openvpn/clinat_8c_source.html

/*

 *  OpenVPN -- An application to securely tunnel IP networks

 *             over a single TCP/UDP port, with support for SSL/TLS-based

 *             session authentication and key exchange,

 *             packet encryption, packet authentication, and

 *             packet compression.

 *

 *  Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>

 *

 *  This program is free software; you can redistribute it and/or modify

 *  it under the terms of the GNU General Public License version 2

 *  as published by the Free Software Foundation.

 *

 *  This program is distributed in the hope that it will be useful,

 *  but WITHOUT ANY WARRANTY; without even the implied warranty of

 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 *  GNU General Public License for more details.

 *

 *  You should have received a copy of the GNU General Public License along

 *  with this program; if not, write to the Free Software Foundation, Inc.,

 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

 */


#ifdef HAVE_CONFIG_H

#include "config.h"

#endif


#include "syshead.h"


#include "clinat.h"

#include "proto.h"

#include "socket.h"

#include "memdbg.h"


static bool


add_entry(struct client_nat_option_list *dest,

          const struct client_nat_entry *e)

{

    if (dest->n >= MAX_CLIENT_NAT)

    {

        msg(M_WARN, "WARNING: client-nat table overflow (max %d entries)", MAX_CLIENT_NAT);

        return false;

    }

    else

    {

        dest->entries[dest->n++] = *e;

        return true;

    }

}


void


print_client_nat_list(const struct client_nat_option_list *list, int msglevel)

{

    struct gc_arena gc = gc_new();

    int i;


    msg(msglevel, "*** CNAT list");

    if (list)

    {

        for (i = 0; i < list->n; ++i)

        {

            const struct client_nat_entry *e = &list->entries[i];

            msg(msglevel, "  CNAT[%d] t=%d %s/%s/%s",

                i,

                e->type,

                print_in_addr_t(e->network, IA_NET_ORDER, &gc),

                print_in_addr_t(e->netmask, IA_NET_ORDER, &gc),

                print_in_addr_t(e->foreign_network, IA_NET_ORDER, &gc));

        }

    }

    gc_free(&gc);

}


struct client_nat_option_list *


new_client_nat_list(struct gc_arena *gc)

{

    struct client_nat_option_list *ret;

    ALLOC_OBJ_CLEAR_GC(ret, struct client_nat_option_list, gc);

    return ret;

}


struct client_nat_option_list *


clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)

{

    struct client_nat_option_list *ret;

    ALLOC_OBJ_GC(ret, struct client_nat_option_list, gc);

    *ret = *src;

    return ret;

}


void


copy_client_nat_option_list(struct client_nat_option_list *dest,

                            const struct client_nat_option_list *src)

{

    int i;

    for (i = 0; i < src->n; ++i)

    {

        if (!add_entry(dest, &src->entries[i]))

        {

            break;

        }

    }

}


void


add_client_nat_to_option_list(struct client_nat_option_list *dest,

                              const char *type,

                              const char *network,

                              const char *netmask,

                              const char *foreign_network,

                              int msglevel)

{

    struct client_nat_entry e;

    bool ok;


    if (!strcmp(type, "snat"))

    {

        e.type = CN_SNAT;

    }

    else if (!strcmp(type, "dnat"))

    {

        e.type = CN_DNAT;

    }

    else

    {

        msg(msglevel, "client-nat: type must be 'snat' or 'dnat'");

        return;

    }


    e.network = getaddr(0, network, 0, &ok, NULL);

    if (!ok)

    {

        msg(msglevel, "client-nat: bad network: %s", network);

        return;

    }

    e.netmask = getaddr(0, netmask, 0, &ok, NULL);

    if (!ok)

    {

        msg(msglevel, "client-nat: bad netmask: %s", netmask);

        return;

    }

    e.foreign_network = getaddr(0, foreign_network, 0, &ok, NULL);

    if (!ok)

    {

        msg(msglevel, "client-nat: bad foreign network: %s", foreign_network);

        return;

    }


    add_entry(dest, &e);

