Add support for dynamic NAT rules and dynamic portmap. (#31)

Author: rmind

src/kern/Makefile

@@ -41,7 +41,7 @@ CFLAGS+=	-DNDEBUG
 OBJDIR=		build
 endif
 
-LDFLAGS+=	-lpthread -lnv -lpcap -lqsbr -lthmap -llpm -lcdb -lbpfjit
+LDFLAGS+=	-lpthread -lnv -lqsbr -lthmap -llpm -lcdb -lbpfjit
 ifeq ($(SYSNAME),Linux)
 LDFLAGS+=	-ljemalloc
 endif

src/kern/files.npf

@@ -28,6 +28,7 @@ file	net/npf/npf_conndb.c			npf
 file	net/npf/npf_state.c			npf
 file	net/npf/npf_state_tcp.c			npf
 file	net/npf/npf_nat.c			npf
+file	net/npf/npf_portmap.c			npf
 file	net/npf/npf_alg.c			npf
 file	net/npf/npf_sendpkt.c			npf
 file	net/npf/npf_worker.c			npf

src/kern/npf-params.7

@@ -98,6 +98,14 @@ Timeout for the TCP time-wait state.
 Default: 240.
 .El
 .\" ---
+.It Li portmap.min_port
+Lower bound of the port range used when selecting the port for dynamic NAT
+with port translation enabled.
+Default: 1024 (also the lowest allowed value).
+.It Li portmap.max_port
+Upper bound of the port range as described above.
+Default: 65535 (also the highest allowed value).
+.\" ---
 .El
 .\" -----
 .Sh EXAMPLES

src/kern/npf.c

@@ -80,6 +80,7 @@ npf_create(int flags, const npf_mbufops_t *mbufops, const npf_ifops_t *ifops)
 	npf_state_sysinit(npf);
 	npf_ifmap_init(npf, ifops);
 	npf_conn_init(npf, flags);
+	npf_portmap_init(npf);
 	npf_alg_init(npf);
 	npf_ext_init(npf);
 
@@ -100,6 +101,7 @@ npf_destroy(npf_t *npf)
 	/* Finally, safe to destroy the subsystems. */
 	npf_ext_fini(npf);
 	npf_alg_fini(npf);
+	npf_portmap_fini(npf);
 	npf_conn_fini(npf);
 	npf_ifmap_fini(npf);
 	npf_state_sysfini(npf);

src/kern/npf_conf.c

@@ -169,6 +169,7 @@ npf_config_load(npf_t *npf, npf_ruleset_t *rset, npf_tableset_t *tset,
 	/* Synchronise: drain all references. */
 	pserialize_perform(npf->qsbr);
 	if (flush) {
+		npf_portmap_flush(npf);
 		npf_ifmap_flush(npf);
 	}
 

src/kern/npf_conndb.c

@@ -32,8 +32,8 @@
  *
  * Warning (not applicable for the userspace npfkern):
  *
- *	The thmap data is partially lock-free data structure that uses its
- *	own spin-locks on the writer side (insert/delete operations).
+ *	thmap is partially lock-free data structure that uses its own
+ *	spin-locks on the writer side (insert/delete operations).
  *
  *	The relevant interrupt priority level (IPL) must be set and the
  *	kernel preemption disabled across the critical paths to prevent
@@ -93,8 +93,8 @@ typedef struct {
 void
 npf_conndb_sysinit(npf_t *npf)
 {
-	const size_t len = sizeof(npf_conndb_params_t);
-	npf_conndb_params_t *params = kmem_zalloc(len, KM_SLEEP);
+	npf_conndb_params_t *params = npf_param_allocgroup(npf,
+	    NPF_PARAMS_CONNDB, sizeof(npf_conndb_params_t));
 	npf_param_t param_map[] = {
 		{
 			"gc.step",
@@ -104,14 +104,13 @@ npf_conndb_sysinit(npf_t *npf)
 		}
 	};
 	npf_param_register(npf, param_map, __arraycount(param_map));
-	npf->params[NPF_PARAMS_CONNDB] = params;
 }
 
