Thu Sep 16 04:53:27 2010 UTC ()

NPF checkpoint:
- Add support for bi-directional NAT and redirection / port forwarding.
- Finish filtering on ICMP type/code and add filtering on TCP flags.
- Add support for TCP reset (RST) or ICMP destination unreachable on block.
- Fix a bunch of bugs; misc cleanup.


(rmind)

diff -r1.3 -r1.4 src/share/man/man9/npf_ncode.9
diff -r1.1 -r1.2 src/sys/modules/npf/Makefile
diff -r1.1 -r1.2 src/sys/net/npf/files.npf
diff -r1.1 -r1.2 src/sys/net/npf/npf.h
diff -r1.1 -r1.2 src/sys/net/npf/npf_alg_icmp.c
diff -r1.1 -r1.2 src/sys/net/npf/npf_ctl.c
diff -r1.1 -r1.2 src/sys/net/npf/npf_handler.c
diff -r1.1 -r1.2 src/sys/net/npf/npf_impl.h
diff -r1.1 -r1.2 src/sys/net/npf/npf_inet.c
diff -r1.1 -r1.2 src/sys/net/npf/npf_instr.c
diff -r1.1 -r1.2 src/sys/net/npf/npf_mbuf.c
diff -r1.1 -r1.2 src/sys/net/npf/npf_nat.c
diff -r1.1 -r1.2 src/sys/net/npf/npf_ncode.h
diff -r1.1 -r1.2 src/sys/net/npf/npf_processor.c
diff -r1.1 -r1.2 src/sys/net/npf/npf_ruleset.c
diff -r1.1 -r1.2 src/sys/net/npf/npf_session.c
diff -r0 -r1.1 src/sys/net/npf/npf_sendpkt.c
diff -r1.1 -r1.2 src/usr.sbin/npf/npfctl/npf.conf.5
diff -r1.1 -r1.2 src/usr.sbin/npf/npfctl/npf_ncgen.c
diff -r1.1 -r1.2 src/usr.sbin/npf/npfctl/npf_parser.c
diff -r1.1 -r1.2 src/usr.sbin/npf/npfctl/npfctl.h
diff -r1.2 -r1.3 src/usr.sbin/npf/npfctl/npf_data.c

--- src/share/man/man9/Attic/npf_ncode.9 2010/08/24 23:55:05	1.3
+++ src/share/man/man9/Attic/npf_ncode.9 2010/09/16 04:53:27	1.4

 @@ -1,14 +1,14 @@
-.\"	$NetBSD: npf_ncode.9,v 1.3 2010/08/24 23:55:05 rmind Exp $
+.\"	$NetBSD: npf_ncode.9,v 1.4 2010/09/16 04:53:27 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
 .\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 @@ -17,27 +17,27 @@
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 .\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 22, 2010
+.Dd September 16, 2010
 .Dt NPF_NCODE 9
 .Os
 .Sh NAME
 .Nm npf_ncode
 .Nd NPF n-code processor
 .Sh SYNOPSIS
 .In net/npf_ncode.h
 .Ft int
 .Fn npf_ncode_process \
 "npf_cache_t *npc" "const void *ncode" "nbuf_t *nbuf" "int layer"
 .Ft int
 .Fn npf_ncode_validate "const void *ncode" "size_t sz" "int *errat"
 .\" -----
 @@ -210,47 +210,52 @@ Return value to advance to layer 3 heade
 .\" -
 .It Sy 0x90 NPF_OPCODE_IP4MASK <s/d>, <network address>, <subnet mask>
 Match passed network address with subnet mask against source or destination
 address in the IPv4 header.
 Address and mask should be in network byte order.
 Value of first argument indicates whether source (if 0x1) or destination
 (if 0x0) address should be matched.
 .It Sy 0x91 NPF_OPCODE_IP4TABLE <s/d>, <table id>
 Match the source or destination address with NPF table contents
 specified by table ID.
 Value of the first argument indicates whether source (if 0x1) or
 destination (if 0x0) address should be matched.
 .\" -
-.It Sy 0x92 NPF_OPCODE_ICMP4 <type> <code>
+.It Sy 0x92 NPF_OPCODE_ICMP4 <type/code>
-Match ICMP type and code of the packet, unless a value of ~0 (all bits set)
+Match that packet is ICMP and compare type and code values, if required.
-is passed, which indicates that comparison should not be performed.
+Highest 32nd and 31st bits indicate whether the type and code values,
 accordingly, should be compared.
 If comparison is required, the type and code values are represented by
 lower 16 bits.
 The higher 8 bits represent type, and the lower 8 bits code number.
 .\" -
 .It Sy 0xa0 NPF_OPCODE_TCP_PORT	<s/d>, <port range>
-Match the source or destination port with a specified port range.
+Match the TCP source or destination port with a specified port range.
 The higher 16 bits of the second argument represent the "from" and
 the lower 16 bits represent the "to" values of the range.
 The 32-bit port range value is in host byte order, however the actual
 "from" and "to" values should be in network byte order.
 The value of the first argument indicates whether source (if 0x1) or
 destination (if 0x0) port should be matched.
 .\" -
 .It Sy 0xa1 NPF_OPCODE_UDP_PORT <s/d>, <port range>
-Match the source or destination port with a specified port range.
+Equivalent of
-The higher 16 bits of the second argument represent the "from" and
+.Dv NPF_OPCODE_TCP_PORT ,
-the lower 16 bits represent the "to" values of range.
+but for UDP protocol.
-The 32-bit port range value is in host byte order, however the actual
+.\" -
-"from" and "to" values should be in network byte order.
+.It Sy 0xa2 NPF_OPCODE_TCP_FLAGS <fl/mask>
-The value of the first argument indicates whether source (if 0x1) or
+Match the TCP flags with the a specified flags and mask,
-destination (if 0x0) port should be matched.
+represented by the lower 16 bits.
 The higher 8 bits represent flags and the lower 8 bits mask to apply.
 .El
 .\" -----
 .Sh CODE REFERENCES
 This section describes places within the
 .Nx
 source tree where actual code implementing the
 .Nm
 subsystem
 can be found.
 All pathnames are relative to
 .Pa /usr/src .
 .Pp
 The

--- src/sys/modules/npf/Makefile 2010/08/22 18:56:22	1.1
+++ src/sys/modules/npf/Makefile 2010/09/16 04:53:27	1.2

 @@ -1,13 +1,13 @@
-# $NetBSD: Makefile,v 1.1 2010/08/22 18:56:22 rmind Exp $
+# $NetBSD: Makefile,v 1.2 2010/09/16 04:53:27 rmind Exp $
 .include "../Makefile.inc"
 .PATH:		${S}/net/npf
 KMOD=		npf
 SRCS=		npf.c npf_ctl.c npf_handler.c npf_instr.c npf_mbuf.c
 SRCS+=		npf_processor.c npf_ruleset.c npf_tableset.c npf_inet.c
-SRCS+=		npf_session.c npf_nat.c npf_alg.c
+SRCS+=		npf_session.c npf_nat.c npf_sendpkt.c npf_alg.c
 .include <bsd.kmodule.mk>

--- src/sys/net/npf/files.npf 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/files.npf 2010/09/16 04:53:27	1.2

 @@ -1,23 +1,28 @@
-# $NetBSD: files.npf,v 1.1 2010/08/22 18:56:22 rmind Exp $
+# $NetBSD: files.npf,v 1.2 2010/09/16 04:53:27 rmind Exp $
+#
 # Public Domain.
+#
+#
 # NPF pseudo device and modules.
+#
 defpseudo	npf:	ifnet
 # Core
 file	net/npf/npf.c				npf
 file	net/npf/npf_ctl.c			npf
 file	net/npf/npf_handler.c			npf
 file	net/npf/npf_instr.c			npf
 file	net/npf/npf_mbuf.c			npf
 file	net/npf/npf_processor.c			npf
 file	net/npf/npf_ruleset.c			npf
 file	net/npf/npf_tableset.c			npf
 file	net/npf/npf_inet.c			npf
 file	net/npf/npf_session.c			npf
 file	net/npf/npf_nat.c			npf
 file	net/npf/npf_alg.c			npf
 file	net/npf/npf_sendpkt.c			npf
 # ALGs
 file	net/npf/npf_alg_icmp.c			npf

--- src/sys/net/npf/npf.h 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/npf.h 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf.h,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -71,27 +71,26 @@ typedef void			nbuf_t;
  */
 #define	NPC_IP46	0x01	/* IPv4,6 packet with known protocol. */
 #define	NPC_IP6VER	0x02	/* If NPI_IP46, then: 0 - IPv4, 1 - IPv6. */
 #define	NPC_ADDRS	0x04	/* Known source and destination addresses. */
 #define	NPC_PORTS	0x08	/* Known ports (for TCP/UDP cases). */
 #define	NPC_ICMP	0x10	/* ICMP with known type and code. */
 #define	NPC_ICMP_ID	0x20	/* ICMP with query ID. */
 /* XXX: Optimise later, pack in unions, perhaps bitfields, etc. */
 typedef struct {
 	uint32_t		npc_info;
 	int			npc_dir;
 	uint8_t			npc_elen;
 	/* NPC_IP46 */
 	uint8_t			npc_proto;
 	uint16_t		npc_hlen;
 	uint16_t		npc_ipsum;
 	/* NPC_ADDRS */
 	in_addr_t		npc_srcip;
 	in_addr_t		npc_dstip;
 	/* NPC_PORTS */
 	in_port_t		npc_sport;
 	in_port_t		npc_dport;
 	uint8_t			npc_tcp_flags;
 	/* NPC_ICMP */
 	uint8_t			npc_icmp_type;
 @@ -117,40 +116,49 @@ int		nbuf_store_datum(nbuf_t *, void *,
 int		nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
 int		nbuf_find_tag(nbuf_t *, uint32_t, void **);
 /* Ruleset interface. */
 npf_rule_t *	npf_rule_alloc(int, pri_t, int, void *, size_t);
 void		npf_rule_free(npf_rule_t *);
 void		npf_activate_rule(npf_rule_t *);
 void		npf_deactivate_rule(npf_rule_t *);
 npf_hook_t *	npf_hook_register(npf_rule_t *,
 		    void (*)(const npf_cache_t *, void *), void *);
 void		npf_hook_unregister(npf_rule_t *, npf_hook_t *);
-#endif
+#endif	/* _KERNEL */
 /* Rule attributes. */
 #define	NPF_RULE_PASS			0x0001
 #define	NPF_RULE_COUNT			0x0002
 #define	NPF_RULE_FINAL			0x0004
 #define	NPF_RULE_LOG			0x0008
 #define	NPF_RULE_DEFAULT		0x0010
 #define	NPF_RULE_KEEPSTATE		0x0020
 #define	NPF_RULE_RETRST			0x0040
 #define	NPF_RULE_RETICMP		0x0080
 #define	NPF_RULE_IN			0x1000
 #define	NPF_RULE_OUT			0x2000
 #define	NPF_RULE_DIMASK			0x3000
 /* Address translation types and flags. */
 #define	NPF_NATIN			1
 #define	NPF_NATOUT			2
 #define	NPF_NAT_PORTS			0x01
 #define	NPF_NAT_PORTMAP			0x02
 /* Table types. */
 #define	NPF_TABLE_HASH			1
 #define	NPF_TABLE_RBTREE		2
 /* Layers. */
 #define	NPF_LAYER_2			2
 #define	NPF_LAYER_3			3
 /* XXX mbuf.h: just for now. */
 #define	PACKET_TAG_NPF			10
 /*
  * IOCTL structures.
 @@ -166,14 +174,14 @@ typedef struct npf_ioctl_table {
 	in_addr_t		nct_mask;
 	int			_reserved;
 } npf_ioctl_table_t;
 /*
  * IOCTL operations.
  */
 #define	IOC_NPF_VERSION		_IOR('N', 100, int)
 #define	IOC_NPF_SWITCH		_IOW('N', 101, int)
 #define	IOC_NPF_RELOAD		_IOW('N', 102, struct plistref)
 #define	IOC_NPF_TABLE		_IOW('N', 103, struct npf_ioctl_table)
-#endif
+#endif	/* _NPF_H_ */

--- src/sys/net/npf/npf_alg_icmp.c 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/npf_alg_icmp.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_alg_icmp.c,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_alg_icmp.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -25,27 +25,27 @@
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF ALG for ICMP and traceroute translations.
  */
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
 #include <sys/param.h>
 #include <sys/kernel.h>
 #endif
 #include <sys/module.h>
 #include <sys/pool.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
 @@ -218,31 +218,26 @@ npfa_icmp_session(npf_cache_t *npc, nbuf
+{
 	npf_cache_t *key = keyptr;
 	void *n_ptr;
 	/* ICMP? Get unique identifiers from ICMP packet. */
 	if (npc->npc_proto != IPPROTO_ICMP) {
 		return false;
+	}
 	KASSERT(npf_iscached(npc, NPC_IP46 | NPC_ICMP));
 	key->npc_info = NPC_ICMP;
 	/* Advance to ICMP header. */
 	n_ptr = nbuf_dataptr(nbuf);
 #ifdef _NPF_TESTING
 	if (npc->npc_elen && /* XXX */
 	    (n_ptr = nbuf_advance(&nbuf, n_ptr, npc->npc_elen)) == NULL)
 		return false;
 #endif
 	if ((n_ptr = nbuf_advance(&nbuf, n_ptr, npc->npc_hlen)) == NULL) {
 		return false;
+	}
 	/* Fetch into the separate (key) cache. */
 	if (!npf_icmp_uniqid(npc->npc_icmp_type, key, nbuf, n_ptr)) {
 		return false;
+	}
 	if (npf_iscached(key, NPC_ICMP_ID)) {
 		/* Construct the key. */
 		key->npc_proto = npc->npc_proto;
 		key->npc_dir = npc->npc_dir;
 @@ -307,27 +302,27 @@ npfa_icmp_natin(npf_cache_t *npc, nbuf_t
 	    offsetof(struct icmp, icmp_cksum);
 	if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL) {
 		return false;
+	}
 	/*
 	 * Rewrite source IP address and port of the embedded IP header,
 	 * which represents original packet - therefore passing PFIL_OUT.
 	 */
 	npf_nat_t *nt = ntptr;
 	in_addr_t addr;
 	in_port_t port;
-	npf_nat_getlocal(nt, &addr, &port);
+	npf_nat_getorig(nt, &addr, &port);
 	if (!npf_rwrip(&enpc, nbuf, n_ptr, PFIL_OUT, addr)) {
 		return false;
+	}
 	if (!npf_rwrport(&enpc, nbuf, n_ptr, PFIL_OUT, port, addr)) {
 		return false;
+	}
 	/*
 	 * Fixup and update ICMP checksum.
 	 * Note: npf_rwrip() has updated the IP checksum.
 	 */
 	cksum = npf_fixup32_cksum(cksum, enpc.npc_srcip, addr);

--- src/sys/net/npf/npf_ctl.c 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/npf_ctl.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_ctl.c,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -31,27 +31,27 @@
 /*
  * NPF device control.
+ *
  * Implementation of (re)loading, construction of tables and rules.
  * NPF proplib(9) dictionary consumer.
+ *
  * TODO:
  * - Consider implementing 'sync' functionality.
  */
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
 #include <sys/param.h>
 #include <sys/conf.h>
 #include <sys/kernel.h>
 #endif
 #include <prop/proplib.h>
 #include "npf_ncode.h"
 #include "npf_impl.h"
 /*
  * npfctl_switch: enable or disable packet inspection.
 @@ -318,48 +318,62 @@ npf_mk_natlist(npf_ruleset_t *nset, prop
 	/* NAT policies - array. */
 	if (prop_object_type(natlist) != PROP_TYPE_ARRAY)
 		return EINVAL;
 	it = prop_array_iterator(natlist);
 	if (it == NULL)
 		return ENOMEM;
 	error = 0;
 	while ((natdict = prop_object_iterator_next(it)) != NULL) {
 		prop_object_t obj;
 		npf_natpolicy_t *np;
 		npf_rule_t *rl;
-		in_addr_t gip;
+		in_addr_t taddr;
 		in_port_t tport;
 		int type, flags;
 		/* NAT policy - dictionary. */
 		if (prop_object_type(natdict) != PROP_TYPE_DICTIONARY) {
 			error = EINVAL;
 			break;
+		}
-		/* Gateway IP. */
+		/* Translation type. */
-		obj = prop_dictionary_get(natdict, "gateway_ip");
+		obj = prop_dictionary_get(natdict, "type");
-		gip = (in_addr_t)prop_number_integer_value(obj);
+		type = prop_number_integer_value(obj);
 		/* Translation type. */
 		obj = prop_dictionary_get(natdict, "flags");
 		flags = prop_number_integer_value(obj);
 		/* Translation IP. */
 		obj = prop_dictionary_get(natdict, "translation_ip");
 		taddr = (in_addr_t)prop_number_integer_value(obj);
 		/* Translation port (for redirect case). */
 		obj = prop_dictionary_get(natdict, "translation_port");
 		tport = (in_addr_t)prop_number_integer_value(obj);
 		/*
 		 * NAT policies are standard rules, plus additional
 		 * information for translation.  Make a rule.
 		 */
 		error = npf_mk_singlerule(natdict, nset, &rl);
 		if (error)
 			break;
 		/* Allocate a new NAT policy and assign to the rule. */
-		np = npf_nat_newpolicy(gip);
+		np = npf_nat_newpolicy(type, flags, taddr, tport);
 		if (np == NULL) {
 			error = ENOMEM;
 			break;
+		}
 		npf_rule_setnat(rl, np);
+	}
 	prop_object_iterator_release(it);
 	/*
 	 * Note: in a case of error, caller will free entire NAT ruleset
 	 * with assigned NAT policies.
 	 */
 	return error;
+}
 @@ -392,27 +406,27 @@ npfctl_reload(u_long cmd, void *data)
 #endif
 	/* Version. */
 	ver = prop_dictionary_get(dict, "version");
 	if (ver == NULL || prop_number_integer_value(ver) != NPF_VERSION) {
 		error = EINVAL;
 		goto fail;
+	}
 	/* XXX: Hard way for now. */
 	(void)npf_session_tracking(false);
 	/* NAT policies. */
 	nset = npf_ruleset_create();
-	natlist = prop_dictionary_get(dict, "nat");
+	natlist = prop_dictionary_get(dict, "translation");
 	error = npf_mk_natlist(nset, natlist);
 	if (error)
 		goto fail;
 	/* Tables. */
 	tblset = npf_tableset_create();
 	tables = prop_dictionary_get(dict, "tables");
 	error = npf_mk_tables(tblset, tables);
 	if (error)
 		goto fail;
 	/* Rules. */
 	rlset = npf_ruleset_create();
 @@ -445,27 +459,27 @@ fail:
 	if (nset) {
 		npf_ruleset_destroy(nset);
+	}
 	if (rlset) {
 		npf_ruleset_destroy(rlset);
+	}
 	if (tblset) {
 		npf_tableset_destroy(tblset);
+	}
 	return error;
+}
 /*
- * npf_table_ctl: add, remove or query entries in the specified table.
+ * npfctl_table: add, remove or query entries in the specified table.
+ *
  * For maximum performance, interface is avoiding proplib(3)'s overhead.
  */
 int
 npfctl_table(void *data)
+{
 	npf_ioctl_table_t *nct = data;
 	int error;
 	switch (nct->nct_action) {
 	case NPF_IOCTL_TBLENT_ADD:
 		error = npf_table_add_v4cidr(NULL, nct->nct_tid,
 		    nct->nct_addr, nct->nct_mask);