}


#if 0

static void

print_checksum(struct openvpn_iphdr *iph, const char *prefix)

{

    uint16_t *sptr;

    unsigned int sum = 0;

    int i = 0;

    for (sptr = (uint16_t *)iph; (uint8_t *)sptr < (uint8_t *)iph + sizeof(struct openvpn_iphdr); sptr++)

    {

        i += 1;

        sum += *sptr;

    }

    msg(M_INFO, "** CKSUM[%d] %s %08x", i, prefix, sum);

}

#endif


static void


print_pkt(struct openvpn_iphdr *iph, const char *prefix, const int direction, const int msglevel)

{

    struct gc_arena gc = gc_new();


    char *dirstr = "???";

    if (direction == CN_OUTGOING)

    {

        dirstr = "OUT";

    }

    else if (direction == CN_INCOMING)

    {

        dirstr = "IN";

    }


    msg(msglevel, "** CNAT %s %s %s -> %s",

        dirstr,

        prefix,

        print_in_addr_t(iph->saddr, IA_NET_ORDER, &gc),

        print_in_addr_t(iph->daddr, IA_NET_ORDER, &gc));


    gc_free(&gc);

}


void


client_nat_transform(const struct client_nat_option_list *list,

                     struct buffer *ipbuf,

                     const int direction)

{

    struct ip_tcp_udp_hdr *h = (struct ip_tcp_udp_hdr *) BPTR(ipbuf);

    int i;

    uint32_t addr, *addr_ptr;

    const uint32_t *from, *to;

    int accumulate = 0;

    unsigned int amask;

    unsigned int alog = 0;


    if (check_debug_level(D_CLIENT_NAT))

    {

        print_pkt(&h->ip, "BEFORE", direction, D_CLIENT_NAT);

    }


    for (i = 0; i < list->n; ++i)

    {

        const struct client_nat_entry *e = &list->entries[i]; /* current NAT rule */

        if (e->type ^ direction)

        {

            addr = *(addr_ptr = &h->ip.daddr);

            amask = 2;

        }

        else

        {

            addr = *(addr_ptr = &h->ip.saddr);

            amask = 1;

        }

        if (direction)

        {

            from = &e->foreign_network;

            to = &e->network;

        }

        else

        {

            from = &e->network;

            to = &e->foreign_network;

        }


        if (((addr & e->netmask) == *from) && !(amask & alog))

        {

            /* pre-adjust IP checksum */

            ADD_CHECKSUM_32(accumulate, addr);


            /* do NAT transform */

            addr = (addr & ~e->netmask) | *to;


            /* post-adjust IP checksum */

            SUB_CHECKSUM_32(accumulate, addr);


            /* write the modified address to packet */

            *addr_ptr = addr;


            /* mark as modified */

            alog |= amask;

        }

    }

    if (alog)

    {

        if (check_debug_level(D_CLIENT_NAT))

        {

            print_pkt(&h->ip, "AFTER", direction, D_CLIENT_NAT);

        }


        ADJUST_CHECKSUM(accumulate, h->ip.check);


        if (h->ip.protocol == OPENVPN_IPPROTO_TCP)

        {

            if (BLEN(ipbuf) >= sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_tcphdr))

            {

                ADJUST_CHECKSUM(accumulate, h->u.tcp.check);

            }

        }

        else if (h->ip.protocol == OPENVPN_IPPROTO_UDP)

        {

            if (BLEN(ipbuf) >= sizeof(struct openvpn_iphdr) + sizeof(struct openvpn_udphdr))

            {

                ADJUST_CHECKSUM(accumulate, h->u.udp.check);

