1 '\" te
2 .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH IPNAT 7I "May 22, 2008"
7 .SH NAME
8 ipnat \- IP Filter/NAT module interface
9 .SH DESCRIPTION
10 .sp
11 .LP
12 The \fBipnat\fR device provides interfaction with the NAT features of the
13 Solaris IPFilter.
14 .SH APPLICATION PROGRAMMING INTERFACE
15 .sp
16 .LP
17 The NAT features programming model is a component of the Solaris IP Filter and
18 is accessed via the NAT device file \fB/dev/ipnat\fR. Opening the device for
19 reading or writing determines which ioctl calls can be successfully made.
20 .SH IOCTLS
21 .sp
22 .LP
23 The caller must construct a \fBipfobj\fR structure when issuing a
24 \fBSIOCGNATL\fR or \fBSIOCSTPUT\fR. The \fBipfobj\fR structure is then passed
25 to the ioctl call and is filled out with ipfo_type set to \fBIPFOBJ_value\fR.
26 \fBIPFOBJ_ value\fR provides a matching name for the structure, while ipfo_size
27 is set to the total size of the structure being passed and ipfo_ptr is set to
28 the structure address. The ipfo_rev structure should be set to the current
29 value of IPFILTER_VERSION, while ipfo_offset and ipfo_xxxpad should be set to
30 0.
31 .sp
32 .in +2
33 .nf
34 /*
35 * Structure used with SIOCGNATL/SIOCSTPUT.
36 */
37 /*
38 * Object structure description. For passing through in ioctls.
39 */
40 typedef struct ipfobj {
41 u_32_t ipfo_rev; /* IPFilter version (IPFILTER_VERSION) */
42 u_32_t ipfo_size; /* size of object at ipfo_ptr */
43 void *ipfo_ptr; /* pointer to object */
44 int ipfo_type; /* type of object being pointed to */
45 int ipfo_offset; /* bytes from ipfo_ptr where to start */
46 u_char ipfo_xxxpad[32]; /* reserved for future use */
47 } ipfobj_t;
48
49 #define IPFILTER_VERSION 4010901 /* IPFilter version */
50 #define IPFOBJ_NATSAVE 8 /* struct nat_save */
51 #define IPFOBJ_NATLOOKUP 9 /* struct natlookup */
52 .fi
53 .in -2
54
55 .sp
56 .LP
57 The following ioctl() calls may be used to manipulate the ipnat sub-system
58 inside of ipf. Note that the ipnat driver only accept calls from applications
59 using the same data model as the kernel. In other words, 64-bit kernels can
60 only accept calls from 64-bit applications. Calls from 32-bit applications fail
61 with \fBEINVAL\fR.
62 .sp
63 .ne 2
64 .na
65 \fB\fBSIOCSTLCK\fR\fR
66 .ad
67 .RS 13n
68 Set or clear the NAT lock to prevent table updates attributable to packet
69 flow-through.
70 .RE
71
72 .sp
73 .ne 2
74 .na
75 \fB\fBSIOCGNATL\fR\fR
76 .ad
77 .RS 13n
78 Search the NAT table for the rdr entry that matches the fields in the natlookup
79 structure. The caller must populate the structure with the address/port
80 information of the accepted TCP connection (nl_inip, nl_inport) and the
81 address/port information of the peer (nl_outip, nl_outport). The nl_flags field
82 must have the IPN_TCP option set. All other fields must be set to 0. If the
83 call succeeds, nl_realip and nl_realport are set to the real destination
84 address and port, respectively. The nl_inport and nl_outport fields must be in
85 host byte order.
86 .sp
87 If \fBIPN_FINDFORWARD\fR is set in nl_flags, a check is made to see if it is
88 possible to create an outgoing NAT session by checking if a packet coming from
89 (nl_realip,nl_realport) and destined for (nl_outip,nl_outport) can be
90 translated. If translation is possible, the flag remains set, otherwise it is
91 cleared in the structure returned to the caller.
92 .sp
93 .in +2
94 .nf
95 /*
96 * Structure used with SIOCGNATL.