 void
 npf_conndb_sysfini(npf_t *npf)
 {
 	const size_t len = sizeof(npf_conndb_params_t);
-	kmem_free(npf->params[NPF_PARAMS_CONNDB], len);
+	npf_param_freegroup(npf, NPF_PARAMS_CONNDB, len);
 }
 
 npf_conndb_t *

src/kern/npf_ctl.c

@@ -453,8 +453,58 @@ npf_mk_rules(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict,
 }
 
 static int __noinline
-npf_mk_natlist(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict,
-    npf_tableset_t *tblset, npf_ruleset_t **ntsetp)
+npf_mk_singlenat(npf_t *npf, const nvlist_t *nat, npf_ruleset_t *ntset,
+    npf_tableset_t *tblset, nvlist_t *errdict, npf_rule_t **rlp)
+{
+	npf_rule_t *rl = NULL;
+	npf_natpolicy_t *np;
+	int error;
+
+	/*
+	 * NAT rules are standard rules, plus the translation policy.
+	 * We first construct the rule structure.
+	 */
+	error = npf_mk_singlerule(npf, nat, NULL, &rl, errdict);
+	if (error) {
+		return error;
+	}
+	KASSERT(rl != NULL);
+	*rlp = rl;
+
+	/* If rule is named, it is a group with NAT policies. */
+	if (dnvlist_get_string(nat, "name", NULL)) {
+		return 0;
+	}
+
+	/* Check the table ID. */
+	if (nvlist_exists_number(nat, "nat-table-id")) {
+		unsigned tid = nvlist_get_number(nat, "nat-table-id");
+
+		if (!npf_tableset_getbyid(tblset, tid)) {
+			NPF_ERR_DEBUG(errdict);
+			error = EINVAL;
+			goto out;
+		}
+	}
+
+	/* Allocate a new NAT policy and assign it to the rule. */
+	np = npf_nat_newpolicy(npf, nat, ntset);
+	if (np == NULL) {
+		NPF_ERR_DEBUG(errdict);
+		error = ENOMEM;
+		goto out;
+	}
+	npf_rule_setnat(rl, np);
+out:
+	if (error) {
+		npf_rule_free(rl);
+	}
+	return error;
+}
+
+static int __noinline
+npf_mk_natlist(npf_t *npf, nvlist_t *npf_dict, npf_tableset_t *tblset,
+    nvlist_t *errdict, npf_ruleset_t **ntsetp)
 {
 	const nvlist_t * const *nat_rules;
 	npf_ruleset_t *ntset;
@@ -478,42 +528,12 @@ npf_mk_natlist(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict,
 	for (unsigned i = 0; i < nitems; i++) {
 		const nvlist_t *nat = nat_rules[i];
 		npf_rule_t *rl = NULL;
-		npf_natpolicy_t *np;
 
-		/*
-		 * NAT policies are standard rules, plus the additional
-		 * translation information.  First, make a rule.
-		 */
-		error = npf_mk_singlerule(npf, nat, NULL, &rl, errdict);
+		error = npf_mk_singlenat(npf, nat, ntset, tblset, errdict, &rl);
 		if (error) {
 			break;
 		}
 		npf_ruleset_insert(ntset, rl);
-
-		/* If rule is named, it is a group with NAT policies. */
-		if (dnvlist_get_string(nat, "name", NULL)) {
-			continue;
-		}
-
-		/* Check the table ID. */
-		if (nvlist_exists_number(nat, "nat-table-id")) {
-			unsigned tid = nvlist_get_number(nat, "nat-table-id");
-
-			if (!npf_tableset_getbyid(tblset, tid)) {
-				NPF_ERR_DEBUG(errdict);
-				error = EINVAL;
-				break;
-			}
-		}
-
-		/* Allocate a new NAT policy and assign to the rule. */
-		np = npf_nat_newpolicy(npf, nat, ntset);
-		if (np == NULL) {
-			NPF_ERR_DEBUG(errdict);
-			error = ENOMEM;
-			break;
-		}
-		npf_rule_setnat(rl, np);
 	}
 	*ntsetp = ntset;
 	return error;
@@ -593,7 +613,7 @@ npfctl_load_nvlist(npf_t *npf, nvlist_t *npf_dict, nvlist_t *errdict)
 	if (error) {
 		goto fail;
 	}
-	error = npf_mk_natlist(npf, npf_dict, errdict, tblset, &ntset);
+	error = npf_mk_natlist(npf, npf_dict, tblset, errdict, &ntset);
 	if (error) {
 		goto fail;
 	}
@@ -747,31 +767,42 @@ npfctl_rule(npf_t *npf, u_long cmd, void *data)
 	const char *ruleset_name;
 	uint32_t rcmd;
 	int error = 0;
+	bool natset;
 
