wrap: fake packet's addr/port <unimpl.>
+	 * - Encapsulate: put it in another IP and send out. <unimp.>
+	 */ 
+
+        if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, IP_NAT_OUT)) {
+		error = EACCES; 
+		goto done;
+	}
+
 #ifdef COMPAT_IPFW
 	/*
 	 * Check with the firewall...
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 *	@(#)raw_ip.c	8.7 (Berkeley) 5/15/95
- *	$Id: raw_ip.c,v 1.32 1996/07/20 00:16:20 alex Exp $
+ *	$Id: raw_ip.c,v 1.33 1996/07/24 18:46:18 wollman Exp $
 */

 #include <sys/param.h>
@ -235,23 +235,30 @@ rip_ctloutput(op, so, level, optname, m)

 #ifdef COMPAT_IPFW
 	case IP_FW_GET:
-		if (ip_fw_ctl_ptr==NULL || op == PRCO_SETOPT) {
+		if (ip_fw_ctl_ptr == NULL || op == PRCO_SETOPT) {
 			if (*m) (void)m_free(*m);
 			return(EINVAL);
 		}
 		return (*ip_fw_ctl_ptr)(optname, m); 
+
 	case IP_FW_ADD:
 	case IP_FW_DEL:
 	case IP_FW_FLUSH:
 	case IP_FW_ZERO:
-		if (ip_fw_ctl_ptr==NULL || op != PRCO_SETOPT) {
+		if (ip_fw_ctl_ptr == NULL || op != PRCO_SETOPT) {
 			if (*m) (void)m_free(*m);
 			return(EINVAL);
 		}
-
 		return (*ip_fw_ctl_ptr)(optname, m); 
 #endif

+	case IP_NAT:
+		if (ip_nat_ctl_ptr == NULL) {
+			if (*m) (void)m_free(*m);
+			return(EINVAL);
+		}
+		return (*ip_nat_ctl_ptr)(optname, m); 
+
 	case IP_RSVP_ON:
 		return ip_rsvp_init(so);
 		break;