--- src/sys/net/npf/npf_handler.c 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/npf_handler.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_handler.c,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_handler.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -25,124 +25,141 @@
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF packet handler.
  */
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
 #endif
 #include <sys/mbuf.h>
 #include <sys/mutex.h>
 #include <net/if.h>
 #include <net/pfil.h>
 #include <sys/socketvar.h>
 #include "npf_impl.h"
 /*
  * If npf_ph_if != NULL, pfil hooks are registers.  If NULL, not registered.
  * Used to check the state.  Locked by: softnet_lock + KERNEL_LOCK (XXX).
  */
 static struct pfil_head *	npf_ph_if = NULL;
 static struct pfil_head *	npf_ph_inet = NULL;
 static bool			default_pass = true;
 int	npf_packet_handler(void *, struct mbuf **, struct ifnet *, int);
 /*
  * npf_ifhook: hook handling interface changes.
  */
 static int
 npf_ifhook(void *arg, struct mbuf **mp, struct ifnet *ifp, int di)
+{
 	return 0;
+}
 /*
- * npf_packet_handler: main packet handling routine.
+ * npf_packet_handler: main packet handling routine for layer 3.
+ *
  * Note: packet flow and inspection logic is in strict order.
  */
 int
 npf_packet_handler(void *arg, struct mbuf **mp, struct ifnet *ifp, int di)
+{
 	const int layer = (const int)(long)arg;
 	nbuf_t *nbuf = *mp;
 	npf_cache_t npc;
 	npf_session_t *se;
 	npf_rule_t *rl;
-	int error;
+	bool keepstate;
 	int retfl, error;
 	/*
 	 * Initialise packet information cache.
 	 * Note: it is enough to clear the info bits.
 	 */
 	npc.npc_info = 0;
 	error = 0;
 	retfl = 0;
 	/* Inspect the list of sessions. */
-	se = npf_session_inspect(&npc, nbuf, ifp, di, layer);
+	se = npf_session_inspect(&npc, nbuf, ifp, di);
-	/* Inbound NAT. */
+	/* If "passing" session found - skip the ruleset inspection. */
-	if ((di & PFIL_IN) && (error = npf_natin(&npc, se, nbuf, layer)) != 0) {
+	if (se && npf_session_pass(se)) {
-		goto out;
+		goto pass;
+	}
-	/* If session found - we pass this packet. */
+	/* Inspect the ruleset using this packet. */
-	if (se && npf_session_pass(se)) {
+	rl = npf_ruleset_inspect(&npc, nbuf, ifp, di, NPF_LAYER_3);
-		error = 0;
+	if (rl == NULL) {
-	} else {
+		if (default_pass) {
-		/* Inspect ruleset using this packet. */
+			goto pass;
 		rl = npf_ruleset_inspect(&npc, nbuf, ifp, di, layer);
 		if (rl != NULL) {
 			bool keepstate;
 			/* Apply the rule. */
 			error = npf_rule_apply(&npc, rl, &keepstate);
 			if (error) {
 				goto out;
 			/* Establish a session, if required. */
 			if (keepstate) {
 				se = npf_session_establish(&npc, NULL, di);
+		}
-		/* No rules or "default" rule - pass. */
+		error = ENETUNREACH;
 		goto out;
+	}
-	/* Outbound NAT. */
+	/* Apply the rule. */
-	if (di & PFIL_OUT) {
+	error = npf_rule_apply(&npc, rl, &keepstate, &retfl);
-		error = npf_natout(&npc, se, nbuf, ifp, layer);
+	if (error) {
 		goto out;
+	}
 	/* Establish a "pass" session, if required. */
 	if (keepstate && !se) {
 		se = npf_session_establish(&npc, NULL, di);
 		if (se == NULL) {
 			error = ENOMEM;
 			goto out;
+		}
 		npf_session_setpass(se);
+	}
 pass:
 	KASSERT(error == 0);
 	/*
 	 * Perform NAT.
 	 */
 	error = npf_do_nat(&npc, se, nbuf, ifp, di);
 out:
 	/* Release reference on session. */
 	if (se != NULL) {
 		npf_session_release(se);
+	}
 	/*
 	 * If error is set - drop the packet.
-	 * Normally, ENETUNREACH is used to "block".
+	 * Normally, ENETUNREACH is used for "block".
 	 */
 	if (error) {
 		/*
 		 * Depending on flags and protocol, return TCP reset (RST)
 		 * or ICMP destination unreachable
 		 */
 		if (retfl) {
 			npf_return_block(&npc, nbuf, retfl);
+		}
 		m_freem(*mp);
 		*mp = NULL;
+	}
 	return error;
+}
 /*
  * npf_register_pfil: register pfil(9) hooks.
  */
 int
 npf_register_pfil(void)
+{
 	int error;
 @@ -161,46 +178,46 @@ npf_register_pfil(void)
 	npf_ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
 	if (npf_ph_if == NULL || npf_ph_inet == NULL) {
 		npf_ph_if = NULL;
 		error = ENOENT;
 		goto fail;
+	}
 	/* Interface re-config or attach/detach hook. */
 	error = pfil_add_hook(npf_ifhook, NULL,
 	    PFIL_WAITOK | PFIL_IFADDR | PFIL_IFNET, npf_ph_if);
 	KASSERT(error == 0);
 	/* Packet IN/OUT handler on all interfaces and IP layer. */
-	error = pfil_add_hook(npf_packet_handler, (void *)NPF_LAYER_3,
+	error = pfil_add_hook(npf_packet_handler, NULL,
 	    PFIL_WAITOK | PFIL_ALL, npf_ph_inet);
 	KASSERT(error == 0);
 fail:
 	KERNEL_UNLOCK_ONE(NULL);
 	mutex_exit(softnet_lock);
 	return error;
+}
 /*
  * npf_unregister: unregister pfil(9) hooks.
  */
 void
 npf_unregister_pfil(void)
+{
 	mutex_enter(softnet_lock);
 	KERNEL_LOCK(1, NULL);
 	if (npf_ph_if) {
-		(void)pfil_remove_hook(npf_packet_handler, (void *)NPF_LAYER_3,
+		(void)pfil_remove_hook(npf_packet_handler, NULL,
 		    PFIL_ALL, npf_ph_inet);
 		(void)pfil_remove_hook(npf_ifhook, NULL,
 		    PFIL_IFADDR | PFIL_IFNET, npf_ph_if);
 		npf_ph_if = NULL;
+	}
 	KERNEL_UNLOCK_ONE(NULL);
 	mutex_exit(softnet_lock);
+}

--- src/sys/net/npf/npf_impl.h 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/npf_impl.h 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_impl.h,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -88,48 +88,51 @@ typedef bool	(*npf_algfunc_t)(npf_cache_
 /* NPF control. */
 int		npfctl_switch(void *);
 int		npfctl_reload(u_long, void *);
 int		npfctl_table(void *);
 /* Packet filter hooks. */
 int		npf_register_pfil(void);
 void		npf_unregister_pfil(void);
 /* Protocol helpers. */
 bool		npf_ip4_proto(npf_cache_t *, nbuf_t *, void *);
 bool		npf_fetch_ip4addrs(npf_cache_t *, nbuf_t *, void *);
 bool		npf_fetch_ports(npf_cache_t *, nbuf_t *, void *, const int);
 bool		npf_fetch_tcpfl(npf_cache_t *, nbuf_t *, void *);
 bool		npf_fetch_icmp(npf_cache_t *, nbuf_t *, void *);
-bool		npf_cache_all_ip4(npf_cache_t *, nbuf_t *, const int);
+bool		npf_cache_all(npf_cache_t *, nbuf_t *);
 bool		npf_rwrport(npf_cache_t *, nbuf_t *, void *, const int,
 		    in_port_t, in_addr_t);
 bool		npf_rwrip(npf_cache_t *, nbuf_t *, void *, const int, in_addr_t);
 uint16_t	npf_fixup16_cksum(uint16_t, uint16_t, uint16_t);
 uint16_t	npf_fixup32_cksum(uint16_t, uint32_t, uint32_t);
 void		npf_return_block(npf_cache_t *, nbuf_t *, const int);
 /* Complex instructions. */
 int		npf_match_ether(nbuf_t *, int, int, uint16_t, uint32_t *);
 int		npf_match_ip4table(npf_cache_t *, nbuf_t *, void *,
 		    const int, const u_int);
 int		npf_match_ip4mask(npf_cache_t *, nbuf_t *, void *,
 		    const int, in_addr_t, in_addr_t);
 int		npf_match_tcp_ports(npf_cache_t *, nbuf_t *, void *,
 		    const int, const uint32_t);
 int		npf_match_udp_ports(npf_cache_t *, nbuf_t *, void *,
 		    const int, const uint32_t);
-int		npf_match_icmp4(npf_cache_t *, nbuf_t *, void *,
+int		npf_match_icmp4(npf_cache_t *, nbuf_t *, void *, const uint32_t);
-		    const int, const int);
+int		npf_match_tcpfl(npf_cache_t *, nbuf_t *, void *, const uint32_t);
 /* Tableset interface. */
 int		npf_tableset_sysinit(void);
 void		npf_tableset_sysfini(void);
 npf_tableset_t *npf_tableset_create(void);
 void		npf_tableset_destroy(npf_tableset_t *);
 int		npf_tableset_insert(npf_tableset_t *, npf_table_t *);
 npf_tableset_t *npf_tableset_reload(npf_tableset_t *);
 npf_table_t *	npf_table_create(u_int, int, size_t);
 void		npf_table_destroy(npf_table_t *);
 void		npf_table_ref(npf_table_t *);
 @@ -147,63 +150,59 @@ int		npf_table_match_v4addr(u_int, in_ad
 /* Ruleset interface. */
 int		npf_ruleset_sysinit(void);
 void		npf_ruleset_sysfini(void);
 npf_ruleset_t *	npf_ruleset_create(void);
 void		npf_ruleset_destroy(npf_ruleset_t *);
 void		npf_ruleset_insert(npf_ruleset_t *, npf_rule_t *);
 void		npf_ruleset_reload(npf_ruleset_t *, npf_tableset_t *);
 npf_rule_t *	npf_ruleset_match(npf_ruleset_t *, npf_cache_t *, nbuf_t *,
 		    struct ifnet *, const int, const int);
 npf_rule_t *	npf_ruleset_inspect(npf_cache_t *, nbuf_t *,
 		    struct ifnet *, const int, const int);
-int		npf_rule_apply(const npf_cache_t *, npf_rule_t *, bool *);
+int		npf_rule_apply(const npf_cache_t *, npf_rule_t *, bool *, int *);
 npf_ruleset_t *	npf_rule_subset(npf_rule_t *);
 npf_natpolicy_t *npf_rule_getnat(const npf_rule_t *);
 void		npf_rule_setnat(npf_rule_t *, npf_natpolicy_t *);
 /* State handling interface. */
 int		npf_session_sysinit(void);
 void		npf_session_sysfini(void);
 int		npf_session_tracking(bool);
 npf_session_t *	npf_session_inspect(npf_cache_t *, nbuf_t *,
-		    struct ifnet *, const int, const int);
+		    struct ifnet *, const int);
 npf_session_t *	npf_session_establish(const npf_cache_t *,
 		    npf_nat_t *, const int);
 void		npf_session_release(npf_session_t *);
 bool		npf_session_pass(const npf_session_t *);
 void		npf_session_setpass(npf_session_t *);
 npf_nat_t *	npf_session_retnat(const npf_session_t *);
 void		npf_session_link(npf_session_t *, npf_session_t *);
-npf_nat_t *	npf_session_retlinknat(const npf_session_t *);
+npf_nat_t *	npf_session_retnat(npf_session_t *, const int, bool *);
 /* NAT. */
 void		npf_nat_sysinit(void);
 void		npf_nat_sysfini(void);
-npf_natpolicy_t *npf_nat_newpolicy(in_addr_t);
+npf_natpolicy_t *npf_nat_newpolicy(int, int, in_addr_t, in_port_t);
 void		npf_nat_freepolicy(npf_natpolicy_t *);
 void		npf_nat_flush(void);
 void		npf_nat_reload(npf_ruleset_t *);
-int		npf_natout(npf_cache_t *, npf_session_t *, nbuf_t *,
+int		npf_do_nat(npf_cache_t *, npf_session_t *, nbuf_t *,
 		    struct ifnet *, const int);
 int		npf_natin(npf_cache_t *, npf_session_t *, nbuf_t *, const int);
 void		npf_nat_expire(npf_nat_t *);
-void		npf_nat_getlocal(npf_nat_t *, in_addr_t *, in_port_t *);
+void		npf_nat_getorig(npf_nat_t *, in_addr_t *, in_port_t *);
 void		npf_nat_setalg(npf_nat_t *, npf_alg_t *, uintptr_t);
 /* ALG interface. */
 void		npf_alg_sysinit(void);
 void		npf_alg_sysfini(void);
 npf_alg_t *	npf_alg_register(npf_algfunc_t, npf_algfunc_t,
 		    npf_algfunc_t, npf_algfunc_t);
 int		npf_alg_unregister(npf_alg_t *);
 void		npf_alg_match(npf_cache_t *, nbuf_t *, npf_nat_t *);
 void		npf_alg_exec(npf_cache_t *, nbuf_t *, npf_nat_t *, const int );
 bool		npf_alg_sessionid(npf_cache_t *, nbuf_t *, npf_cache_t *);
 /* Debugging routines. */

--- src/sys/net/npf/npf_inet.c 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/npf_inet.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_inet.c,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_inet.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -25,27 +25,27 @@
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * Various procotol related helper routines.
  */
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
 #include <net/if.h>
 #include <net/ethertypes.h>
 @@ -232,59 +232,51 @@ npf_fetch_icmp(npf_cache_t *npc, nbuf_t
 	/* ICMP code. */
 	offby = offsetof(struct icmp, icmp_code);
 	if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL)
 		return false;
 	if (nbuf_fetch_datum(nbuf, n_ptr, sizeof(uint8_t), &npc->npc_icmp_code))
 		return false;
 	/* Mark as cached. */
 	npc->npc_icmp_type = type;
 	npc->npc_info |= NPC_ICMP;
 	return true;
+}
-static inline bool
+/*
  * npf_fetch_tcpfl: fetch TCP flags and store into the cache.
  */
 bool
 npf_fetch_tcpfl(npf_cache_t *npc, nbuf_t *nbuf, void *n_ptr)
+{
 	u_int offby;
 	/* Get TCP flags. */
 	offby = npc->npc_hlen + offsetof(struct tcphdr, th_flags);
 	if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL)
 		return false;
 	if (nbuf_fetch_datum(nbuf, n_ptr, sizeof(uint8_t), &npc->npc_tcp_flags))
 		return false;
 	return true;
+}
 /*
- * npf_cache_all_ip4: general routine to cache all relevant IPv4 and
+ * npf_cache_all: general routine to cache all relevant IPv4 and
  * TCP, UDP or ICMP data.
  */
 bool
-npf_cache_all_ip4(npf_cache_t *npc, nbuf_t *nbuf, const int layer)
+npf_cache_all(npf_cache_t *npc, nbuf_t *nbuf)
+{
 	void *n_ptr = nbuf_dataptr(nbuf);
 	u_int offby;
 	if (layer == NPF_LAYER_2) {
 		/* Ethernet: match if ETHERTYPE_IP and if so - advance. */
 		if (npf_match_ether(nbuf, 1, 0, ETHERTYPE_IP, &offby))
 			return false;
 		if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL)
 			return false;
 		/* Cache Ethernet header length. XXX */
 		npc->npc_elen = offby;
 	/* IPv4: get protocol, source and destination addresses. */
 	if (!npf_iscached(npc, NPC_IP46) && !npf_ip4_proto(npc, nbuf, n_ptr)) {
 		return false;
+	}
 	if (!npf_iscached(npc, NPC_ADDRS) &&
 	    !npf_fetch_ip4addrs(npc, nbuf, n_ptr)) {
 		return false;
+	}
 	switch (npc->npc_proto) {
 	case IPPROTO_TCP:
 		/* TCP flags. */
 		if (!npf_fetch_tcpfl(npc, nbuf, n_ptr)) {