 	error = npf_nvlist_copyin(npf, data, &npf_rule);
 	if (error) {
 		return error;
 	}
 	rcmd = dnvlist_get_number(npf_rule, "command", 0);
+	natset = dnvlist_get_bool(npf_rule, "nat-rule", false);
 	ruleset_name = dnvlist_get_string(npf_rule, "ruleset-name", NULL);
 	if (!ruleset_name) {
 		error = EINVAL;
 		goto out;
 	}
 
-	if (rcmd == NPF_CMD_RULE_ADD) {
+	npf_config_enter(npf);
+	rlset = natset ? npf_config_natset(npf) : npf_config_ruleset(npf);
+	switch (rcmd) {
+	case NPF_CMD_RULE_ADD: {
 		retdict = nvlist_create(0);
-		error = npf_mk_singlerule(npf, npf_rule, NULL, &rl, retdict);
+		if (natset) {
+			/*
+			 * Translation rule.
+			 */
+			error = npf_mk_singlenat(npf, npf_rule, rlset,
+			    npf_config_tableset(npf), retdict, &rl);
+		} else {
+			/*
+			 * Standard rule.
+			 */
+			error = npf_mk_singlerule(npf, npf_rule, NULL,
+			    &rl, retdict);
+		}
 		if (error) {
+			npf_config_exit(npf);
 			goto out;
 		}
-	}
-
-	npf_config_enter(npf);
-	rlset = npf_config_ruleset(npf);
-
-	switch (rcmd) {
-	case NPF_CMD_RULE_ADD: {
 		if ((error = npf_ruleset_add(rlset, ruleset_name, rl)) == 0) {
 			/* Success. */
 			uint64_t id = npf_rule_getid(rl);

src/kern/npf_impl.h

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2019 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -72,12 +72,14 @@
 struct npf_ruleset;
 struct npf_rule;
 struct npf_rprocset;
+struct npf_portmap;
 struct npf_nat;
 struct npf_conn;
 struct npf_config;
 
 typedef struct npf_ruleset	npf_ruleset_t;
 typedef struct npf_rule		npf_rule_t;
+typedef struct npf_portmap	npf_portmap_t;
 typedef struct npf_nat		npf_nat_t;
 typedef struct npf_rprocset	npf_rprocset_t;
 typedef struct npf_alg		npf_alg_t;
@@ -179,12 +181,13 @@ typedef struct {
 	int		max;
 } npf_param_t;
 
-enum {
+typedef enum {
 	NPF_PARAMS_CONNDB = 0,
 	NPF_PARAMS_GENERIC_STATE,
 	NPF_PARAMS_TCP_STATE,
+	NPF_PARAMS_PORTMAP,
 	NPF_PARAMS_COUNT
-};
+} npf_paramgroup_t;
 
 /*
  * NPF INSTANCE (CONTEXT) STRUCTURE AND AUXILIARY OPERATIONS.
@@ -214,7 +217,8 @@ struct npf {
 	npf_conndb_t *		conn_db;
 	pool_cache_t		conn_cache[2];
 
-	/* ALGs. */
+	/* NAT and ALGs. */
+	npf_portmap_t *		portmap;
 	npf_algset_t *		algset;
 