97 */
98 typedef struct natlookup {
99 i6addr_t nl_inipaddr;
100 i6addr_t nl_outipaddr;
101 i6addr_t nl_realipaddr;
102 int nl_v;
103 int nl_flags;
104 u_short nl_inport;
105 u_short nl_outport;
106 u_short nl_realport;
107 } natlookup_t
108
109 #define nl_inip nl_inipaddr.in4
110 #define nl_outip nl_outipaddr.in4
111 #define nl_realip nl_realipaddr.in4
112 #define nl_inip6 nl_inipaddr.in6
113 #define nl_outip6 nl_outipaddr.in6
114 #define nl_realip6 nl_realipaddr.in6
115
116 /*
117 * Accepted values for nl_flags
118 */
119 #define IPN_TCP 0x00001
120 #define IPN_FINDFORWARD 0x400000
121 .fi
122 .in -2
123
124 .RE
125
126 .sp
127 .ne 2
128 .na
129 \fB\fBSIOCSTPUT\fR\fR
130 .ad
131 .RS 13n
132 Move a NAT mapping structure from user space into the kernel. This ioctl is
133 used by \fBipfs\fR(1M) to restore NAT sessions saved in
134 \fB/var/db/ipf/ipnat.ipf\fR. The nat_save structure must have its ipn_nat and
135 ipn_ipnat structures filled out correctly. Fields not assigned a value must be
136 initialised to 0. All pointer fields are adjusted, as appropriate, once the
137 structure is passed into the kernel and none are preserved.
138 .sp
139 To create a translation, the following fields must be set:
140 .br
141 .in +2
142 Interface name - The interface name on which the host is to be exited must be
143 set in nat_ifnames[0].
144 .in -2
145 .br
146 .in +2
147 Local IP address and port number - The connection's local IP address and port
148 number are stored in network byte order using nat_inip/nat_inport.
149 .in -2
150 .br
151 .in +2
152 Destination address/port - The destination address/port are stored in
153 nat_oip/nat_oport.
154 .in -2
155 .br
156 .in +2
157 Target address/port - The translation's target address/port is stored in
158 nat_outip/nat_outport.
159 .in -2
160 The caller must also precalculate the checksum adjustments necessary to
161 complete the translation and store those values in nat_sumd (delta required for
162 TCP header) and nat_ipsumd (delta required for IP header).
163 .sp
164 .in +2
165 .nf
166 /*
167 * Structures used with SIOCSTPUT.
168 */
169 typedef struct nat_save {
170 void *ipn_next;
171 struct nat ipn_nat;
172 struct ipnat ipn_ipnat;
173 struct frentry ipn_fr;
174 int ipn_dsize;
175 char ipn_data[4];
176 } nat_save_t;
177
178 typedef struct nat {
179 ipfmutex_t nat_lock;
180 struct nat *nat_next;
181 struct nat **nat_pnext;
182 struct nat *nat_hnext[2];
183 struct nat **nat_phnext[2];
184 struct hostmap *nat_hm;
185 void *nat_data;
186 struct nat **nat_me;
187 struct ipstate *nat_state;
188 struct ap_session *nat_aps;
189 frentry_t *nat_fr;
190 struct ipnat *nat_ptr;
191 void *nat_ifps[2];
192 void *nat_sync;
193 ipftqent_t nat_tqe;
194 u_32_t nat_flags;
195 u_32_t nat_sumd[2];
196 u_32_t nat_ipsumd;
197 u_32_t nat_mssclamp;
198 i6addr_t nat_inip6;
199 i6addr_t nat_outip6;
200 i6addr_t nat_oip6;
201 U_QUAD_T nat_pkts[2];
202 U_QUAD_T nat_bytes[2];
203 union {
204 udpinfo_t nat_unu;
205 tcpinfo_t nat_unt;
206 icmpinfo_t nat_uni;
207 greinfo_t nat_ugre;
208 } nat_un;
209 u_short nat_oport;
210 u_short nat_use;
211 u_char nat_p;
212 int nat_dir;
213 int nat_ref;
214 int nat_hv[2];
215 char nat_ifnames[2][LIFNAMSIZ];
216 int nat_rev;
217 int nat_v;
218 } nat_t;
219
220 #define nat_inip nat_inip6.in4
221 #define nat_outip nat_outip6.in4
222 #define nat_oip nat_oip6.in4
223 #define nat_inport nat_un.nat_unt.ts_sport
224 #define nat_outport nat_un.nat_unt.ts_dport
225 /*
226 * Values for nat_dir
227 */
228 #define NAT_INBOUND 0
229 #define NAT_OUTBOUND 1
230 /*
231 * Definitions for nat_flags
232 */
233 #define NAT_TCP 0x0001 /* IPN_TCP */
234 .fi
235 .in -2
236
237 .RE
238
239 .SH EXAMPLES
240 .sp
241 .LP
242 The following example shows how to prepare and use \fBSIOCSTPUT\fR to insert a
243 NAT session directly into the table. Note that the usual TCP/IP code is omitted
244 is this example.