--- src/sys/net/npf/Attic/npf_instr.c 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/Attic/npf_instr.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_instr.c,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_instr.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -25,27 +25,27 @@
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF complex instructions.
  */
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <net/if.h>
 #include <net/ethertypes.h>
 #include <net/if_ether.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #endif
 #include "npf_impl.h"
 @@ -171,39 +171,63 @@ npf_match_udp_ports(npf_cache_t *npc, nb
+		}
 		KASSERT(npf_iscached(npc, NPC_PORTS));
+	}
 	p = sd ? npc->npc_sport : npc->npc_dport;
 	/* Match against the port range. */
 	return NPF_PORTRANGE_MATCH(prange, p) ? 0 : -1;
+}
 /*
  * npf_match_icmp4: match ICMPv4 packet.
  */
 int
-npf_match_icmp4(npf_cache_t *npc, nbuf_t *nbuf, void *n_ptr,
+npf_match_icmp4(npf_cache_t *npc, nbuf_t *nbuf, void *n_ptr, const uint32_t tc)
     const int type, const int code)
+{
 	if (!npf_iscached(npc, NPC_ICMP)) {
 		/* Perform checks, advance to ICMP header. */
 		if (!npf_iscached(npc, NPC_IP46) &&
 		    !npf_ip4_proto(npc, nbuf, n_ptr)) {
 			return -1;
+		}
 		n_ptr = nbuf_advance(&nbuf, n_ptr, npc->npc_hlen);
 		if (n_ptr == NULL || npc->npc_proto != IPPROTO_ICMP) {
 			return -1;
+		}
 		if (!npf_fetch_icmp(npc, nbuf, n_ptr)) {
 			return -1;
+		}
 		KASSERT(npf_iscached(npc, NPC_ICMP));
+	}
-	/* Match, if required. */
+	/* Match code/type, if required. */
-	if (type != ~0 && type != npc->npc_icmp_type)
+	if ((1 << 31) & tc) {
 		const uint8_t type = (tc >> 8) & 0xff;
 		if (type != npc->npc_icmp_type) {
 			return -1;
+		}
+	}
 	if ((1 << 30) & tc) {
 		const uint8_t code = tc & 0xff;
 		if (code != npc->npc_icmp_code) {
 			return -1;
+		}
+	}
 	return 0;
+}
 /*
  * npf_match_tcpfl: match TCP flags.
  */
 int
 npf_match_tcpfl(npf_cache_t *npc, nbuf_t *nbuf, void *n_ptr, const uint32_t fl)
+{
 	const uint8_t tcpfl = (fl >> 8) & 0xff, mask = fl & 0xff;
 	if (!npf_iscached(npc, NPC_IP46) && !npf_ip4_proto(npc, nbuf, n_ptr)) {
 		return -1;
 	if (code != ~0 && code != npc->npc_icmp_code)
 	if (!npf_fetch_tcpfl(npc, nbuf, n_ptr)) {
 		return -1;
 	return 0;
 	return ((npc->npc_tcp_flags & mask) == tcpfl) ? 0 : -1;
+}

--- src/sys/net/npf/npf_mbuf.c 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/npf_mbuf.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_mbuf.c,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_mbuf.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -28,27 +28,27 @@
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF network buffer management interface.
+ *
  * Network buffer in NetBSD is mbuf.  Internal mbuf structures are
  * abstracted within this source.
  */
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_mbuf.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
 #endif
 #include <sys/param.h>
 #include <sys/mbuf.h>
 #include "npf_impl.h"
 /*
  * nbuf_dataptr: return a pointer to data in nbuf.
  */
 void *
 nbuf_dataptr(nbuf_t *nbuf)
+{
 @@ -122,56 +122,58 @@ nbuf_rw_datum(const int wr, nbuf_t *nbuf
 	off = (uintptr_t)n_ptr - mtod(m, uintptr_t);
 	KASSERT(off < m->m_len);
 	wmark = m->m_len;
 	/* Is datum overlapping? */
 	end = off + len;
 	while (__predict_false(end > wmark)) {
 		u_int l;
 		/* Get the part of current mbuf. */
 		l = m->m_len - off;
 		KASSERT(l < len);
 		len -= l;
-		if (wr) {
+		if (wr == NBUF_DATA_WRITE) {
 			while (l--)
 				*d++ = *b++;
 		} else {
 			KASSERT(wr == NBUF_DATA_READ);
 			while (l--)
 				*b++ = *d++;
+		}
 		KASSERT(len > 0);
 		/* Take next mbuf and continue. */
 		m = m->m_next;
 		if (__predict_false(m == NULL)) {
 			/*
 			 * If out of chain, then offset with datum
 			 * length exceed the packet length.
 			 */
 			return EINVAL;
+		}
 		wmark += m->m_len;
 		d = mtod(m, uint8_t *);
 		off = 0;
+	}
 	KASSERT(n_ptr == d || mtod(m, uint8_t *) == d);
 	KASSERT(len <= m->m_len);
 	/* Non-overlapping case: fetch the actual data. */
-	if (wr) {
+	if (wr == NBUF_DATA_WRITE) {
 		while (len--)
 			*d++ = *b++;
 	} else {
 		KASSERT(wr == NBUF_DATA_READ);
 		while (len--)
 			*b++ = *d++;
+	}
 	return 0;
+}
 /*
  * nbuf_{fetch|store}_datum: read/write absraction calls on nbuf_rw_datum().
  */
 int
 nbuf_fetch_datum(nbuf_t *nbuf, void *n_ptr, size_t len, void *buf)
+{

