openvpn/clinat_8c_source.html

/*

 *  OpenVPN -- An application to securely tunnel IP networks

 *             over a single TCP/UDP port, with support for SSL/TLS-based

 *             session authentication and key exchange,

 *             packet encryption, packet authentication, and

 *             packet compression.

 *

 *  Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>

 *

 *  This program is free software; you can redistribute it and/or modify

 *  it under the terms of the GNU General Public License version 2

 *  as published by the Free Software Foundation.

 *

 *  This program is distributed in the hope that it will be useful,

 *  but WITHOUT ANY WARRANTY; without even the implied warranty of

 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 *  GNU General Public License for more details.

 *

 *  You should have received a copy of the GNU General Public License along

 *  with this program; if not, see <https://www.gnu.org/licenses/>.

 */


#ifdef HAVE_CONFIG_H

#include "config.h"

#endif


#include "syshead.h"


#include "clinat.h"

#include "proto.h"

#include "socket_util.h"

#include "memdbg.h"


static bool


add_entry(struct client_nat_option_list *dest, const struct client_nat_entry *e)

{

    if (dest->n >= MAX_CLIENT_NAT)

    {

        msg(M_WARN, "WARNING: client-nat table overflow (max %d entries)", MAX_CLIENT_NAT);

        return false;

    }

    else

    {

        dest->entries[dest->n++] = *e;

        return true;

    }

}


void


print_client_nat_list(const struct client_nat_option_list *list, int msglevel)

{

    struct gc_arena gc = gc_new();

    int i;


    msg(msglevel, "*** CNAT list");

    if (list)

    {

        for (i = 0; i < list->n; ++i)

        {

            const struct client_nat_entry *e = &list->entries[i];

            msg(msglevel, "  CNAT[%d] t=%d %s/%s/%s", i, e->type,

                print_in_addr_t(e->network, IA_NET_ORDER, &gc),

                print_in_addr_t(e->netmask, IA_NET_ORDER, &gc),

                print_in_addr_t(e->foreign_network, IA_NET_ORDER, &gc));

        }

    }

    gc_free(&gc);

}


struct client_nat_option_list *


new_client_nat_list(struct gc_arena *gc)

{

    struct client_nat_option_list *ret;

    ALLOC_OBJ_CLEAR_GC(ret, struct client_nat_option_list, gc);

    return ret;

}


struct client_nat_option_list *


clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)

{

    struct client_nat_option_list *ret;

    ALLOC_OBJ_GC(ret, struct client_nat_option_list, gc);

    *ret = *src;

    return ret;

}


void


copy_client_nat_option_list(struct client_nat_option_list *dest,

                            const struct client_nat_option_list *src)

{

    int i;

    for (i = 0; i < src->n; ++i)

    {

        if (!add_entry(dest, &src->entries[i]))

        {

            break;

        }

    }

}


void


add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type,

                              const char *network, const char *netmask, const char *foreign_network,

                              int msglevel)

{

    struct client_nat_entry e;

    bool ok;


    if (!strcmp(type, "snat"))

    {

        e.type = CN_SNAT;

    }

    else if (!strcmp(type, "dnat"))

    {

        e.type = CN_DNAT;

    }

    else

    {

        msg(msglevel, "client-nat: type must be 'snat' or 'dnat'");

        return;

    }


    e.network = getaddr(0, network, 0, &ok, NULL);

    if (!ok)

    {

        msg(msglevel, "client-nat: bad network: %s", network);

        return;

    }

    e.netmask = getaddr(0, netmask, 0, &ok, NULL);

    if (!ok)

    {

        msg(msglevel, "client-nat: bad netmask: %s", netmask);

        return;

    }

    e.foreign_network = getaddr(0, foreign_network, 0, &ok, NULL);

    if (!ok)

    {

        msg(msglevel, "client-nat: bad foreign network: %s", foreign_network);

        return;

    }


    add_entry(dest, &e);