            }

        }

    }

}


BPTR
#define BPTR(buf)
Definition buffer.h:124

ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1097

BLEN
#define BLEN(buf)
Definition buffer.h:127

ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1092

gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033

gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025

print_client_nat_list
void print_client_nat_list(const struct client_nat_option_list *list, int msglevel)
Definition clinat.c:52

client_nat_transform
void client_nat_transform(const struct client_nat_option_list *list, struct buffer *ipbuf, const int direction)
Definition clinat.c:193

print_pkt
static void print_pkt(struct openvpn_iphdr *iph, const char *prefix, const int direction, const int msglevel)
Definition clinat.c:169

add_entry
static bool add_entry(struct client_nat_option_list *dest, const struct client_nat_entry *e)
Definition clinat.c:36

add_client_nat_to_option_list
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel)
Definition clinat.c:106

new_client_nat_list
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition clinat.c:75

clone_client_nat_option_list
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition clinat.c:83

copy_client_nat_option_list
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition clinat.c:92

clinat.h

CN_INCOMING
#define CN_INCOMING
Definition clinat.h:32

CN_SNAT
#define CN_SNAT
Definition clinat.h:35

MAX_CLIENT_NAT
#define MAX_CLIENT_NAT
Definition clinat.h:29

CN_OUTGOING
#define CN_OUTGOING
Definition clinat.h:31

CN_DNAT
#define CN_DNAT
Definition clinat.h:36

M_INFO
#define M_INFO
Definition errlevel.h:55

D_CLIENT_NAT
#define D_CLIENT_NAT
Definition errlevel.h:116

memdbg.h

check_debug_level
static bool check_debug_level(unsigned int level)
Definition error.h:220

msg
#define msg(flags,...)
Definition error.h:144

M_WARN
#define M_WARN
Definition error.h:91

proto.h

SUB_CHECKSUM_32
#define SUB_CHECKSUM_32(acc, u32)
Definition proto.h:231

ADJUST_CHECKSUM
#define ADJUST_CHECKSUM(acc, cksum)
Definition proto.h:211

OPENVPN_IPPROTO_UDP
#define OPENVPN_IPPROTO_UDP
Definition proto.h:108

OPENVPN_IPPROTO_TCP
#define OPENVPN_IPPROTO_TCP
Definition proto.h:107

ADD_CHECKSUM_32
#define ADD_CHECKSUM_32(acc, u32)
Definition proto.h:226

print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket.c:2974

getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:195

socket.h

IA_NET_ORDER
#define IA_NET_ORDER
Definition socket.h:402

buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61

client_nat_entry
Definition clinat.h:34

client_nat_entry::type
int type
Definition clinat.h:37

client_nat_entry::network
in_addr_t network
Definition clinat.h:38

client_nat_entry::foreign_network
in_addr_t foreign_network
Definition clinat.h:40

client_nat_entry::netmask
in_addr_t netmask
Definition clinat.h:39

client_nat_option_list
Definition clinat.h:43

client_nat_option_list::n
int n
Definition clinat.h:44

client_nat_option_list::entries
struct client_nat_entry entries[MAX_CLIENT_NAT]
Definition clinat.h:45

gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117

gc_arena::list
struct gc_entry * list
First element of the linked list of gc_entry structures.
Definition buffer.h:118

ip_tcp_udp_hdr
Definition proto.h:193

ip_tcp_udp_hdr::u
union ip_tcp_udp_hdr::@18 u

ip_tcp_udp_hdr::ip
struct openvpn_iphdr ip
Definition proto.h:194

ip_tcp_udp_hdr::udp
struct openvpn_udphdr udp
Definition proto.h:197

ip_tcp_udp_hdr::tcp
struct openvpn_tcphdr tcp
Definition proto.h:196

openvpn_iphdr
Definition proto.h:92

openvpn_iphdr::saddr
uint32_t saddr
Definition proto.h:113

openvpn_iphdr::daddr
uint32_t daddr
Definition proto.h:114

openvpn_iphdr::protocol
uint8_t protocol
Definition proto.h:110

openvpn_iphdr::check
uint16_t check
Definition proto.h:112

openvpn_tcphdr
Definition proto.h:164

openvpn_tcphdr::check
uint16_t check
Definition proto.h:184

openvpn_udphdr
Definition proto.h:154

openvpn_udphdr::check
uint16_t check
Definition proto.h:158

syshead.h

gc
struct gc_arena gc
Definition test_ssl.c:155