--- src/sys/net/npf/npf_nat.c 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/npf_nat.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_nat.c,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -29,49 +29,65 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF network address port translation (NAPT).
  * Described in RFC 2663, RFC 3022.  Commonly just "NAT".
+ *
  * Overview
+ *
  *	There are few mechanisms: NAT policy, port map and translation.
  *	NAT module has a separate ruleset, where rules contain associated
  *	NAT policy, thus flexible filter criteria can be used.
+ *
  * Translation types
+ *
  *	There are two types of translation: outbound (NPF_NATOUT) and
  *	inbound (NPF_NATIN).  It should not be confused with connection
  *	direction.
+ *
  *	Outbound NAT rewrites:
  *	- Source on "forwards" stream.
  *	- Destination on "backwards" stream.
  *	Inbound NAT rewrites:
  *	- Destination on "forwards" stream.
  *	- Source on "backwards" stream.
+ *
  *	It should be noted that bi-directional NAT is a combined outbound
  *	and inbound translation, therefore constructed as two policies.
+ *
  * NAT policies and port maps
+ *
- *	NAT policy is applied when a packet matches the rule.  Apart from
+ *	NAT (translation) policy is applied when a packet matches the rule.
- *	filter criteria, NAT policy has a translation (gateway) IP address
+ *	Apart from filter criteria, NAT policy has a translation IP address
  *	and associated port map.  Port map is a bitmap used to reserve and
  *	use unique TCP/UDP ports for translation.  Port maps are unique to
  *	the IP addresses, therefore multiple NAT policies with the same IP
  *	will share the same port map.
+ *
  * NAT sessions and translation entries
+ *
  *	NAT module relies on session management module.  Each "NAT" session
- *	has an associated translation entry (npf_nat_t).  It contains local
+ *	has an associated translation entry (npf_nat_t).  It contains saved
  *	i.e. original IP address with port and translation port, allocated
  *	from the port map.  Each NAT translation entry is associated with
  *	the policy, which contains translation IP address.  Allocated port
  *	is returned to the port map and translation entry destroyed when
  *	"NAT" session expires.
  */
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
 #include <sys/param.h>
 #include <sys/kernel.h>
 #endif
 #include <sys/atomic.h>
 #include <sys/bitops.h>
 #include <sys/kmem.h>
 #include <sys/pool.h>
 #include <net/pfil.h>
 #include <netinet/in.h>
 #include "npf_impl.h"
 @@ -84,46 +100,49 @@ typedef struct {
 	uint32_t			p_bitmap[0];
 } npf_portmap_t;
 /* Portmap range: [ 1024 .. 65535 ] */
 #define	PORTMAP_FIRST			(1024)
 #define	PORTMAP_SIZE			((65536 - PORTMAP_FIRST) / 32)
 #define	PORTMAP_FILLED			((uint32_t)~0)
 #define	PORTMAP_MASK			(31)
 #define	PORTMAP_SHIFT			(5)
 /* NAT policy structure. */
 struct npf_natpolicy {
 	LIST_ENTRY(npf_natpolicy)	n_entry;
-	in_addr_t			n_gw_ip;
+	int				n_type;
 	int				n_flags;
 	in_addr_t			n_taddr;
 	in_port_t			n_tport;
 	npf_portmap_t *			n_portmap;
 };
 /* NAT translation entry for a session. */
 struct npf_nat {
 	npf_natpolicy_t *		nt_natpolicy;
-	/* Local address and port (for backwards translation). */
+	/* Original address and port (for backwards translation). */
-	in_addr_t			nt_laddr;
+	in_addr_t			nt_oaddr;
-	in_port_t			nt_lport;
+	in_port_t			nt_oport;
-	/* Translation port (for forwards). */
+	/* Translation port (for redirects). */
 	in_port_t			nt_tport;
 	/* ALG (if any) associated with this NAT entry. */
 	npf_alg_t *			nt_alg;
 	uintptr_t			nt_alg_arg;
 };
-static npf_ruleset_t *			nat_ruleset;
+static npf_ruleset_t *			nat_ruleset	__read_mostly;
-static LIST_HEAD(, npf_natpolicy)	nat_policy_list;
+static LIST_HEAD(, npf_natpolicy)	nat_policy_list	__read_mostly;
-static pool_cache_t			nat_cache;
+static pool_cache_t			nat_cache	__read_mostly;
 /*
  * npf_nat_sys{init,fini}: initialise/destroy NAT subsystem structures.
  */
 void
 npf_nat_sysinit(void)
+{
 	nat_cache = pool_cache_init(sizeof(npf_nat_t), coherency_unit,
 , 0, "npfnatpl", NULL, IPL_NET, NULL, NULL, NULL);
 	KASSERT(nat_cache != NULL);
 	nat_ruleset = npf_ruleset_create();
 @@ -131,86 +150,96 @@ npf_nat_sysinit(void)
+}
 void
 npf_nat_sysfini(void)
+{
 	/* Flush NAT policies. */
 	npf_nat_reload(NULL);
 	KASSERT(LIST_EMPTY(&nat_policy_list));
 	pool_cache_destroy(nat_cache);
+}
 /*
- * npf_nat_newpolicy: allocate a new NAT policy.
+ * npf_nat_newpolicy: create a new NAT policy.
+ *
  * => Shares portmap if policy is on existing translation address.
  * => XXX: serialise at upper layer.
  */
 npf_natpolicy_t *
-npf_nat_newpolicy(in_addr_t gip)
+npf_nat_newpolicy(int type, int flags, in_addr_t taddr, in_port_t tport)
+{
 	npf_natpolicy_t *np, *it;
 	npf_portmap_t *pm;
 	np = kmem_zalloc(sizeof(npf_natpolicy_t), KM_SLEEP);
 	if (np == NULL) {
 		return NULL;
+	}
-	np->n_gw_ip = gip;
+	KASSERT(type == NPF_NATIN || type == NPF_NATOUT);
 	np->n_type = type;
 	np->n_flags = flags;
 	np->n_taddr = taddr;
 	np->n_tport = tport;
 	/* Search for a NAT policy using the same translation address. */
 	pm = NULL;
 	if ((flags & NPF_NAT_PORTMAP) == 0) {
 		goto nopm;
+	}
 	/* Search for a NAT policy using the same translation address. */
 	LIST_FOREACH(it, &nat_policy_list, n_entry) {
-		if (it->n_gw_ip != np->n_gw_ip)
+		if (it->n_taddr != np->n_taddr)
 			continue;
 		pm = it->n_portmap;
 		break;
+	}
 	if (pm == NULL) {
 		/* Allocate a new port map for the NAT policy. */
 		pm = kmem_zalloc(sizeof(npf_portmap_t) +
 		    (PORTMAP_SIZE * sizeof(uint32_t)), KM_SLEEP);
 		if (pm == NULL) {
 			kmem_free(np, sizeof(npf_natpolicy_t));
 			return NULL;
+		}
 		pm->p_refcnt = 1;
 		KASSERT((uintptr_t)pm->p_bitmap == (uintptr_t)pm + sizeof(*pm));
 	} else {
 		/* Share the port map. */
 		pm->p_refcnt++;
+	}
 nopm:
 	np->n_portmap = pm;
 	/*
 	 * Note: old policies with new might co-exist in the list,
 	 * while reload is in progress, but that is not an issue.
 	 */
 	LIST_INSERT_HEAD(&nat_policy_list, np, n_entry);
 	return np;
+}
 /*
  * npf_nat_freepolicy: free NAT policy and, on last reference, free portmap.
+ *
  * => Called from npf_rule_free() during the reload via npf_nat_reload().
  */
 void
 npf_nat_freepolicy(npf_natpolicy_t *np)
+{
 	npf_portmap_t *pm = np->n_portmap;
 	LIST_REMOVE(np, n_entry);
-	if (--pm->p_refcnt == 0) {
+	if (pm && --pm->p_refcnt == 0) {
 		KASSERT((np->n_flags & NPF_NAT_PORTMAP) != 0);
 		kmem_free(pm, sizeof(npf_portmap_t) +
 		    (PORTMAP_SIZE * sizeof(uint32_t)));
+	}
 	kmem_free(np, sizeof(npf_natpolicy_t));
+}
 /*
  * npf_nat_reload: activate new ruleset of NAT policies and destroy old.
+ *
  * => Destruction of ruleset will perform npf_nat_freepolicy() for each policy.
  */
 void
 npf_nat_reload(npf_ruleset_t *nset)
 @@ -235,27 +264,27 @@ npf_nat_getport(npf_natpolicy_t *np)
 	npf_portmap_t *pm = np->n_portmap;
 	u_int n = PORTMAP_SIZE, idx, bit;
 	uint32_t map, nmap;
 	idx = arc4random() % PORTMAP_SIZE;
 	for (;;) {
 		KASSERT(idx < PORTMAP_SIZE);
 		map = pm->p_bitmap[idx];
 		if (__predict_false(map == PORTMAP_FILLED)) {
 			if (n-- == 0) {
 				/* No space. */
 				return 0;
+			}
-			/* This bitmap is sfilled, next. */
+			/* This bitmap is filled, next. */
 			idx = (idx ? idx : PORTMAP_SIZE) - 1;
 			continue;
+		}
 		bit = ffs32(~map) - 1;
 		nmap = map | (1 << bit);
 		if (atomic_cas_32(&pm->p_bitmap[idx], map, nmap) == map) {
 			/* Success. */
 			break;
+		}
+	}
 	return htons(PORTMAP_FIRST + (idx << PORTMAP_SHIFT) + bit);
+}
 @@ -272,279 +301,326 @@ npf_nat_putport(npf_natpolicy_t *np, in_
 	u_int idx, bit;
 	port = ntohs(port) - PORTMAP_FIRST;
 	idx = port >> PORTMAP_SHIFT;
 	bit = port & PORTMAP_MASK;
 	do {
 		map = pm->p_bitmap[idx];
 		KASSERT(map | (1 << bit));
 		nmap = map & ~(1 << bit);
 	} while (atomic_cas_32(&pm->p_bitmap[idx], map, nmap) != map);
+}
 /*
- * npf_natout:
+ * npf_nat_inspect: inspect packet against NAT ruleset and return a policy.
  *	- Inspect packet for a NAT policy, unless session with NAT
  *	  association already exists.
  *	- Perform "forwards" translation: rewrite source address, etc.
  *	- Establish sessions or if already exists, associate NAT policy.
  */
-int
+static npf_natpolicy_t *
-npf_natout(npf_cache_t *npc, npf_session_t *se, nbuf_t *nbuf,
+npf_nat_inspect(npf_cache_t *npc, nbuf_t *nbuf, struct ifnet *ifp, const int di)
     struct ifnet *ifp, const int layer)
 	npf_rule_t *rl;
 	rl = npf_ruleset_match(nat_ruleset, npc, nbuf, ifp, di, NPF_LAYER_3);
 	return rl ? npf_rule_getnat(rl) : NULL;
+}
 /*
  * npf_nat_create: create a new NAT translation entry.
  */
 static npf_nat_t *
 npf_nat_create(npf_cache_t *npc, npf_natpolicy_t *np)
+{
 	const int proto = npc->npc_proto;
 	npf_nat_t *nt;
 	/* New NAT association. */
 	nt = pool_cache_get(nat_cache, PR_NOWAIT);
 	if (nt == NULL){
 		return NULL;
+	}
 	nt->nt_natpolicy = np;
 	nt->nt_alg = NULL;
 	/* Save the original address which may be rewritten. */
 	if (np->n_type == NPF_NATOUT) {
 		/* Source (local) for Outbound NAT. */
 		nt->nt_oaddr = npc->npc_srcip;
 	} else {
 		/* Destination (external) for Inbound NAT. */
 		KASSERT(np->n_type == NPF_NATIN);
 		nt->nt_oaddr = npc->npc_dstip;
+	}
 	/*
 	 * Port translation, if required, and if it is TCP/UDP.
 	 */
 	if ((np->n_flags & NPF_NAT_PORTS) == 0 ||
 	    (proto != IPPROTO_TCP && proto != IPPROTO_UDP)) {
 		nt->nt_oport = 0;
 		nt->nt_tport = 0;
 		return nt;
+	}
 	/* Save a relevant TCP/UDP port. */
 	KASSERT(npf_iscached(npc, NPC_PORTS));
 	if (np->n_type == NPF_NATOUT) {
 		nt->nt_oport = npc->npc_sport;
 	} else {
 		nt->nt_oport = npc->npc_dport;
+	}
 	/* Get a new port for translation. */
 	if ((np->n_flags & NPF_NAT_PORTMAP) != 0) {
 		nt->nt_tport = npf_nat_getport(np);
 	} else {
 		nt->nt_tport = np->n_tport;
+	}
 	return nt;
+}
 /*
  * npf_nat_translate: perform address and/or port translation.
  */
 static int
 npf_nat_translate(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt,
     const bool forw, const int di)
+{
 	const npf_natpolicy_t *np = nt->nt_natpolicy;
 	void *n_ptr = nbuf_dataptr(nbuf);
-	npf_session_t *nse = NULL; /* XXXgcc */
+	in_addr_t addr;
 	in_port_t port;
 	KASSERT(npf_iscached(npc, NPC_IP46 | NPC_ADDRS));
 	if (forw) {
 		/* "Forwards" stream: use translation address/port. */
 		KASSERT(
 		    (np->n_type == NPF_NATIN && di == PFIL_IN) ^
 		    (np->n_type == NPF_NATOUT && di == PFIL_OUT)
 		);
 		addr = np->n_taddr;
 		port = nt->nt_tport;
 	} else {
 		/* "Backwards" stream: use original address/port. */
 		KASSERT(
 		    (np->n_type == NPF_NATIN && di == PFIL_OUT) ^
 		    (np->n_type == NPF_NATOUT && di == PFIL_IN)
 		);
 		addr = nt->nt_oaddr;
 		port = nt->nt_oport;
+	}
 	/* Execute ALG hooks first. */
 	npf_alg_exec(npc, nbuf, nt, di);
 	/*
 	 * Address translation: rewrite source/destination address, depending
 	 * on direction (PFIL_OUT - for source, PFIL_IN - for destination).
 	 * Note: cache will be used in npf_rwrport(), update only in the end.
 	 */
 	if (!npf_rwrip(npc, nbuf, n_ptr, di, addr)) {
 		return EINVAL;
+	}
 	if ((np->n_flags & NPF_NAT_PORTS) == 0) {
 		/* Cache new address. */
 		if (di == PFIL_OUT) {
 			npc->npc_srcip = addr;
 		} else {
 			npc->npc_dstip = addr;
+		}
 		return 0;
+	}
 	switch (npc->npc_proto) {
 	case IPPROTO_TCP:
 	case IPPROTO_UDP:
 		KASSERT(npf_iscached(npc, NPC_PORTS));
 		/* Rewrite source/destination port. */
 		if (!npf_rwrport(npc, nbuf, n_ptr, di, port, addr)) {
 			return EINVAL;
+		}
 		break;
 	case IPPROTO_ICMP:
 		/* None. */
 		break;
 	default:
 		return ENOTSUP;
+	}
 	/* Cache new address and port. */
 	if (di == PFIL_OUT) {
 		npc->npc_srcip = addr;
 		npc->npc_sport = port;
 	} else {
 		npc->npc_dstip = addr;
 		npc->npc_dport = port;
+	}
 	return 0;
+}
 /*
  * npf_do_nat:
  *	- Inspect packet for a NAT policy, unless a session with a NAT
  *	  association already exists.  In such case, determine whether is
  *	  is a "forwards" or "backwards" stream.
  *	- Perform translation: rewrite source address if "forwards" stream
  *	  and destination address if "backwards".
  *	- Establish sessions or, if already exists, associate a NAT policy.
  */
 int
 npf_do_nat(npf_cache_t *npc, npf_session_t *se, nbuf_t *nbuf,
     struct ifnet *ifp, const int di)
+{
 	npf_session_t *nse = NULL;
 	npf_natpolicy_t *np;
 	npf_nat_t *nt;
 	npf_rule_t *rl;
 	in_addr_t gwip;
 	in_port_t tport;
 	int error;
-	bool new;
+	bool forw, new;
 	/* All relevant IPv4 data should be already cached. */
 	if (!npf_iscached(npc, NPC_IP46 | NPC_ADDRS)) {
 		return 0;
+	}
-	/* Detect if there is a linked session pointing to the NAT entry. */
+	/*
-	nt = se ? npf_session_retlinknat(se) : NULL;
+	 * Return the NAT entry associated with the session, if any.
-	if (nt) {
+	 * Assumptions:
 	 * - If associated via linked session, then "forwards" stream.
 	 * - If associated directly, then "backwards" stream.
 	 */
 	if (se && (nt = npf_session_retnat(se, di, &forw)) != NULL) {
 		np = nt->nt_natpolicy;
 		new = false;
-		goto skip;
+		goto translate;
+	}
-	/* Inspect packet against NAT ruleset, return a policy. */
+	/* Inspect the packet for a NAT policy, if there is no session. */
-	rl = npf_ruleset_match(nat_ruleset, npc, nbuf, ifp, PFIL_OUT, layer);
+	np = npf_nat_inspect(npc, nbuf, ifp, di);
 	np = rl ? npf_rule_getnat(rl) : NULL;
 	if (np == NULL) {
 		/* If packet does not match - done. */
 		return 0;
+	}
 	forw = true;
-	/* New NAT association. */
+	/* Create a new NAT translation entry. */
-	nt = pool_cache_get(nat_cache, PR_NOWAIT);
+	nt = npf_nat_create(npc, np);
-	if (nt == NULL){
+	if (nt == NULL) {
 		return ENOMEM;
+	}
 	nt->nt_natpolicy = np;
 	nt->nt_alg = NULL;
 	new = true;
-	/* Save local (source) address. */
+	/*
-	nt->nt_laddr = npc->npc_srcip;
+	 * If there is no local session (no "keep state" rule - unusual, but
 	 * possible configuration), establish one before translation.  Note
-	if (proto == IPPROTO_TCP || proto == IPPROTO_UDP) {
+	 * that it is not a "pass" session, therefore passing of "backwards"
-		/* Also, save local TCP/UDP port. */
+	 * stream depends on other, stateless filtering rules.
-		KASSERT(npf_iscached(npc, NPC_PORTS));
+	 */
 		nt->nt_lport = npc->npc_sport;
 		/* Get a new port for translation. */
 		nt->nt_tport = npf_nat_getport(np);
 	} else {
 		nt->nt_lport = 0;
 		nt->nt_tport = 0;
 	/* Match any ALGs. */
 	npf_alg_exec(npc, nbuf, nt, PFIL_OUT);
 	/* If there is no local session, establish one before translation. */
 	if (se == NULL) {
-		nse = npf_session_establish(npc, NULL, PFIL_OUT);
+		nse = npf_session_establish(npc, NULL, di);
 		if (nse == NULL) {
 			error = ENOMEM;
 			goto out;
+		}
 		se = nse;
 	} else {
 		nse = NULL;
+	}
-skip:
+translate:
-	if (layer == NPF_LAYER_2 && /* XXX */
+	/* Perform the translation. */
-	    (n_ptr = nbuf_advance(&nbuf, n_ptr, npc->npc_elen)) == NULL)
+	error = npf_nat_translate(npc, nbuf, nt, forw, di);
-		return EINVAL;
+	if (error) {
 	/* Execute ALG hooks first. */
 	npf_alg_exec(npc, nbuf, nt, PFIL_OUT);
 	gwip = np->n_gw_ip;
 	tport = nt->nt_tport;
 	/*
 	 * Perform translation: rewrite source address et al.
 	 * Note: cache may be used in npf_rwrport(), update only in the end.
 	 */
 	if (!npf_rwrip(npc, nbuf, n_ptr, PFIL_OUT, gwip)) {
 		error = EINVAL;
 		goto out;
+	}
 	if (proto == IPPROTO_TCP || proto == IPPROTO_UDP) {
 		KASSERT(tport != 0);
 		if (!npf_rwrport(npc, nbuf, n_ptr, PFIL_OUT, tport, gwip)) {
 			error = EINVAL;
 			goto out;
 	/* Success: cache new address and port (if any). */
 	npc->npc_srcip = gwip;
 	npc->npc_sport = tport;
 	error = 0;
 	if (__predict_false(new)) {
 		npf_session_t *natse;
 		/*
 		 * Establish a new NAT session using translated address and
 		 * associate NAT translation data with this session.
+		 *
 		 * Note: packet now has a translated address in the cache.
 		 */
-		natse = npf_session_establish(npc, nt, PFIL_OUT);
+		natse = npf_session_establish(npc, nt, di);
 		if (natse == NULL) {
 			error = ENOMEM;
 			goto out;
+		}
 		/*
 		 * Link local session with NAT session, if no link already.
 		 */
 		npf_session_link(se, natse);
 		npf_session_release(natse);
 out:
 		if (error) {
 			if (nse != NULL) {
-				/* XXX: expire local session if new? */
+				/* XXX: Expire it?? */
+			}
 			/* Will free the structure and return the port. */
 			npf_nat_expire(nt);
+		}
 		if (nse != NULL) {
 			/* Drop the reference local session was new. */
 			npf_session_release(nse);
+		}
+	}
 	return error;
+}
 /*
- * npf_natin:
+ * npf_nat_getorig: return original IP address and port from translation entry.
  *	- Inspect packet for a session with associated NAT policy.
  *	- Perform "backwards" translation: rewrite destination address, etc.
  */
 int
 npf_natin(npf_cache_t *npc, npf_session_t *se, nbuf_t *nbuf, const int layer)
 	npf_nat_t *nt = se ? npf_session_retnat(se) : NULL;
 	if (nt == NULL) {
 		/* No association - no translation. */
 		return 0;
 	KASSERT(npf_iscached(npc, NPC_IP46 | NPC_ADDRS));
 	void *n_ptr = nbuf_dataptr(nbuf);
 	in_addr_t laddr = nt->nt_laddr;
 	in_port_t lport = nt->nt_lport;
 	if (layer == NPF_LAYER_2) {
 		n_ptr = nbuf_advance(&nbuf, n_ptr, npc->npc_elen);
 		if (n_ptr == NULL) {
 			return EINVAL;
 	/* Execute ALG hooks first. */
 	npf_alg_exec(npc, nbuf, nt, PFIL_IN);
 	/*
 	 * Address translation: rewrite destination address.
 	 * Note: cache will be used in npf_rwrport(), update only in the end.
 	 */
 	if (!npf_rwrip(npc, nbuf, n_ptr, PFIL_IN, laddr)) {
 		return EINVAL;
 	switch (npc->npc_proto) {
 	case IPPROTO_TCP:
 	case IPPROTO_UDP:
 		KASSERT(npf_iscached(npc, NPC_PORTS));
 		/* Rewrite destination port. */
 		if (!npf_rwrport(npc, nbuf, n_ptr, PFIL_IN, lport, laddr)) {
 			return EINVAL;
 		break;
 	case IPPROTO_ICMP:
 		/* None. */
 		break;
 	default:
 		return ENOTSUP;
 	/* Cache new address and port. */
 	npc->npc_dstip = laddr;
 	npc->npc_dport = lport;
 	return 0;
 /*
  * npf_nat_getlocal: return local IP address and port from translation entry.
  */
 void
-npf_nat_getlocal(npf_nat_t *nt, in_addr_t *addr, in_port_t *port)
+npf_nat_getorig(npf_nat_t *nt, in_addr_t *addr, in_port_t *port)
+{
-	*addr = nt->nt_laddr;
+	*addr = nt->nt_oaddr;
-	*port = nt->nt_lport;
+	*port = nt->nt_oport;
+}
 void
 npf_nat_setalg(npf_nat_t *nt, npf_alg_t *alg, uintptr_t arg)
+{
 	nt->nt_alg = alg;
 	nt->nt_alg_arg = arg;
+}
 /*
  * npf_nat_expire: free NAT-related data structures on session expiration.
  */
 void
 npf_nat_expire(npf_nat_t *nt)
+{
 	npf_natpolicy_t *np = nt->nt_natpolicy;
-	if (nt->nt_tport) {
+	if ((np->n_flags & NPF_NAT_PORTMAP) != 0) {
-		npf_natpolicy_t *np = nt->nt_natpolicy;
+		KASSERT(nt->nt_tport != 0);
 		npf_nat_putport(np, nt->nt_tport);
+	}
 	pool_cache_put(nat_cache, nt);
+}
 #if defined(DDB) || defined(_NPF_TESTING)
 void
 npf_nat_dump(npf_nat_t *nt)
+{
 	npf_natpolicy_t *np;
 	struct in_addr ip;
 	if (nt) {
 		np = nt->nt_natpolicy;
 		goto skip;
+	}
 	LIST_FOREACH(np, &nat_policy_list, n_entry) {
 skip:
-		ip.s_addr = np->n_gw_ip;
+		ip.s_addr = np->n_taddr;
-		printf("\tNAT policy: gw_ip = %s\n", inet_ntoa(ip));
+		printf("\tNAT policy: type = %d, flags = %d, taddr = %s\n",
 		    np->n_type, np->n_flags, inet_ntoa(ip));
 		if (nt == NULL) {
 			continue;
+		}
-		ip.s_addr = nt->nt_laddr;
+		ip.s_addr = nt->nt_oaddr;
-		printf("\tNAT: original address %s, lport %d, tport = %d\n",
+		printf("\tNAT: original address %s, oport %d, tport = %d\n",
-		    inet_ntoa(ip), ntohs(nt->nt_lport), ntohs(nt->nt_tport));
+		    inet_ntoa(ip), ntohs(nt->nt_oport), ntohs(nt->nt_tport));
 		if (nt->nt_alg) {
 			printf("\tNAT ALG = %p, ARG = %p\n",
 			    nt->nt_alg, (void *)nt->nt_alg_arg);
+		}
 		return;
+	}
+}
 #endif

--- src/sys/net/npf/Attic/npf_ncode.h 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/Attic/npf_ncode.h 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_ncode.h,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_ncode.h,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -93,15 +93,16 @@ void	npf_ncode_free(void *, size_t);
 /*
  * CISC-like n-code instructions.
  */
 #define	NPF_OPCODE_ETHER		0x80
 #define	NPF_OPCODE_IP4MASK		0x90
 #define	NPF_OPCODE_IP4TABLE		0x91
 #define	NPF_OPCODE_ICMP4		0x92
 #define	NPF_OPCODE_TCP_PORTS		0xa0
 #define	NPF_OPCODE_UDP_PORTS		0xa1
 #define	NPF_OPCODE_TCP_FLAGS		0xa2
 #endif