}


#if 0

static void

print_checksum(struct openvpn_iphdr *iph, const char *prefix)

{

    uint16_t *sptr;

    unsigned int sum = 0;

    int i = 0;

    for (sptr = (uint16_t *)iph; (uint8_t *)sptr < (uint8_t *)iph + sizeof(struct openvpn_iphdr); sptr++)

    {

        i += 1;

        sum += *sptr;

    }

    msg(M_INFO, "** CKSUM[%d] %s %08x", i, prefix, sum);

}

#endif


static void


print_pkt(struct openvpn_iphdr *iph, const char *prefix, const int direction, const int msglevel)

{

    struct gc_arena gc = gc_new();


    char *dirstr = "???";

    if (direction == CN_OUTGOING)

    {

        dirstr = "OUT";

    }

    else if (direction == CN_INCOMING)

    {

        dirstr = "IN";

    }


    msg(msglevel, "** CNAT %s %s %s -> %s", dirstr, prefix,

        print_in_addr_t(iph->saddr, IA_NET_ORDER, &gc),

        print_in_addr_t(iph->daddr, IA_NET_ORDER, &gc));


    gc_free(&gc);

}


void


client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf,

                     const int direction)

{

    struct ip_tcp_udp_hdr *h = (struct ip_tcp_udp_hdr *)BPTR(ipbuf);

    int i;

    uint32_t addr, *addr_ptr;

    const uint32_t *from, *to;

    int accumulate = 0;

    unsigned int amask;

    unsigned int alog = 0;


    if (check_debug_level(D_CLIENT_NAT))

    {

        print_pkt(&h->ip, "BEFORE", direction, D_CLIENT_NAT);

    }


    for (i = 0; i < list->n; ++i)

    {

        const struct client_nat_entry *e = &list->entries[i]; /* current NAT rule */

        if (e->type ^ direction)

        {

            addr = *(addr_ptr = &h->ip.daddr);

            amask = 2;

        }

        else

        {

            addr = *(addr_ptr = &h->ip.saddr);

            amask = 1;

        }

        if (direction)

        {

            from = &e->foreign_network;

            to = &e->network;

        }

        else

        {

            from = &e->network;

            to = &e->foreign_network;

        }


        if (((addr & e->netmask) == *from) && !(amask & alog))

        {

            /* pre-adjust IP checksum */

            ADD_CHECKSUM_32(accumulate, addr);


            /* do NAT transform */

            addr = (addr & ~e->netmask) | *to;


            /* post-adjust IP checksum */

            SUB_CHECKSUM_32(accumulate, addr);


            /* write the modified address to packet */

            *addr_ptr = addr;


            /* mark as modified */

            alog |= amask;

        }

    }

    if (alog)

    {

        if (check_debug_level(D_CLIENT_NAT))

        {

            print_pkt(&h->ip, "AFTER", direction, D_CLIENT_NAT);

        }


        ADJUST_CHECKSUM(accumulate, h->ip.check);


        if (h->ip.protocol == OPENVPN_IPPROTO_TCP)

        {

            if (BLEN(ipbuf) >= sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_tcphdr))

            {

                ADJUST_CHECKSUM(accumulate, h->u.tcp.check);

            }

        }

        else if (h->ip.protocol == OPENVPN_IPPROTO_UDP)

        {

            if (BLEN(ipbuf) >= sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr))

            {

                ADJUST_CHECKSUM(accumulate, h->u.udp.check);