245 .sp
246 .LP
247 In the code segment below, incoming_fd is the TCP connection file descriptor
248 that is accepted as part of the redirect process, while remote_fd is the
249 outgoing TCP connection to the remote server being translated back to the
250 original IP address/port pair.
251 .LP
252 Note -
253 .sp
254 .RS 2
255 The following ipnat headers must be included before you can use the code shown
256 in this example:
257 .sp
258 .in +2
259 .nf
260 #include <netinet/in.h>
261 #include <arpa/inet.h>
262 #include <net/if.h>
263 #include <netinet/ipl.h>
264 #include <netinet/ip_compat.h>
265 #include <netinet/ip_fil.h>
266 #include <netinet/ip_nat.h>
267 #include <string.h>
268 #include <fcntl.h>
269 .fi
270 .in -2
271
272 .RE
273 .LP
274 Note -
275 .sp
276 .RS 2
277 In the example below, various code fragments have been excluded to enhance
278 clarity.
279 .RE
280 .sp
281 .in +2
282 .nf
283 int
284 translate_connection(int incoming_fd)
285 {
286 struct sockaddr_in usin;
287 struct natlookup nlp;
288 struct nat_save ns;
289 struct ipfobj obj;
290 struct nat *nat;
291 int remote_fd;
292 int nat_fd;
293 int onoff;
294
295 memset(&ns, 0, sizeof(ns));
296 nat = &ns.ipn_nat
297
298 namelen = sizeof(usin);
299 getsockname(remote_fd, (struct sockaddr *)&usin, &namelen);
300
301 namelen = sizeof(sin);
302 getpeername(incoming_fd, (struct sockaddr *) &sin, &namelen);
303
304 namelen = sizeof(sloc);
305 getsockname(incoming_fd, (struct sockaddr *) &sloc, &namelen);
306
307 bzero((char *) &obi, sizeof(obj));
308 obj.ipfo_rev = IPFILTER_VERSION;
309 obj.ipfo_size = sizeof(nlp);
310 obj.ipfo_ptr = &nip;
311 obj.ipfo_type = IPFOBJ_NATLOOKUP;
312
313 /*
314 * Build up the NAT natlookup structure.
315 */
316 bzero((char *) &nlp, sizeof(nlp));
317 nlp.nl_outip = sin.sin_addr;
318 nlp.nl_inip = sloc.sin_addr;
319 nlp.nl_flags = IPN_TCP;
320 nlp.nl_outport = ntohs(sin.sin_port);
321 nlp.nl_inport = ntohs(sloc.sin_port);
322
323 /*
324 * Open the NAT device and lookup the mapping pair.