--- src/sys/net/npf/Attic/npf_processor.c 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/Attic/npf_processor.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_processor.c,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_processor.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -45,27 +45,27 @@
  * be fully optimized.
+ *
  * N-code memory address and thus instructions should be word aligned.
  * All processing is done in 32 bit words, since both instructions (their
  * codes) and arguments use 32 bits words.
+ *
  * TODO:
  * - There is some space for better a abstraction.  Duplicated opcode
  *   maintenance in npf_ncode_process() and nc_insn_check() might be avoided.
  */
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
 #endif
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/types.h>
 #include <sys/kmem.h>
 #include "npf_impl.h"
 #include "npf_ncode.h"
 /*
  * nc_fetch_word: fetch a word (32 bits) from the n-code and increase
  * instruction pointer by one word.
 @@ -144,27 +144,27 @@ npf_ncode_process(npf_cache_t *npc, cons
 	nbuf_t *	nbuf;
 	/* Data pointer in the current nbuf. */
 	void *		n_ptr;
 	/* Virtual registers. */
 	uint32_t	regs[NPF_NREGS];
 	/* Local, state variables. */
 	uint32_t d, i, n;
 	u_int lcount;
 	int cmpval;
 	i_ptr = ncode;
 	regs[0] = layer;
-	lcount = NPF_LOOP_LIMIT;	/* XXX */
+	lcount = NPF_LOOP_LIMIT;
 	cmpval = 0;
 	/* Note: offset = n_ptr - nbuf_dataptr(nbuf); */
 	nbuf = nbuf0;
 	n_ptr = nbuf_dataptr(nbuf);
 process_next:
 	/*
 	 * Loop must always start on instruction, therefore first word
 	 * should be an opcode.  Most used instructions are checked first.
 	 */
 	i_ptr = nc_fetch_word(i_ptr, &d);
 	if (__predict_true(NPF_CISC_OPCODE(d))) {
 @@ -294,30 +294,35 @@ cisc_like:
 		i_ptr = nc_fetch_double(i_ptr, &n, &i);
 		cmpval = npf_match_ip4table(npc, nbuf, n_ptr, n, i);
 		break;
 	case NPF_OPCODE_TCP_PORTS:
 		/* Source/destination, port range. */
 		i_ptr = nc_fetch_double(i_ptr, &n, &i);
 		cmpval = npf_match_tcp_ports(npc, nbuf, n_ptr, n, i);
 		break;
 	case NPF_OPCODE_UDP_PORTS:
 		/* Source/destination, port range. */
 		i_ptr = nc_fetch_double(i_ptr, &n, &i);
 		cmpval = npf_match_udp_ports(npc, nbuf, n_ptr, n, i);
 		break;
 	case NPF_OPCODE_TCP_FLAGS:
 		/* TCP flags/mask. */
 		i_ptr = nc_fetch_word(i_ptr, &n);
 		cmpval = npf_match_tcpfl(npc, nbuf, n_ptr, n);
 		break;
 	case NPF_OPCODE_ICMP4:
-		/* ICMP type, code. */
+		/* ICMP type/code. */
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);
+		i_ptr = nc_fetch_word(i_ptr, &n);
-		cmpval = npf_match_icmp4(npc, nbuf, n_ptr, n, i);
+		cmpval = npf_match_icmp4(npc, nbuf, n_ptr, n);
 		break;
 	default:
 		/* Invalid instruction. */
 		KASSERT(false);
+	}
 	goto process_next;
 fail:
 	/* Failure case. */
 	return -1;
+}
 /*
  * nc_ptr_check: validate that instruction pointer is not out of range.
 @@ -437,28 +442,31 @@ jmp_check:
 		break;
 	case NPF_OPCODE_IP4MASK:
 		error = nc_ptr_check(&iptr, nc, sz, 3, NULL, 0);
 		break;
 	case NPF_OPCODE_IP4TABLE:
 		error = nc_ptr_check(&iptr, nc, sz, 2, NULL, 0);
 		break;
 	case NPF_OPCODE_TCP_PORTS:
 		error = nc_ptr_check(&iptr, nc, sz, 2, NULL, 0);
 		break;
 	case NPF_OPCODE_UDP_PORTS:
 		error = nc_ptr_check(&iptr, nc, sz, 2, NULL, 0);
 		break;
 	case NPF_OPCODE_TCP_FLAGS:
 		error = nc_ptr_check(&iptr, nc, sz, 1, NULL, 0);
 		break;
 	case NPF_OPCODE_ICMP4:
-		error = nc_ptr_check(&iptr, nc, sz, 2, NULL, 0);
+		error = nc_ptr_check(&iptr, nc, sz, 1, NULL, 0);
 		break;
 	default:
 		/* Invalid instruction. */
 		return NPF_ERR_OPCODE;
+	}
 	if (error) {
 		return error;
+	}
 	if ((u_int)regidx >= NPF_NREGS) {
 		/* Invalid register. */
 		return NPF_ERR_REG;
+	}
 	*adv = iptr - optr;

--- src/sys/net/npf/npf_ruleset.c 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/npf_ruleset.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_ruleset.c,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -29,27 +29,27 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF ruleset module.
+ *
  * Lock order:
+ *
  *	ruleset_lock -> table_lock -> npf_table_t::t_lock
  */
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
 #include <sys/param.h>
 #include <sys/kernel.h>
 #endif
 #include <sys/atomic.h>
 #include <sys/kmem.h>
 #include <sys/pool.h>
 #include <sys/queue.h>
 #include <sys/rwlock.h>
 #include <sys/types.h>
 #include <net/if.h>
 @@ -220,26 +220,27 @@ npf_rule_alloc(int attr, pri_t pri, int
 		return NULL;
+	}
 	TAILQ_INIT(&rl->r_subset.rs_queue);
 	LIST_INIT(&rl->r_hooks);
 	rl->r_priority = pri;
 	rl->r_attr = attr;
 	rl->r_ifid = ifidx;
 	rl->r_ncode = nc;
 	rl->r_nc_size = sz;
 	rl->r_hitcount = 0;
 	rl->r_nat = NULL;
 	return rl;
+}
 #if 0
 /*
  * npf_activate_rule: activate rule by inserting it into the global ruleset.
  */
 void
 npf_activate_rule(npf_rule_t *rl)
+{
 	rw_enter(&ruleset_lock, RW_WRITER);
 	npf_ruleset_insert(ruleset, rl);
 	rw_exit(&ruleset_lock);
+}
 @@ -324,144 +325,146 @@ npf_hook_register(npf_rule_t *rl,
  * => Hook should have been registered in the rule.
  */
 void
 npf_hook_unregister(npf_rule_t *rl, npf_hook_t *hk)
+{
 	rw_enter(&ruleset_lock, RW_WRITER);
 	LIST_REMOVE(hk, hk_entry);
 	rw_exit(&ruleset_lock);
 	kmem_free(hk, sizeof(npf_hook_t));
+}
 /*
- * npf_ruleset_match: inspect the packet against the ruleset.
+ * npf_ruleset_match: inspect the packet against the given ruleset.
  * Loop for each rule in the set and perform run n-code processor of each
  * rule against the packet (nbuf chain).  If sub-ruleset found, inspect it.
+ *
- * => If found, ruleset is kept read-locked.
+ * Loop for each rule in the set and run n-code processor of each rule
- * => Caller should protect the nbuf chain.
+ * against the packet (nbuf chain).
  */
 npf_rule_t *
-npf_ruleset_match(npf_ruleset_t *rlset0, npf_cache_t *npc, nbuf_t *nbuf,
+npf_ruleset_match(npf_ruleset_t *rlset, npf_cache_t *npc, nbuf_t *nbuf,
     struct ifnet *ifp, const int di, const int layer)
+{
 	npf_rule_t *final_rl = NULL, *rl;
 	npf_ruleset_t *rlset = rlset0;
 	KASSERT(((di & PFIL_IN) != 0) ^ ((di & PFIL_OUT) != 0));
 reinspect:
 	TAILQ_FOREACH(rl, &rlset->rs_queue, r_entry) {
 		KASSERT(!final_rl || rl->r_priority >= final_rl->r_priority);
 		/* Match the interface. */
 		if (rl->r_ifid && rl->r_ifid != ifp->if_index) {
 			continue;
+		}
 		/* Match the direction. */
 		if ((rl->r_attr & NPF_RULE_DIMASK) != NPF_RULE_DIMASK) {
 			const int di_mask =
 			    (di & PFIL_IN) ? NPF_RULE_IN : NPF_RULE_OUT;
 			if ((rl->r_attr & di_mask) == 0)
 				continue;
+		}
 		/* Process the n-code, if any. */
 		const void *nc = rl->r_ncode;
 		if (nc && npf_ncode_process(npc, nc, nbuf, layer)) {
 			continue;
+		}
 		/* Set the matching rule and check for "final". */
 		final_rl = rl;
 		if (rl->r_attr & NPF_RULE_FINAL) {
-			goto final;
+			break;
 	/* Default, if no final rule. */
 	if (final_rl == NULL) {
 		rlset = rlset0;
 		final_rl = rlset->rs_default;
 	/* Inspect the sub-ruleset, if any. */
 	if (final_rl) {
 final:
 		if (TAILQ_EMPTY(&final_rl->r_subset.rs_queue)) {
 			return final_rl;
+		}
 		rlset = &final_rl->r_subset;
 		final_rl = NULL;
 		goto reinspect;
+	}
 	return final_rl;
+}
 /*
  * npf_ruleset_inspect: inspection of the main ruleset for filtering.
  * If sub-ruleset is found, inspect it.
+ *
  * => If found, ruleset is kept read-locked.
  * => Caller should protect the nbuf chain.
  */
 npf_rule_t *
 npf_ruleset_inspect(npf_cache_t *npc, nbuf_t *nbuf,
     struct ifnet *ifp, const int di, const int layer)
+{
 	npf_ruleset_t *rlset = ruleset;
 	npf_rule_t *rl;
 	bool defed;
 	defed = false;
 	rw_enter(&ruleset_lock, RW_READER);
-	rl = npf_ruleset_match(ruleset, npc, nbuf, ifp, di, layer);
+reinspect:
 	rl = npf_ruleset_match(rlset, npc, nbuf, ifp, di, layer);
 	/* If no final rule, then - default. */
 	if (rl == NULL && !defed) {
 		rl = ruleset->rs_default;
 		defed = true;
+	}
 	/* Inspect the sub-ruleset, if any. */
 	if (rl && !TAILQ_EMPTY(&rl->r_subset.rs_queue)) {
 		rlset = &rl->r_subset;
 		goto reinspect;
+	}
 	if (rl == NULL) {
 		rw_exit(&ruleset_lock);
+	}
 	return rl;
+}
 /*
  * npf_rule_apply: apply the rule i.e. run hooks and return appropriate value.
+ *
  * => Returns ENETUNREACH if "block" and 0 if "pass".
  * => Releases the ruleset lock.
  */
 int
-npf_rule_apply(const npf_cache_t *npc, npf_rule_t *rl, bool *keepstate)
+npf_rule_apply(const npf_cache_t *npc, npf_rule_t *rl,
     bool *keepstate, int *retfl)
+{
 	npf_hook_t *hk;
 	KASSERT(rw_lock_held(&ruleset_lock));
 	/* Update the "hit" counter. */
 	if (rl->r_attr & NPF_RULE_COUNT) {
 		atomic_inc_ulong(&rl->r_hitcount);
+	}
 	/* If not passing - drop the packet. */
 	if ((rl->r_attr & NPF_RULE_PASS) == 0) {
 		/* Determine whether any return message is needed. */
 		*retfl = rl->r_attr & (NPF_RULE_RETRST | NPF_RULE_RETICMP);
 		rw_exit(&ruleset_lock);
 		return ENETUNREACH;
+	}
 	/* Passing.  Run the hooks. */
 	LIST_FOREACH(hk, &rl->r_hooks, hk_entry) {
 		KASSERT(hk->hk_fn != NULL);
 		(*hk->hk_fn)(npc, hk->hk_arg);
+	}
 	*keepstate = (rl->r_attr & NPF_RULE_KEEPSTATE) != 0;
 	rw_exit(&ruleset_lock);
 	return 0;
+}
 #if defined(DDB) || defined(_NPF_TESTING)
 void
 npf_rulenc_dump(npf_rule_t *rl)
+{
 	uint32_t *op = rl->r_ncode;
 	size_t n = rl->r_nc_size;
-	do {
+	while (n) {
 		printf("\t> |0x%02x|\n", (uint32_t)*op);
 		op++;
 		n -= sizeof(*op);
 	} while (n);
 	printf("-> %s\n", (rl->r_attr & NPF_RULE_PASS) ? "pass" : "block");
+}
 #endif