            }

        }

    }

}


BPTR
#define BPTR(buf)
Definition buffer.h:123

ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1079

BLEN
#define BLEN(buf)
Definition buffer.h:126

ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1074

gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015

gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1007

print_client_nat_list
void print_client_nat_list(const struct client_nat_option_list *list, int msglevel)
Definition clinat.c:50

client_nat_transform
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition clinat.c:184

print_pkt
static void print_pkt(struct openvpn_iphdr *iph, const char *prefix, const int direction, const int msglevel)
Definition clinat.c:162

add_entry
static bool add_entry(struct client_nat_option_list *dest, const struct client_nat_entry *e)
Definition clinat.c:35

add_client_nat_to_option_list
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel)
Definition clinat.c:102

new_client_nat_list
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition clinat.c:71

clone_client_nat_option_list
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition clinat.c:79

copy_client_nat_option_list
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition clinat.c:88

clinat.h

CN_INCOMING
#define CN_INCOMING
Definition clinat.h:31

CN_SNAT
#define CN_SNAT
Definition clinat.h:35

MAX_CLIENT_NAT
#define MAX_CLIENT_NAT
Definition clinat.h:28

CN_OUTGOING
#define CN_OUTGOING
Definition clinat.h:30

CN_DNAT
#define CN_DNAT
Definition clinat.h:36

M_INFO
#define M_INFO
Definition errlevel.h:54

D_CLIENT_NAT
#define D_CLIENT_NAT
Definition errlevel.h:115

memdbg.h

check_debug_level
static bool check_debug_level(unsigned int level)
Definition error.h:257

msg
#define msg(flags,...)
Definition error.h:150

M_WARN
#define M_WARN
Definition error.h:90

proto.h

SUB_CHECKSUM_32
#define SUB_CHECKSUM_32(acc, u32)
Definition proto.h:240

ADJUST_CHECKSUM
#define ADJUST_CHECKSUM(acc, cksum)
Definition proto.h:215

OPENVPN_IPPROTO_UDP
#define OPENVPN_IPPROTO_UDP
Definition proto.h:106

OPENVPN_IPPROTO_TCP
#define OPENVPN_IPPROTO_TCP
Definition proto.h:105

ADD_CHECKSUM_32
#define ADD_CHECKSUM_32(acc, u32)
Definition proto.h:234

getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:187

print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196

socket_util.h

IA_NET_ORDER
#define IA_NET_ORDER
Definition socket_util.h:90

buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60

client_nat_entry
Definition clinat.h:34

client_nat_entry::type
int type
Definition clinat.h:37

client_nat_entry::network
in_addr_t network
Definition clinat.h:38

client_nat_entry::foreign_network
in_addr_t foreign_network
Definition clinat.h:40

client_nat_entry::netmask
in_addr_t netmask
Definition clinat.h:39

client_nat_option_list
Definition clinat.h:44

client_nat_option_list::n
int n
Definition clinat.h:45

client_nat_option_list::entries
struct client_nat_entry entries[MAX_CLIENT_NAT]
Definition clinat.h:46

gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116

gc_arena::list
struct gc_entry * list
First element of the linked list of gc_entry structures.
Definition buffer.h:117

ip_tcp_udp_hdr
Definition proto.h:196

ip_tcp_udp_hdr::u
union ip_tcp_udp_hdr::@23 u

ip_tcp_udp_hdr::ip
struct openvpn_iphdr ip
Definition proto.h:197

ip_tcp_udp_hdr::udp
struct openvpn_udphdr udp
Definition proto.h:201

ip_tcp_udp_hdr::tcp
struct openvpn_tcphdr tcp
Definition proto.h:200

openvpn_iphdr
Definition proto.h:90

openvpn_iphdr::saddr
uint32_t saddr
Definition proto.h:111

openvpn_iphdr::daddr
uint32_t daddr
Definition proto.h:112

openvpn_iphdr::protocol
uint8_t protocol
Definition proto.h:108

openvpn_iphdr::check
uint16_t check
Definition proto.h:110

openvpn_tcphdr
Definition proto.h:166

openvpn_tcphdr::check
uint16_t check
Definition proto.h:186

openvpn_udphdr
Definition proto.h:155

openvpn_udphdr::check
uint16_t check
Definition proto.h:159

syshead.h

i
int i
Definition test_push_update_msg.c:120

gc
struct gc_arena gc
Definition test_ssl.c:154