325 */
326 nat_fd = open(IPNAT_NAME, O_RDWR);
327 if (ioctl(nat_fd, SIOCGNATL, &obj) != 0)
328 return -1;
329
330 nat->nat_inip = usin.sin_addr;
331 nat->nat_outip = nlp.nl_outip;
332 nat->nat_oip = nlp.nl_realip;
333
334 sum1 = LONG_SUM(ntohl(usin.sin_addr.s_addr)) +
335 ntohs(usin.sin_port);
336 sum2 = LONG_SUM(ntohl(nat->nat_outip.s_addr)) +
337 ntohs(nlp.nl_outport);
338 CALC_SUMD(sum1, sum2, sumd);
339 nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
340 nat->nat_sumd[1] = nat->nat_sumd[0];
341
342 sum1 = LONG_SUM(ntohl(usin.sin_addr.s_addr));
343 sum2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
344 CALC_SUMD(sum1, sum2, sumd);
345 nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
346
347 nat->nat_inport = usin.sin_port;
348 nat->nat_outport = nlp.nl_outport;
349 nat->nat_oport = nlp.nl_realport;
350
351 nat->nat_flags = IPN_TCPUDP;
352
353 /*
354 * Prepare the ipfobj structure, accordingly.
355 */
356 bzero((char *)&obi, sizeof(obj));
357 obj.ipfo_rev = IPFILTER_VERSION;
358 obj.ipfo_size = sizeof(*nsp);
359 obj.ipfo_ptr = nsp;
360 obj.ipfo_type = IPFOBJ_NATSAVE;
361
362 onoff = 1;
363 if (ioctl(nat_fd, SIOCSTPUT, &obj) != 0)
364 fprintf(stderr, "Error occurred\en");
365
366 return connect(rem_fd, (struct sockaddr ) &usin, sizeof(usin));
367 }
368 .fi
369 .in -2
370
371 .SH ERRORS
372 .sp
373 .ne 2
374 .na
375 \fBEPERM\fR
376 .ad
377 .RS 10n
378 The device has been opened for reading only. To succeed, the ioctl call must be
379 opened for both reading and writing. The call may be returned if it is
380 privileged and the calling process did not assert {\fBPRIV_SYS_NET_CONFIG\fR}
381 in the effective set.
382 .RE
383
384 .sp
385 .ne 2
386 .na
387 \fBENOMEM\fR
388 .ad
389 .RS 10n
390 More memory was allocated than the kernel can provide. The call may also be
391 returned if the application inserts a NAT entry that exceeds the hash bucket
392 chain's maximum length.
393 .RE
394
395 .sp
396 .ne 2
397 .na
398 \fBEFAULT\fR
399 .ad
400 .RS 10n
401 The calling process specified an invalid pointer in the ipfobj structure.
402 .RE
403
404 .sp
405 .ne 2
406 .na
407 \fBEINVAL\fR
408 .ad
409 .RS 10n
410 The calling process detected a parameter or field set to an unacceptable value.
411 .RE
412
413 .sp
414 .ne 2
415 .na
416 \fBEEXIST\fR
417 .ad
418 .RS 10n
419 The calling process, via \fBSIOCSTPUT\fR, attempted to add a NAT entry that
420 already exists in the NAT table.
421 .RE
422
423 .sp
424 .ne 2
425 .na
426 \fBESRCH\fR
427 .ad
428 .RS 10n
429 The calling process called \fBSIOCSTPUT\fR before setting the SI_NEWFR flag and
430 providing a pointer in the nat_fr field that cannot be found in the current
431 rule set.
432 .RE
433
434 .sp
435 .ne 2
436 .na
437 \fBEACESS\fR
438 .ad
439 .RS 10n
440 The calling process issued a \fBSIOCSTPUT\fR before issuing a SIOCSTLCK.
441 .RE
442
443 .SH ATTRIBUTES
444 .sp
445 .LP
446 See \fBattributes\fR(5) for descriptions of the following attributes:
447 .sp
448
449 .sp
450 .TS
451 box;
452 c | c
453 l | l .
454 ATTRIBUTE TYPE ATTRIBUTE VALUE
455 _
456 Interface Stability Committed
457 .TE
458
459 .SH SEE ALSO
460 .sp
461 .LP
462 \fBipfs\fR(1M), \fBipnat\fR(1M), \fBioctl\fR(2), \fBattributes\fR(5)