--- src/sys/net/npf/Attic/npf_session.c 2010/08/22 18:56:22	1.1
+++ src/sys/net/npf/Attic/npf_session.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_session.c,v 1.1 2010/08/22 18:56:22 rmind Exp $	*/
+/*	$NetBSD: npf_session.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -24,26 +24,31 @@
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF session tracking for stateful filtering and translation.
+ *
  * Overview
+ *
  *	Session direction is identified by the direction of its first packet.
  *	Packets can be incoming or outgoing with respect to an interface.
  *	To describe the packet in the context of session direction, we will
  *	use the terms "forwards stream" and "backwards stream".
+ *
  *	There are two types of sessions: "pass" and "NAT".  The former are
  *	sessions created according to the rules with "keep state" attribute
  *	and are used for stateful filtering.  Such sessions indicate that
  *	packet of the "backwards" stream should be passed without inspection
  *	of the ruleset.
+ *
  *	NAT sessions are created according to the NAT policies.  Since they
  *	are used to perform translation, such sessions have 1:1 relationship
  *	with NAT translation structure via npf_session_t::s_nat.  Therefore,
  *	non-NULL value of npf_session_t::s_nat indicates this session type.
+ *
  * Session life-cycle
+ *
 @@ -70,64 +75,61 @@
  * External session identifiers
+ *
  *	Application-level gateways (ALGs) can inspect the packet and fill
  *	the packet cache (npf_cache_t) representing the IDs.  It is done
  *	via npf_alg_sessionid() call.  In such case, ALGs are responsible
  *	for correct filling of protocol, addresses and ports/IDs.
+ *
  * TODO:
  * - Session monitoring via descriptor.
  */
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_session.c,v 1.1 2010/08/22 18:56:22 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_session.c,v 1.2 2010/09/16 04:53:27 rmind Exp $");
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>
 #endif
 #include <sys/atomic.h>
 #include <sys/condvar.h>
 #include <sys/hash.h>
 #include <sys/kmem.h>
 #include <sys/kthread.h>
 #include <sys/mutex.h>
 #include <net/pfil.h>
 #include <sys/pool.h>
 #include <sys/rwlock.h>
 #include <sys/queue.h>
 #include <sys/systm.h>
 #include <sys/types.h>
 #include "npf_impl.h"
 #define	NPF_SESSION_TCP		1
 #define	NPF_SESSION_UDP		2
 #define	NPF_SESSION_ICMP	3
 struct npf_session {
 	/* Session node / list entry and reference count. */
 	union {
 		struct rb_node		rbnode;
 		LIST_ENTRY(npf_session)	gclist;
 	} se_entry;
 	u_int				s_refcnt;
 	/* Session type.  Supported: TCP, UDP, ICMP. */
 	int				s_type;
 	int				s_direction;
-	int				s_state;
+	uint16_t			s_state;
 	uint16_t			s_flags;
 	/* NAT data associated with this session (if any). */
 	npf_nat_t *			s_nat;
 	npf_session_t *			s_nat_se;
 	/* Source and destination addresses. */
 	in_addr_t			s_src_addr;
 	in_addr_t			s_dst_addr;
 	/* Source and destination ports (TCP / UDP) or generic IDs. */
 	union {
 		in_port_t		port;
 		uint32_t		id;
 	} s_src;
 	union {
 		in_port_t		port;
 @@ -142,55 +144,57 @@ struct npf_session {
     (npf_session_t *)((uintptr_t)n - offsetof(npf_session_t, se_entry.rbnode))
 LIST_HEAD(npf_sesslist, npf_session);
 #define	SESS_HASH_BUCKETS		1024	/* XXX tune + make tunable */
 #define	SESS_HASH_MASK			(SESS_HASH_BUCKETS - 1)
 typedef struct {
 	struct rb_tree			sh_tree;
 	krwlock_t			sh_lock;
 	u_int				sh_count;
 } npf_sess_hash_t;
-/* XXX: give a separate cache-line to these. */
+static int				sess_tracking	__cacheline_aligned;
 static int				sess_tracking;
 /* Session hash table, lock and session cache. */
-static npf_sess_hash_t *		sess_hashtbl;
+static npf_sess_hash_t *		sess_hashtbl	__read_mostly;
-static pool_cache_t			sess_cache;
+static pool_cache_t			sess_cache	__read_mostly;
 static kmutex_t				sess_lock;
 static kcondvar_t			sess_cv;
 static lwp_t *				sess_gc_lwp;
 #define	SESS_GC_INTERVAL		5		/* 5 sec */
 /* Session expiration table.  XXX: TCP close: 2 * tcp_msl (e.g. 120)?  Maybe. */
 static const u_int sess_expire_table[ ] = {
-	[NPF_SESSION_TCP]		= 600,		/* 10 min */
+	[IPPROTO_TCP]		= 600,		/* 10 min */
-	[NPF_SESSION_UDP]		= 300,		/*  5 min */
+	[IPPROTO_UDP]		= 300,		/*  5 min */
-	[NPF_SESSION_ICMP]		= 30		/*  1 min */
+	[IPPROTO_ICMP]		= 30		/*  1 min */
 };
 /* Session states and flags. */
 #define	SE_OPENING		1
-#define	SE_OPENING2		2
+#define	SE_ACKNOWLEDGE		2
 #define	SE_ESTABLISHED		3
 #define	SE_CLOSING		4
 #define	SE_PASSSING		0x01
 static void	sess_tracking_stop(void);
 static void	npf_session_worker(void *);
-#ifdef DEBUG
+#ifdef SE_DEBUG
 #define	DPRINTF(x)	printf x
 #else
 #define	DPRINTF(x)
 #endif
 /*
  * npf_session_sys{init,fini}: initialise/destroy session handling structures.
+ *
  * Session table and G/C thread are initialised when session tracking gets
  * actually enabled via npf_session_tracking() interface.
  */
 int
 @@ -211,129 +215,159 @@ npf_session_sysfini(void)
 	/* Disable tracking to destroy all structures. */
 	error = npf_session_tracking(false);
 	KASSERT(error == 0);
 	KASSERT(sess_tracking == 0);
 	KASSERT(sess_gc_lwp == NULL);
 	cv_destroy(&sess_cv);
 	mutex_destroy(&sess_lock);
+}
 /*
  * Session hash table and RB-tree helper routines.
- * Order: (node1, node2) where (node1 < node2).
+ * Order: (src.id, dst.id, src.addr, dst.addr), where (node1 < node2).
  */
 static signed int
 sess_rbtree_cmp_nodes(const struct rb_node *n1, const struct rb_node *n2)
+{
-	const npf_session_t *se1 = NPF_RBN2SESENT(n1);
+	const npf_session_t * const se1 = NPF_RBN2SESENT(n1);
-	const npf_session_t *se2 = NPF_RBN2SESENT(n2);
+	const npf_session_t * const se2 = NPF_RBN2SESENT(n2);
 	if (se1->s_src.id < se2->s_src.id || se1->s_dst.id < se2->s_dst.id)
 		return 1;
 	if (se1->s_src.id > se2->s_src.id || se1->s_dst.id > se2->s_dst.id)
 		return -1;
 	if (se1->s_src_addr < se2->s_src_addr ||
 	    se1->s_dst_addr < se2->s_dst_addr)
 		return -1;
 	if (se1->s_src_addr > se2->s_src_addr ||
 	    se1->s_dst_addr > se2->s_dst_addr)
 		return 1;
 	/*
 	 * Note: must compare equivalent streams.
 	 * See sess_rbtree_cmp_key() below.
 	 */
 	if (se1->s_direction == se2->s_direction) {
 		/*
 		 * Direction "forwards".
 		 */
 		if (se1->s_src.id != se2->s_src.id)
 			return (se1->s_src.id < se2->s_src.id) ? -1 : 1;
 		if (se1->s_dst.id != se2->s_dst.id)
 			return (se1->s_dst.id < se2->s_dst.id) ? -1 : 1;
 		if (__predict_false(se1->s_src_addr != se2->s_src_addr))
 			return (se1->s_src_addr < se2->s_src_addr) ? -1 : 1;
 		if (__predict_false(se1->s_dst_addr != se2->s_dst_addr))
 			return (se1->s_dst_addr < se2->s_dst_addr) ? -1 : 1;
 	} else {
 		/*
 		 * Direction "backwards".
 		 */
 		if (se1->s_src.id != se2->s_dst.id)
 			return (se1->s_src.id < se2->s_dst.id) ? -1 : 1;
 		if (se1->s_dst.id != se2->s_src.id)
 			return (se1->s_dst.id < se2->s_src.id) ? -1 : 1;
 		if (__predict_false(se1->s_src_addr != se2->s_dst_addr))
 			return (se1->s_src_addr < se2->s_dst_addr) ? -1 : 1;
 		if (__predict_false(se1->s_dst_addr != se2->s_src_addr))
 			return (se1->s_dst_addr < se2->s_src_addr) ? -1 : 1;
+	}
 	return 0;
+}
 static signed int
 sess_rbtree_cmp_key(const struct rb_node *n1, const void *key)
+{
-	const npf_session_t *se = NPF_RBN2SESENT(n1);
+	const npf_session_t * const se = NPF_RBN2SESENT(n1);
-	const npf_cache_t *npc = key;
+	const npf_cache_t * const npc = key;
 	in_port_t sport, dport;
 	in_addr_t src, dst;
 	if (se->s_direction == npc->npc_dir) {
 		/* Direction "forwards". */
 		src = npc->npc_srcip; sport = npc->npc_sport;
 		dst = npc->npc_dstip; dport = npc->npc_dport;
 	} else {
 		/* Direction "backwards". */
 		src = npc->npc_dstip; sport = npc->npc_dport;
 		dst = npc->npc_srcip; dport = npc->npc_sport;
+	}
 	/* Ports are the main criteria and are first. */
-	if (se->s_src.id < sport || se->s_dst.id < dport)
+	if (se->s_src.id != sport)
-		return 1;
+		return (se->s_src.id < sport) ? -1 : 1;
 	if (se->s_src.id > sport || se->s_dst.id > dport)
-		return -1;
+	if (se->s_dst.id != dport)
 		return (se->s_dst.id < dport) ? -1 : 1;
 	/* Note that hash should minimise differentiation on these. */
-	if (__predict_false(se->s_src_addr < src || se->s_dst_addr < dst))
+	if (__predict_false(se->s_src_addr != src))
-		return 1;
+		return (se->s_src_addr < src) ? -1 : 1;
-	if (__predict_false(se->s_src_addr > src || se->s_dst_addr > dst))
+	if (__predict_false(se->s_dst_addr < dst))
-		return -1;
+		return (se->s_dst_addr < dst) ? -1 : 1;
 	return 0;
+}
 static const struct rb_tree_ops sess_rbtree_ops = {
 	.rbto_compare_nodes = sess_rbtree_cmp_nodes,
 	.rbto_compare_key = sess_rbtree_cmp_key
 };
 static inline npf_sess_hash_t *
 sess_hash_bucket(const npf_cache_t *key)
+{
 	uint32_t hash, mix;
 	KASSERT(npf_iscached(key, NPC_IP46 | NPC_ADDRS));
 	/* Sum addresses for both directions and mix in protocol. */
 	mix = key->npc_srcip + key->npc_dstip + key->npc_proto;
 	hash = hash32_buf(&mix, sizeof(uint32_t), HASH32_BUF_INIT);
 	return &sess_hashtbl[hash & SESS_HASH_MASK];
+}
 static npf_sess_hash_t *
 sess_hash_construct(void)
+{
 	npf_sess_hash_t *ht, *sh;
 	u_int i;
 	ht = kmem_alloc(SESS_HASH_BUCKETS * sizeof(*sh), KM_SLEEP);
 	if (ht == NULL) {
 		return NULL;
+	}
 	for (i = 0; i < SESS_HASH_BUCKETS; i++) {
 		sh = &ht[i];
 		rb_tree_init(&sh->sh_tree, &sess_rbtree_ops);
 		rw_init(&sh->sh_lock);
 		sh->sh_count = 0;
+	}
 	return ht;
+}
 /*
  * Session tracking routines.  Note: manages tracking structures.
  */
 static int
 sess_tracking_start(void)
+{
 	npf_sess_hash_t *sh;
 	u_int i;
 	sess_cache = pool_cache_init(sizeof(npf_session_t), coherency_unit,
 , 0, "npfsespl", NULL, IPL_NET, NULL, NULL, NULL);
 	if (sess_cache == NULL)
 		return ENOMEM;
-	sess_hashtbl = kmem_alloc(SESS_HASH_BUCKETS * sizeof(*sh), KM_SLEEP);
+	sess_hashtbl = sess_hash_construct();
 	if (sess_hashtbl == NULL) {
 		pool_cache_destroy(sess_cache);
 		return ENOMEM;
+	}
 	for (i = 0; i < SESS_HASH_BUCKETS; i++) {
 		sh = &sess_hashtbl[i];
 		rb_tree_init(&sh->sh_tree, &sess_rbtree_ops);
 		rw_init(&sh->sh_lock);
 		sh->sh_count = 0;
 	/* Make it visible before thread start. */
 	sess_tracking = 1;
 	if (kthread_create(PRI_NONE, KTHREAD_MPSAFE, NULL,
 	    npf_session_worker, NULL, &sess_gc_lwp, "npfgc")) {
 		sess_tracking_stop();
 		return ENOMEM;
+	}
 	return 0;
+}
 static void
 sess_tracking_stop(void)
 @@ -411,60 +445,60 @@ npf_session_pstate(const npf_cache_t *np
+		}
 		return true;
+	}
 	const int tcpfl = npc->npc_tcp_flags & (TH_SYN|TH_ACK|TH_RST|TH_FIN);
 	switch (tcpfl) {
 	case TH_ACK:
 		/* Common case. */
 		if (__predict_true(se->s_state == SE_ESTABLISHED)) {
 			return true;
+		}
 		/* ACK seen after SYN-ACK: session fully established. */
-		if (se->s_state == SE_OPENING2 && !backwards) {
+		if (se->s_state == SE_ACKNOWLEDGE && !backwards) {
 			se->s_state = SE_ESTABLISHED;
+		}
 		break;
 	case TH_SYN | TH_ACK:
 		/* SYN-ACK seen, wait for ACK. */
 		if (se->s_state == SE_OPENING && backwards) {
-			se->s_state = SE_OPENING2;
+			se->s_state = SE_ACKNOWLEDGE;
+		}
 		break;
 	case TH_RST:
 	case TH_FIN:
 		/* XXX/TODO: Handle TCP reset attacks; later. */
 		se->s_state = SE_CLOSING;
 		break;
+	}
 	return true;
+}
 /*
  * npf_session_inspect: look if there is an established session (connection).
+ *
  * => If found, we will hold a reference for caller.
  */
 npf_session_t *
 npf_session_inspect(npf_cache_t *npc, nbuf_t *nbuf,
-    struct ifnet *ifp, const int di, const int layer)
+    struct ifnet *ifp, const int di)
+{
 	npf_sess_hash_t *sh;
 	struct rb_node *nd;
 	npf_session_t *se;
 	/* Attempt to fetch and cache all relevant IPv4 data. */
-	if (!sess_tracking || !npf_cache_all_ip4(npc, nbuf, layer)) {
+	if (!sess_tracking || !npf_cache_all(npc, nbuf)) {
 		return NULL;
+	}
 	KASSERT(npf_iscached(npc, NPC_IP46 | NPC_ADDRS));
 	KASSERT(npf_iscached(npc, NPC_PORTS) || npf_iscached(npc, NPC_ICMP));
 	/*
 	 * Execute ALG session helpers.
 	 */
 	npf_cache_t algkey, *key;
 	if (npf_alg_sessionid(npc, nbuf, &algkey)) {
 		/* Unique IDs filled by ALG in a separate key cache. */
 		key = &algkey;
 @@ -519,50 +553,51 @@ npf_session_establish(const npf_cache_t
 	bool ok;
 	if (!sess_tracking)	/* XXX */
 		return NULL;
 	/* Allocate and initialise new state. */
 	se = pool_cache_get(sess_cache, PR_NOWAIT);
 	if (__predict_false(se == NULL)) {
 		return NULL;
+	}
 	/* Reference count and direction. */
 	se->s_refcnt = 1;
 	se->s_direction = di;
 	se->s_flags = 0;
 	/* NAT and backwards session. */
 	se->s_nat = nt;
 	se->s_nat_se = NULL;
 	/* Unique IDs: IP addresses. */
 	KASSERT(npf_iscached(npc, NPC_IP46 | NPC_ADDRS));
 	se->s_src_addr = npc->npc_srcip;
 	se->s_dst_addr = npc->npc_dstip;
 	/* Procotol. */
 	se->s_type = npc->npc_proto;
 	switch (npc->npc_proto) {
 	case IPPROTO_TCP:
 	case IPPROTO_UDP:
 		KASSERT(npf_iscached(npc, NPC_PORTS));
 		se->s_type = (npc->npc_proto == IPPROTO_TCP) ?
 		    NPF_SESSION_TCP : NPF_SESSION_UDP;
 		/* Additional IDs: ports. */
 		se->s_src.id = npc->npc_sport;
 		se->s_dst.id = npc->npc_dport;
 		break;
 	case IPPROTO_ICMP:
 		if (npf_iscached(npc, NPC_ICMP_ID)) {
 			/* ICMP query ID. (XXX) */
 			se->s_type = NPF_SESSION_ICMP;
 			se->s_src.id = npc->npc_icmp_id;
 			se->s_dst.id = npc->npc_icmp_id;
 			break;
+		}
 		/* FALLTHROUGH */
 	default:
 		/* Unsupported. */
 		pool_cache_put(sess_cache, se);
 		return NULL;
+	}
 	/* Set last activity time for a new session. */
 	se->s_state = SE_OPENING;
 @@ -585,89 +620,106 @@ npf_session_establish(const npf_cache_t
 		return NULL;
+	}
 	return se;
+}
 /*
  * npf_session_pass: return true if session is "pass" one, otherwise false.
  */
 bool
 npf_session_pass(const npf_session_t *se)
+{
 	KASSERT(se->s_refcnt > 0);
-	return true;	/* FIXME */
+	return (se->s_flags & SE_PASSSING) != 0;
+}
 /*
- * npf_session_release: release a reference, which might allow G/C thread
+ * npf_session_setpass: mark session as a "pass" one, also mark the
- * to destroy this session.
+ * linked session if there is one.
  */
 void
-npf_session_release(npf_session_t *se)
+npf_session_setpass(npf_session_t *se)
+{
 	KASSERT(se->s_refcnt > 0);
-	atomic_dec_uint(&se->s_refcnt);
+	se->s_flags |= SE_PASSSING;		/* XXXSMP */
 	if (se->s_nat_se) {
 		se = se->s_nat_se;
 		se->s_flags |= SE_PASSSING;	/* XXXSMP */
+	}
+}
 /*
- * npf_session_retnat: return associated NAT data, if any.
+ * npf_session_release: release a reference, which might allow G/C thread
  * to destroy this session.
  */
-npf_nat_t *
+void
-npf_session_retnat(const npf_session_t *se)
+npf_session_release(npf_session_t *se)
+{
 	KASSERT(se->s_refcnt > 0);
-	return se->s_nat;
+	atomic_dec_uint(&se->s_refcnt);
+}
 /*
  * npf_session_link: create a link between regular and NAT sessions.
  * Note: NAT session inherits the flags, including "pass" bit.
  */
 void
 npf_session_link(npf_session_t *se, npf_session_t *natse)
+{
-	/* Hold a reference on a session we link. */
+	/* Hold a reference on the session we link.  Inherit the flags. */
 	KASSERT(se->s_refcnt > 0 && natse->s_refcnt > 0);
 	atomic_inc_uint(&natse->s_refcnt);
 	natse->s_flags = se->s_flags;
 	KASSERT(se->s_nat_se == NULL);
 	se->s_nat_se = natse;
+}
 /*
  * npf_session_retnat: return associated NAT data entry and indicate
  * whether it is a "forwards" or "backwards" stream.
  */
 npf_nat_t *
-npf_session_retlinknat(const npf_session_t *se)
+npf_session_retnat(npf_session_t *se, const int di, bool *forw)
+{
 	npf_session_t *natse = se->s_nat_se;
 	KASSERT(se->s_refcnt > 0);
-	KASSERT(natse == NULL || natse->s_refcnt > 0);
+	*forw = (se->s_direction == di);
 	if (se->s_nat_se) {
-	/* If there is a link, we hold a reference on it. */
+		se = se->s_nat_se;
-	return natse ? natse->s_nat : NULL;
+		KASSERT(se->s_refcnt > 0);
+	}
 	return se->s_nat;
+}
 /*
  * npf_session_expired: criterion to check if session is expired.
  */
 static inline bool
 npf_session_expired(const npf_session_t *se, const struct timespec *tsnow)
+{
 	struct timespec tsdiff;
 	int etime = 0;
 	switch (se->s_state) {
 	case SE_ESTABLISHED:
 		etime = sess_expire_table[se->s_type];
 		break;
 	case SE_OPENING:
-	case SE_OPENING2:
+	case SE_ACKNOWLEDGE:
 	case SE_CLOSING:
 		etime = 10;	/* XXX: figure out reasonable time */
 		break;
 	default:
 		KASSERT(false);
+	}
 	timespecsub(tsnow, &se->s_atime, &tsdiff);
 	return (tsdiff.tv_sec > etime);
+}
 /*
  * npf_session_gc: scan all sessions, insert into G/C list all expired ones.
  */
 @@ -811,29 +863,29 @@ npf_sessions_dump(void)
+		}
 		printf("s_bucket %d (count = %d)\n", i, sh->sh_count);
 		RB_TREE_FOREACH(nd, &sh->sh_tree) {
 			struct timespec tsdiff;
 			struct in_addr ip;
 			int etime;
 			se = NPF_RBN2SESENT(nd);
 			timespecsub(&tsnow, &se->s_atime, &tsdiff);
 			etime = (se->s_state == SE_ESTABLISHED) ?
 			    sess_expire_table[se->s_type] : 10;
-			printf("\t%p: type(%d) di = %d, tsdiff = %d, "
+			printf("\t%p: type(%d) di %d, pass %d, tsdiff %d, "
-			    "etime = %d\n", se, se->s_type, se->s_direction,
+			    "etime %d\n", se, se->s_type, se->s_direction,
-			    (int)tsdiff.tv_sec, etime);
+			    se->s_flags, (int)tsdiff.tv_sec, etime);
 			ip.s_addr = se->s_src_addr;
 			printf("\tsrc (%s, %d) ",
 			    inet_ntoa(ip), ntohs(se->s_src.port));
 			ip.s_addr = se->s_dst_addr;
 			printf("dst (%s, %d)\n",
 			    inet_ntoa(ip), ntohs(se->s_dst.port));
 			if (se->s_nat_se != NULL) {
 				printf("\tlinked with %p\n", se->s_nat_se);
+			}
 			if (se->s_nat != NULL) {
 				npf_nat_dump(se->s_nat);
+			}
+		}

/*	$NetBSD: npf_sendpkt.c,v 1.1 2010/09/16 04:53:27 rmind Exp $	*/

/*-
 * Copyright (c) 2010 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * NPF module for packet construction routines.
 */

#ifdef _KERNEL
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: npf_sendpkt.c,v 1.1 2010/09/16 04:53:27 rmind Exp $");

#include <sys/param.h>
#include <sys/kernel.h>

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#endif
#include <sys/mbuf.h>

#include "npf_impl.h"

#define	DEFAULT_IP_TTL		(ip_defttl)

/*
 * npf_fetch_seqack: fetch TCP data length, SEQ and ACK numbers.
 *
 * NOTE: Returns in host byte-order.
 */
static inline bool
npf_fetch_seqack(nbuf_t *nbuf, npf_cache_t *npc,
    tcp_seq *seq, tcp_seq *ack, size_t *tcpdlen)
{
	void *n_ptr = nbuf_dataptr(nbuf);
	u_int offby;
	tcp_seq seqack[2];
	uint16_t iplen;
	uint8_t toff;

	/* Fetch total length of IP. */
	offby = offsetof(struct ip, ip_len);
	if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL)
		return false;
	if (nbuf_fetch_datum(nbuf, n_ptr, sizeof(uint16_t), &iplen))
		return false;

	/* Fetch SEQ and ACK numbers. */
	offby = (npc->npc_hlen - offby) + offsetof(struct tcphdr, th_seq);
	if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL)
		return false;
	if (nbuf_fetch_datum(nbuf, n_ptr, sizeof(seqack), seqack))
		return false;