 	/* Interface mapping. */
@@ -297,6 +301,8 @@ void		npf_stats_dec(npf_t *, npf_stats_t);
 void		npf_param_init(npf_t *);
 void		npf_param_fini(npf_t *);
 void		npf_param_register(npf_t *, npf_param_t *, unsigned);
+void *		npf_param_allocgroup(npf_t *, npf_paramgroup_t, size_t);
+void		npf_param_freegroup(npf_t *, npf_paramgroup_t, size_t);
 int		npf_param_check(npf_t *, const char *, int);
 
 void		npf_ifmap_init(npf_t *, const npf_ifops_t *);
@@ -340,6 +346,7 @@ void		npf_addr_mask(const npf_addr_t *, const npf_netmask_t,
 		    const int, npf_addr_t *);
 void		npf_addr_bitor(const npf_addr_t *, const npf_netmask_t,
 		    const int, npf_addr_t *);
+int		npf_netmask_check(const int, npf_netmask_t);
 
 int		npf_tcpsaw(const npf_cache_t *, tcp_seq *, tcp_seq *,
 		    uint32_t *);
@@ -390,7 +397,6 @@ void		npf_ruleset_destroy(npf_ruleset_t *);
 void		npf_ruleset_insert(npf_ruleset_t *, npf_rule_t *);
 void		npf_ruleset_reload(npf_t *, npf_ruleset_t *,
 		    npf_ruleset_t *, bool);
-npf_rule_t *	npf_ruleset_sharepm(npf_ruleset_t *, npf_natpolicy_t *);
 npf_natpolicy_t *npf_ruleset_findnat(npf_ruleset_t *, uint64_t);
 void		npf_ruleset_freealg(npf_ruleset_t *, npf_alg_t *);
 int		npf_ruleset_export(npf_t *, const npf_ruleset_t *,
@@ -451,14 +457,22 @@ void		npf_state_tcp_sysfini(npf_t *);
 bool		npf_state_tcp(npf_cache_t *, npf_state_t *, int);
 int		npf_state_tcp_timeout(npf_t *, const npf_state_t *);
 
+/* Portmap. */
+void		npf_portmap_init(npf_t *);
+void		npf_portmap_fini(npf_t *);
+
+in_port_t	npf_portmap_get(npf_t *, int, const npf_addr_t *);
+bool		npf_portmap_take(npf_t *, int, const npf_addr_t *, in_port_t);
+void		npf_portmap_put(npf_t *, int, const npf_addr_t *, in_port_t);
+void		npf_portmap_flush(npf_t *);
+
 /* NAT. */
 void		npf_nat_sysinit(void);
 void		npf_nat_sysfini(void);
 npf_natpolicy_t *npf_nat_newpolicy(npf_t *, const nvlist_t *, npf_ruleset_t *);
 int		npf_nat_policyexport(const npf_natpolicy_t *, nvlist_t *);
 void		npf_nat_freepolicy(npf_natpolicy_t *);
 bool		npf_nat_cmppolicy(npf_natpolicy_t *, npf_natpolicy_t *);
-bool		npf_nat_sharepm(npf_natpolicy_t *, npf_natpolicy_t *);
 void		npf_nat_setid(npf_natpolicy_t *, uint64_t);
 uint64_t	npf_nat_getid(const npf_natpolicy_t *);
 void		npf_nat_freealg(npf_natpolicy_t *, npf_alg_t *);

src/kern/npf_inet.c

@@ -221,6 +221,26 @@ npf_addr_cmp(const npf_addr_t *addr1, const npf_netmask_t mask1,
 	return memcmp(addr1, addr2, alen);
 }
 
+int
+npf_netmask_check(const int alen, npf_netmask_t mask)
+{
+	switch (alen) {
+	case sizeof(struct in_addr):
+		if (__predict_false(mask > 32 && mask != NPF_NO_NETMASK)) {
+			return EINVAL;
+		}
+		break;
+	case sizeof(struct in6_addr):
+		if (__predict_false(mask > 128 && mask != NPF_NO_NETMASK)) {
+			return EINVAL;
+		}
+		break;
+	default:
+		return EINVAL;
+	}
+	return 0;
+}
+
 /*
  * npf_tcpsaw: helper to fetch SEQ, ACK, WIN and return TCP data length.
  *