	/* Fetch TCP data offset (header length) value. */
	offby = sizeof(seqack);
	if ((n_ptr = nbuf_advance(&nbuf, n_ptr, offby)) == NULL)
		return false;
	if (nbuf_fetch_datum(nbuf, n_ptr, sizeof(uint8_t), &toff))
		return false;
	toff >>= 4;

	*seq = ntohl(seqack[0]);
	*ack = ntohl(seqack[1]);
	*tcpdlen = ntohs(iplen) - npc->npc_hlen - (toff << 2);
	return true;
}

/*
 * npf_return_tcp: return a TCP reset (RST) packet.
 */
static int
npf_return_tcp(npf_cache_t *npc, nbuf_t *nbuf)
{
	struct mbuf *m;
	struct ip *ip;
	struct tcphdr *th;
	tcp_seq seq, ack;
	size_t tcpdlen, len;

	/* Fetch relevant data. */
	if (!npf_iscached(npc, NPC_IP46 | NPC_ADDRS | NPC_PORTS) ||
	    !npf_fetch_seqack(nbuf, npc, &seq, &ack, &tcpdlen)) {
		return EBADMSG;
	}
	if (npc->npc_tcp_flags & TH_RST) {
		return 0;
	}

	/* Create and setup a network buffer. */
	len = sizeof(struct ip) + sizeof(struct tcphdr);
	m = m_gethdr(M_DONTWAIT, MT_HEADER);
	if (m == NULL) {
		return ENOMEM;
	}
	m->m_data += max_linkhdr;
	m->m_len = len;
	m->m_pkthdr.len = len;

	ip = mtod(m, struct ip *);
	memset(ip, 0, len);

	/*
	 * First fill of IPv4 header, for TCP checksum.
	 * Note: IP length contains TCP header length.
	 */
	ip->ip_p = IPPROTO_TCP;
	ip->ip_src.s_addr = npc->npc_dstip;
	ip->ip_dst.s_addr = npc->npc_srcip;
	ip->ip_len = htons(sizeof(struct tcphdr));

	/* Construct TCP header and compute the checksum. */
	th = (struct tcphdr *)(ip + 1);
	th->th_sport = npc->npc_dport;
	th->th_dport = npc->npc_sport;
	th->th_seq = htonl(ack);
	if (npc->npc_tcp_flags & TH_SYN) {
		tcpdlen++;
	}
	th->th_ack = htonl(seq + tcpdlen);
	th->th_off = sizeof(struct tcphdr) >> 2;
	th->th_flags = TH_ACK | TH_RST;
	th->th_sum = in_cksum(m, len);

	/* Second fill of IPv4 header, fill correct IP length. */
	ip->ip_v = IPVERSION;
	ip->ip_hl = sizeof(struct ip) >> 2;
	ip->ip_tos = IPTOS_LOWDELAY;
	ip->ip_len = htons(len);
	ip->ip_off = htons(IP_DF);
	ip->ip_ttl = DEFAULT_IP_TTL;

	/* Pass to IP layer. */
	return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
}

/*
 * npf_return_icmp: return an ICMP error.
 */
static int
npf_return_icmp(nbuf_t *nbuf)
{
	struct mbuf *m = nbuf;

	icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_ADMIN_PROHIBIT, 0, 0);
	return 0;
}

/*
 * npf_return_block: return TCP reset or ICMP host unreachable packet.
 */
void
npf_return_block(npf_cache_t *npc, nbuf_t *nbuf, const int retfl)
{
	void *n_ptr = nbuf_dataptr(nbuf);
	const int proto = npc->npc_proto;

	if (!npf_iscached(npc, NPC_IP46) && !npf_ip4_proto(npc, nbuf, n_ptr))
		return;
	if ((proto == IPPROTO_TCP && (retfl & NPF_RULE_RETRST) == 0) ||
	    (proto == IPPROTO_UDP && (retfl & NPF_RULE_RETICMP) == 0)) {
		return;
	}
	switch (proto) {
	case IPPROTO_TCP:
		(void)npf_return_tcp(npc, nbuf);
		break;
	case IPPROTO_UDP:
		(void)npf_return_icmp(nbuf);
		break;
	}
}

--- src/usr.sbin/npf/npfctl/npf.conf.5 2010/08/24 23:55:05	1.1
+++ src/usr.sbin/npf/npfctl/npf.conf.5 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-.\"	$NetBSD: npf.conf.5,v 1.1 2010/08/24 23:55:05 rmind Exp $
+.\"	$NetBSD: npf.conf.5,v 1.2 2010/09/16 04:53:27 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
 .\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 @@ -17,27 +17,27 @@
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 .\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 24, 2010
+.Dd September 16, 2010
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
 .Nm npf.conf
 .Nd NPF packet filter configuration file
 .\" -----
 .Sh DESCRIPTION
 .Nm
 is the default configuration file for NPF packet filter.
 It can contain definitions, grouped rules, and tables.
 .Sh DEFINITIONS
 Definitions are general purpose keywords which can be used in the
 ruleset to make it more flexible and easier to manage.
 @@ -85,47 +85,51 @@ Tables can be managed dynamically or loa
 is useful for large static tables.
 There are two types of storage: "tree" (red-black tree is used) and
 "hash".
 .Sh NAT
 Special rules for Network Address Translation (NAT) can be added.
 Translation is performed on specified interface, assigning a specified
 address of said interface.
 Minimal filtering criteria on local network and destination are provided.
 .\" -----
 .Sh GRAMMAR
 .Bd -literal
 line		= ( def | table | nat | group )
-def		= ( "{ a, b, ... }" | "text" | "$\*[Lt]interface\*[Gt]" )
+def		= ( \*[Lt]name\*[Gt] "=" "{ a, b, ... }" | "text" | "$\*[Lt]interface\*[Gt]" )
 iface		= ( \*[Lt]interface\*[Gt] | def )
 table		= "table" \*[Lt]tid\*[Gt] "type" ( "hash" | "tree" )
 		  ( "dynamic" | "file" \*[Lt]path\*[Gt] )
-nat		= "nat" iface "from" \*[Lt]addr/mask\*[Gt] "to" \*[Lt]addr/mask\*[Gt] "->" \*[Lt]addr\*[Gt]
+nat		= "nat" iface filt-opts "->" \*[Lt]addr\*[Gt]
 binat		= "binat" iface filt-opts "->" \*[Lt]addr\*[Gt]
 rdr		= "rdr" iface filt-opts "->" \*[Lt]addr\*[Gt] port-opts
 group		= "group" "(" ( "default" | group-opts ) "") ruleset
 group-opts	= "interface" iface "," [ "in" | "out" ]
 ruleset		= "{" rule1 \*[Lt]newline\*[Gt], rule2 \*[Lt]newline\*[Gt], ... "}"
-rule		= ( "block" | "pass" ) [ "in" | out" ] rule-opts
+rule		= ( "block" block-opts | "pass" ) [ "in" | out" ] rule-opts
 		  [ "on" iface ] [ "inet" | "inet6" ] [ "proto" \*[Lt]protocol\*[Gt] ]
-		  ( "all" | filt-opts )
+		  ( "all" | filt-opts [ "flags" \*[Lt]tcp_flags> \*[Gt] )
 block-opts	= [ "return-rst" | "return-icmp" | "return" ]
 rule-opts	= [ "log" ] [ "count" ] [ "quick" ]
 filt-opts	= [ "from" ( iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt] ) port-opts ]
 		  [ "to" ( iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt] ) port-opts ]
 port-opts	= [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] ":" \*[Lt]port-to\*[Gt] | def ) ]
 proto-opts	= [ "flags" \*[Lt]tcp_flags\*[Gt] | "icmp-type" \*[Lt]type\*[Gt] "code" \*[Lt]code\*[Gt] ]
 .Ed
 .\" -----
 .Sh FILES
 .Bl -tag -width /dev/npf.conf -compact
 .It Pa /dev/npf
 control device
 .It Pa /etc/npf.conf
 default configuration file
 .El
 .\" -----
 .Sh EXAMPLES
 .Bd -literal
 ext_if = "wm0"

--- src/usr.sbin/npf/npfctl/Attic/npf_ncgen.c 2010/08/22 18:56:23	1.1
+++ src/usr.sbin/npf/npfctl/Attic/npf_ncgen.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_ncgen.c,v 1.1 2010/08/22 18:56:23 rmind Exp $	*/
+/*	$NetBSD: npf_ncgen.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -38,53 +38,56 @@
 #include <sys/types.h>
 #include "npfctl.h"
 /*
  * npfctl_calc_ncsize: calculate size required for the n-code.
  */
 size_t
 npfctl_calc_ncsize(int nblocks[])
+{
 	/*
 	 * Blocks:
 	 * - 13 words by npfctl_gennc_ether(), single initial block.
 	 * - 5 words each by npfctl_gennc_ports/tbl(), stored in nblocks[0].
 	 * - 6 words each by npfctl_gennc_v4cidr(), stored in nblocks[1].
 	 * - 4 words by npfctl_gennc_{icmp,tcpfl}(), stored in nblocks[2].
 	 * - 4 words by npfctl_gennc_complete(), single last fragment.
 	 */
 	return nblocks[0] * 5 * sizeof(uint32_t) +
 	    nblocks[1] * 6 * sizeof(uint32_t) +
-* sizeof(uint32_t) +
+	    nblocks[2] * 4 * sizeof(uint32_t) +
 * sizeof(uint32_t);
+}
 /*
  * npfctl_failure_offset: calculate offset value to the failure block.
  */
 size_t
 npfctl_failure_offset(int nblocks[])
+{
-	size_t tblport_blocks, v4cidr_blocks;
+	size_t tblport_blocks, v4cidr_blocks, icmp_tcpfl;
 	/*
 	 * Take into account all blocks (plus 2 words for comparison each),
 	 * and additional 4 words to skip the last comparison and success path.
 	 */
 	tblport_blocks = (3 + 2) * nblocks[0];
 	v4cidr_blocks = (4 + 2) * nblocks[1];
-	return tblport_blocks + v4cidr_blocks + 4;
+	icmp_tcpfl = (2 + 2) * nblocks[2];
 	return tblport_blocks + v4cidr_blocks + icmp_tcpfl + 4;
+}
 #if 0
 /*
  * npfctl_gennc_ether: initial n-code fragment to check Ethernet frame.
  */
 void
 npfctl_gennc_ether(void **ncptr, int foff, uint16_t ethertype)
+{
 	uint32_t *nc = *ncptr;
 	/* NPF handler will set REG_0 to either NPF_LAYER_2 or NPF_LAYER_3. */
 	*nc++ = NPF_OPCODE_CMP;
 	*nc++ = NPF_LAYER_3;
 	*nc++ = 0;
 @@ -99,26 +102,28 @@ npfctl_gennc_ether(void **ncptr, int fof
 	*nc++ = ethertype;
 	/* Fail (+ 2 words of ADVR) or advance to layer 3 (IPv4) header. */
 	*nc++ = NPF_OPCODE_BNE;
 	*nc++ = foff + 2;
 	/* Offset to the header is returned by NPF_OPCODE_ETHER in REG_3. */
 	*nc++ = NPF_OPCODE_ADVR;
 	*nc++ = 3;
 	/* + 13 words. */
 	*ncptr = (void *)nc;
+}
 #endif
 /*
  * npfctl_gennc_v4cidr: fragment to match IPv4 CIDR.
  */
 void
 npfctl_gennc_v4cidr(void **ncptr, int foff,
     in_addr_t netaddr, in_addr_t subnet, bool sd)
+{
 	uint32_t *nc = *ncptr;
 	/* OP, direction, netaddr/subnet (4 words) */
 	*nc++ = NPF_OPCODE_IP4MASK;
 	*nc++ = (sd ? 0x01 : 0x00);
 	*nc++ = netaddr;
 @@ -145,69 +150,89 @@ npfctl_gennc_ports(void **ncptr, int fof
 	*nc++ = (tcpudp ? NPF_OPCODE_TCP_PORTS : NPF_OPCODE_UDP_PORTS);
 	*nc++ = (sd ? 0x01 : 0x00);
 	*nc++ = ((uint32_t)pfrom << 16) | pto;
 	/* If not equal, jump to failure block, continue otherwise (2 words). */
 	*nc++ = NPF_OPCODE_BNE;
 	*nc++ = foff;
 	/* + 5 words. */
 	*ncptr = (void *)nc;
+}
 /*
- * npfctl_gennc_icmp: fragment to match ICMP code and type.
+ * npfctl_gennc_icmp: fragment to match ICMP type and code.
  */
 void
-npfctl_gennc_icmp(void **ncptr, int foff, int code, int type)
+npfctl_gennc_icmp(void **ncptr, int foff, int type, int code)
+{
 	uint32_t *nc = *ncptr;
-	/* OP, code, type (3 words) */
+	/* OP, code, type (2 words) */
 	*nc++ = NPF_OPCODE_ICMP4;
-	*nc++ = code;
+	*nc++ = (type == -1 ? 0 : (1 << 31) & (type & 0xff << 8)) |
-	*nc++ = type;
+		(code == -1 ? 0 : (1 << 31) & (code & 0xff));
 	/* If not equal, jump to failure block, continue otherwise (2 words). */
 	*nc++ = NPF_OPCODE_BNE;
 	*nc++ = foff;
-	/* + 5 words. */
+	/* + 4 words. */
 	*ncptr = (void *)nc;
+}
 /*
  * npfctl_gennc_tbl: fragment to match IPv4 source/destination address of
  * the packet against table specified by ID.
  */
 void
 npfctl_gennc_tbl(void **ncptr, int foff, u_int tid, bool sd)
+{
 	uint32_t *nc = *ncptr;
 	/* OP, direction, table ID (3 words). */
 	*nc++ = NPF_OPCODE_IP4TABLE;
 	*nc++ = (sd ? 0x01 : 0x00);
 	*nc++ = tid;
 	/* If not equal, jump to failure block, continue otherwise (2 words). */
 	*nc++ = NPF_OPCODE_BNE;
 	*nc++ = foff;
 	/* + 5 words. */
 	*ncptr = (void *)nc;
+}
 /*
  * npfctl_gennc_tcpfl: fragment to match TCP flags/mask.
  */
 void
 npfctl_gennc_tcpfl(void **ncptr, int foff, uint8_t tf, uint8_t tf_mask)
+{
 	uint32_t *nc = *ncptr;
 	/* OP, code, type (2 words) */
 	*nc++ = NPF_OPCODE_TCP_FLAGS;
 	*nc++ = (tf << 8) | tf_mask;
 	/* If not equal, jump to failure block, continue otherwise (2 words). */
 	*nc++ = NPF_OPCODE_BNE;
 	*nc++ = foff;
 	/* + 4 words. */
 	*ncptr = (void *)nc;
+}
 /*
  * npfctl_gennc_complete: append success and failure fragments.
  */
 void
 npfctl_gennc_complete(void **ncptr)
+{
 	uint32_t *nc = *ncptr;
 	/* Success path (return 0x0). */
 	*nc++ = NPF_OPCODE_RET;
 	*nc++ = 0x0;
 	/* Failure path (return 0xff). */
 	*nc++ = NPF_OPCODE_RET;

--- src/usr.sbin/npf/npfctl/Attic/npf_parser.c 2010/08/22 18:56:23	1.1
+++ src/usr.sbin/npf/npfctl/Attic/npf_parser.c 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_parser.c,v 1.1 2010/08/22 18:56:23 rmind Exp $	*/
+/*	$NetBSD: npf_parser.c,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -144,44 +144,58 @@ npfctl_parsevalue(char *buf)
  * npfctl_parserule: main routine to parse a rule.  Syntax:
+ *
  *	{ pass | block | count } [ in | out ] [ log ] [ quick ]
  *	    [on <if>] [inet | inet6 ] proto <array>
  *	    from <addr/mask> port <port(s)|range>
  *	    too <addr/mask> port <port(s)|range>
  *	    [ keep state ]
  */
 static inline int
 npfctl_parserule(char *buf, prop_dictionary_t rl)
+{
 	var_t *from_cidr = NULL, *fports = NULL;
 	var_t *to_cidr = NULL, *tports = NULL;
-	char *proto = NULL;
+	char *proto = NULL, *tcp_flags = NULL;
 	char *p, *sptr, *iface;
 	bool icmp = false, tcp = false;
 	int icmp_type = -1, icmp_code = -1;
 	int ret, attr = 0;
 	DPRINTF(("rule\t|%s|\n", buf));
 	p = buf;
 	PARSE_FIRST_TOKEN();
 	/* pass or block (mandatory) */
 	if (strcmp(p, "block") == 0) {
 		attr = 0;
 		PARSE_NEXT_TOKEN();
 		/* return-rst or return-icmp */
 		if (strcmp(p, "return-rst") == 0) {
 			attr |= NPF_RULE_RETRST;
 			PARSE_NEXT_TOKEN();
 		} else if (strcmp(p, "return-icmp") == 0) {
 			attr |= NPF_RULE_RETICMP;
 			PARSE_NEXT_TOKEN();
 		} else if (strcmp(p, "return") == 0) {
 			attr |= NPF_RULE_RETRST | NPF_RULE_RETICMP;
 			PARSE_NEXT_TOKEN();
+		}
 	} else if (strcmp(p, "pass") == 0) {
 		attr = NPF_RULE_PASS;
 		PARSE_NEXT_TOKEN();
 	} else {
 		return PARSE_ERR();
+	}
 	PARSE_NEXT_TOKEN();
 	/* in or out */
 	if (strcmp(p, "in") == 0) {
 		attr |= NPF_RULE_IN;
 		PARSE_NEXT_TOKEN();
 	} else if (strcmp(p, "out") == 0) {
 		attr |= NPF_RULE_OUT;
 		PARSE_NEXT_TOKEN();
 	} else {
 		attr |= (NPF_RULE_IN | NPF_RULE_OUT);
+	}
 	/* log (XXX: NOP) */
 @@ -223,28 +237,34 @@ npfctl_parserule(char *buf, prop_diction
 	/* inet, inet6 (TODO) */
 	if (strcmp(p, "inet") == 0) {
 		PARSE_NEXT_TOKEN();
 	} else if (strcmp(p, "inet6") == 0) {
 		PARSE_NEXT_TOKEN();
+	}
 	/* proto <proto> */
 	if (strcmp(p, "proto") == 0) {
 		PARSE_NEXT_TOKEN();
 		var_t *pvar = npfctl_parsevalue(p);
 		PARSE_NEXT_TOKEN();
 		if (pvar->v_type != VAR_SINGLE) {
 			errx(EXIT_FAILURE, "only one protocol can be specified");
+		}
 		element_t *el = pvar->v_elements;
 		proto = el->e_data;
 		/* Determine TCP, ICMP. */
 		tcp = (strcmp(proto, "tcp") == 0);
 		icmp = (strcmp(proto, "icmp") == 0);
+	}
 	/*
 	 * Can be: "all", "from", "to" or "from + to".
 	 */
 	if (strcmp(p, "all") == 0) {
 		/* Should be no "from"/"to" after it. */
 		PARSE_NEXT_TOKEN_NOCHECK();
 		goto last;
+	}
 	ret = PARSE_ERR();
 @@ -270,40 +290,73 @@ npfctl_parserule(char *buf, prop_diction
 		PARSE_NEXT_TOKEN_NOCHECK();
 		if (p && strcmp(p, "port") == 0) {
 			PARSE_NEXT_TOKEN();
 			tports = npfctl_parsevalue(p);
 			PARSE_NEXT_TOKEN_NOCHECK();
+		}
 		ret = 0;
+	}
 	if (ret) {
 		return ret;
+	}
 	/* flags <fl/mask> */
 	if (p && strcmp(p, "flags") == 0) {
 		if (icmp) {
 			errx(EXIT_FAILURE,
 			    "TCP flags used with ICMP protocol");
+		}
 		PARSE_NEXT_TOKEN();
 		var_t *tfvar = npfctl_parsevalue(p);
 		PARSE_NEXT_TOKEN_NOCHECK();
 		if (tfvar->v_type != VAR_SINGLE) {
 			errx(EXIT_FAILURE, "invalid TCP flags");
+		}
 		element_t *el = tfvar->v_elements;
 		tcp_flags = el->e_data;
+	}
 	/* icmp-type <t> code <c> */
 	if (p && strcmp(p, "icmp-type") == 0) {
 		if (tcp) {
 			errx(EXIT_FAILURE,
 			    "ICMP options used with TCP protocol");
+		}
 		PARSE_NEXT_TOKEN();
 		icmp_type = atoi(p);
 		PARSE_NEXT_TOKEN_NOCHECK();
 		if (p && strcmp(p, "code") == 0) {
 			PARSE_NEXT_TOKEN();
 			icmp_code = atoi(p);
 			PARSE_NEXT_TOKEN_NOCHECK();
+		}
+	}
 last:
 	/* keep state */
 	if (p && strcmp(p, "keep") == 0) {
 		attr |= NPF_RULE_KEEPSTATE;
 		PARSE_NEXT_TOKEN();
+	}
 	/* Set the rule attributes and interface, if any. */
 	npfctl_rule_setattr(rl, attr, iface);
 	/*
 	 * Generate all protocol data.
 	 */
-	npfctl_rule_protodata(rl, proto, from_cidr, fports, to_cidr, tports);
+	npfctl_rule_protodata(rl, proto, tcp_flags, icmp_type, icmp_code,
 	    from_cidr, fports, to_cidr, tports);
 	return 0;
+}
 /*
  * npfctl_parsegroup: parse group definition.  Syntax:
+ *
  *	group (name <name>, interface <if>, [ in | out ]) { <rules> }
  *	group (default) { <rules> }
  */
 #define	GROUP_ATTRS	(NPF_RULE_PASS | NPF_RULE_FINAL)
 static inline int
 @@ -440,79 +493,136 @@ npfctl_parsetable(char *buf, prop_dictio
 	PARSE_NEXT_TOKEN();
 	fname = ++p;
 	p = strchr(p, '"');
 	*p = '\0';
 	/* Construct the table. */
 	npfctl_construct_table(tl, fname);
 	return 0;
+}
 /*
  * npfctl_parse_nat: parse NAT policy definition.
+ *
- *	nat on <if> from <localnet> to <filter> -> <ip>
+ *	[bi]nat <if> from <net> to <net/addr> -> <ip>
  *	rdr <if> from <net> to <addr> -> <ip>
  */
 static inline int
 npfctl_parse_nat(char *buf, prop_dictionary_t nat)
+{
 	var_t *ifvar, *from_cidr, *to_cidr, *ip;
 	var_t *tports = NULL, *rports = NULL;
 	element_t *iface, *cidr;
 	char *p, *sptr;
 	bool binat, rdr;
 	DPRINTF(("[bi]nat/rdr\t|%s|\n", buf));
 	binat = (strncmp(buf, "binat", 5) == 0);
 	rdr = (strncmp(buf, "rdr", 3) == 0);
 	DPRINTF(("nat\t|%s|\n", buf));
 	if ((p = strchr(buf, ' ')) == NULL) {
 		return PARSE_ERR();
+	}
 	PARSE_FIRST_TOKEN();
-	/* on <interface> */
+	/* <interface> */
 	if ((ifvar = npfctl_parsevalue(p)) == NULL) {
 		return PARSE_ERR();
+	}
 	if (ifvar->v_type != VAR_SINGLE) {
 		errx(EXIT_FAILURE, "invalid interface value '%s'", p);
 	} else {
 		iface = ifvar->v_elements;
+	}
 	PARSE_NEXT_TOKEN();
 	/* from <addr> */
 	if (strcmp(p, "from") != 0) {
 		return PARSE_ERR();
+	}
 	PARSE_NEXT_TOKEN();
 	from_cidr = npfctl_parsevalue(p);
 	PARSE_NEXT_TOKEN();
 	/* to <addr> */
 	if (strcmp(p, "to") != 0) {
 		return PARSE_ERR();
+	}
 	PARSE_NEXT_TOKEN();
 	to_cidr = npfctl_parsevalue(p);
 	PARSE_NEXT_TOKEN();
 	if (rdr && strcmp(p, "port") == 0) {
 		PARSE_NEXT_TOKEN();
 		tports = npfctl_parsevalue(p);
 		PARSE_NEXT_TOKEN();
+	}
 	/* -> <ip> */
 	if (strcmp(p, "->") != 0) {
 		return PARSE_ERR();
+	}
 	PARSE_NEXT_TOKEN();
 	ip = npfctl_parsevalue(p);
 	cidr = ip->v_elements;
-	/* Setup NAT policy (rule as filter and extra info). */
+	if (rdr) {
-	npfctl_rule_protodata(nat, NULL, from_cidr, NULL, to_cidr, NULL);
+		PARSE_NEXT_TOKEN();
-	npfctl_nat_setup(nat, iface->e_data, cidr->e_data);
+		if (strcmp(p, "port") != 0) {
 			return PARSE_ERR();
+		}
 		PARSE_NEXT_TOKEN();
 		rports = npfctl_parsevalue(p);
+	}
 	/*
 	 * Setup NAT policy (rule as filter and extra info), which is
 	 * Outbound NAT (NPF_NATOUT).  Unless it is a redirect rule,
 	 * in which case it is Inbound NAT with specified port.
+	 *
 	 * XXX mess
 	 */
 	if (!rdr) {
 		npfctl_rule_protodata(nat, NULL, NULL, -1, -1, from_cidr,
 		    NULL, to_cidr, NULL);
 		npfctl_nat_setup(nat, NPF_NATOUT,
 		    binat ? 0 : (NPF_NAT_PORTS | NPF_NAT_PORTMAP),
 		    iface->e_data, cidr->e_data, NULL);
 	} else {
 		element_t *rp = rports->v_elements;
 		npfctl_rule_protodata(nat, NULL, NULL, -1, -1, from_cidr,
 		    NULL, to_cidr, tports);
 		npfctl_nat_setup(nat, NPF_NATIN, NPF_NAT_PORTS,
 		    iface->e_data, cidr->e_data, rp->e_data);
+	}
 	/*
 	 * For bi-directional NAT case, create and setup additional
 	 * Inbound NAT (NPF_NATIN) policy.  Note that translation address
 	 * is local IP, and filter criteria is inverted accordingly.
+	 *
 	 * XXX mess
 	 */
 	if (binat) {
 		prop_dictionary_t bn = npfctl_mk_nat();
 		element_t *taddr = from_cidr->v_elements;
 		npfctl_rule_protodata(bn, NULL, NULL, -1, -1,
 		    to_cidr, NULL, ip, NULL);
 		npfctl_nat_setup(bn, NPF_NATIN, 0, iface->e_data,
 		    taddr->e_data, NULL);
 		npfctl_add_nat(bn);
+	}
 	return 0;
+}
 /*
  * npfctl_parsevar: parse defined variable.
+ *
  * => Assigned value should be with double quotes (").
  * => Value can be an array, use npf_parsevalue().
  * => Insert variable into the global list.
  */
 static inline int
 npfctl_parsevar(char *buf)
+{
 @@ -593,27 +703,28 @@ npf_parseline(char *buf)
 			return ret;
 		npfctl_add_rule(curgr, NULL);
 	} else if (strncmp(p, "table", 5) == 0) {
 		prop_dictionary_t tl;
 		/* Table. */
 		tl = npfctl_mk_table();
 		ret = npfctl_parsetable(p, tl);
 		if (ret)
 			return ret;
 		npfctl_add_table(tl);
-	} else if (strncmp(p, "nat", 3) == 0) {
+	} else if (strncmp(p, "nat", 3) == 0 || strncmp(p, "rdr", 3) == 0 ||
 	    strncmp(p, "binat", 5) == 0) {
 		prop_dictionary_t nat;
 		/* NAT policy. */
 		nat = npfctl_mk_nat();
 		ret = npfctl_parse_nat(p, nat);
 		if (ret)
 			return ret;
 		npfctl_add_nat(nat);
 	} else {
 		/* Defined variable or syntax error. */
 		ret = npfctl_parsevar(p);
+	}

--- src/usr.sbin/npf/npfctl/npfctl.h 2010/08/22 18:56:24	1.1
+++ src/usr.sbin/npf/npfctl/npfctl.h 2010/09/16 04:53:27	1.2

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npfctl.h,v 1.1 2010/08/22 18:56:24 rmind Exp $	*/
+/*	$NetBSD: npfctl.h,v 1.2 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -68,42 +68,44 @@ typedef struct {
 } var_t;
 void *		zalloc(size_t);
 char *		xstrdup(const char *);
 void		npfctl_init_data(void);
 int		npfctl_ioctl_send(int);
 bool		npfctl_parse_v4mask(char *, in_addr_t *, in_addr_t *);
 prop_dictionary_t npfctl_mk_rule(bool);
 void		npfctl_add_rule(prop_dictionary_t, prop_dictionary_t);
 void		npfctl_rule_setattr(prop_dictionary_t, int, char *);
-void		npfctl_rule_protodata(prop_dictionary_t, char *, var_t *,
+void		npfctl_rule_protodata(prop_dictionary_t, char *, char *,
-		    var_t *, var_t *, var_t *);
+		    int, int, var_t *, var_t *, var_t *, var_t *);
 void		npfctl_rule_icmpdata(prop_dictionary_t, var_t *, var_t *);
 prop_dictionary_t npfctl_lookup_table(char *);
 prop_dictionary_t npfctl_mk_table(void);
 void		npfctl_table_setup(prop_dictionary_t, char *, char *);
 void		npfctl_construct_table(prop_dictionary_t, char *);
 void		npfctl_add_table(prop_dictionary_t);
 prop_dictionary_t npfctl_mk_nat(void);
 void		npfctl_add_nat(prop_dictionary_t);
-void		npfctl_nat_setup(prop_dictionary_t, char *, char *);
+void		npfctl_nat_setup(prop_dictionary_t, int, int,
 		    char *, char *, char *);
 size_t		npfctl_calc_ncsize(int []);
 size_t		npfctl_failure_offset(int []);
 void		npfctl_gennc_ether(void **, int, uint16_t);
 void		npfctl_gennc_v4cidr(void **, int,
 		    in_addr_t, in_addr_t, bool);
 void		npfctl_gennc_icmp(void **, int, int, int);
 void		npfctl_gennc_tcpfl(void **, int , uint8_t, uint8_t);
 void		npfctl_gennc_ports(void **, int,
 		    in_port_t, in_port_t, bool, bool);
 void		npfctl_gennc_tbl(void **, int, u_int , bool);
 void		npfctl_gennc_complete(void **);
 int		npf_parseline(char *);
 #endif

--- src/usr.sbin/npf/npfctl/npf_data.c 2010/08/23 06:01:04	1.2
+++ src/usr.sbin/npf/npfctl/npf_data.c 2010/09/16 04:53:27	1.3

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_data.c,v 1.2 2010/08/23 06:01:04 jnemeth Exp $	*/
+/*	$NetBSD: npf_data.c,v 1.3 2010/09/16 04:53:27 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -26,26 +26,27 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF proplib(9) dictionary producer.
+ *
  * XXX: Needs some clean-up.
  */
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <net/if.h>
 #include <netinet/tcp.h>
 #include <arpa/inet.h>
 #include <prop/proplib.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <ctype.h>
 #include <err.h>
 #include <ifaddrs.h>
 #include <netdb.h>
 #include <assert.h>
 @@ -64,132 +65,190 @@ void
 npfctl_init_data(void)
+{
 	prop_number_t ver;
 	if (getifaddrs(&ifs_list) == -1)
 		err(EXIT_FAILURE, "getifaddrs");
 	npf_dict = prop_dictionary_create();
 	ver = prop_number_create_integer(NPF_VERSION);
 	prop_dictionary_set(npf_dict, "version", ver);
 	nat_arr = prop_array_create();
-	prop_dictionary_set(npf_dict, "nat", nat_arr);
+	prop_dictionary_set(npf_dict, "translation", nat_arr);
 	settings_dict = prop_dictionary_create();
 	prop_dictionary_set(npf_dict, "settings", settings_dict);
 	tables_arr = prop_array_create();
 	prop_dictionary_set(npf_dict, "tables", tables_arr);
 	rules_arr = prop_array_create();
 	prop_dictionary_set(npf_dict, "rules", rules_arr);
+}
 int
 npfctl_ioctl_send(int fd)
+{
 	int ret = 0, errval;
 #ifdef DEBUG
-	prop_dictionary_externalize_to_file(npf_dict, "/tmp/npf.plist");
+	prop_dictionary_externalize_to_file(npf_dict, "./npf.plist");
 #else
 	errval = prop_dictionary_send_ioctl(npf_dict, fd, IOC_NPF_RELOAD);
 	if (errval) {
 		errx(EXIT_FAILURE, "npf_ioctl_send: %s\n", strerror(errval));
 		ret = -1;
+	}
 #endif
 	prop_object_release(npf_dict);
 	return ret;
+}
 /*
  * Helper routines:
+ *
  *	npfctl_getif() - get interface addresses and index number from name.
  *	npfctl_servname2port() - get service ports from name.
  *	npfctl_parse_v4mask() - parse address/mask integers from CIDR block.
  *	npfctl_parse_port() - parse port number (which may be a service name).
  *	npfctl_parse_tcpfl() - parse TCP flags.
  */
 static struct ifaddrs *
 npfctl_getif(char *ifname, unsigned int *if_idx)
+{
 	struct ifaddrs *ifent;
 	struct sockaddr_in *sin;
 	for (ifent = ifs_list; ifent != NULL; ifent = ifent->ifa_next) {
 		sin = (struct sockaddr_in *)ifent->ifa_addr;
 		if (sin->sin_family != AF_INET)
 			continue;
 		if (strcmp(ifent->ifa_name, ifname) == 0)
 			break;
+	}
 	if (ifent) {
 		*if_idx = if_nametoindex(ifname);
+	}
 	return ifent;
+}
 static int
 npfctl_servname2port(char *name)
 	struct servent *se;
 	se = getservbyname(name, NULL);
 	return se ? se->s_port : -1;
 bool
-npfctl_parse_v4mask(char *str, in_addr_t *addr, in_addr_t *mask)
+npfctl_parse_v4mask(char *ostr, in_addr_t *addr, in_addr_t *mask)
+{
 	char *str = xstrdup(ostr);
 	char *p = strchr(str, '/');
 	u_int bits;
 	bool ret;
 	/* In network byte order. */
 	if (p) {
 		*p++ = '\0';
 		bits = (u_int)atoi(p);
 		*mask = bits ? htonl(0xffffffff << (32 - bits)) : 0;
 	} else {
 		*mask = 0xffffffff;
+	}
-	return inet_aton(str, (struct in_addr *)addr) != 0;
+	ret = inet_aton(str, (struct in_addr *)addr) != 0;
 	free(str);
 	return ret;
+}
 static bool
 npfctl_parse_port(char *ostr, bool *range, in_port_t *fport, in_port_t *tport)
+{
 	char *str = xstrdup(ostr), *sep;
 	*range = false;
 	if ((sep = strchr(str, ':')) != NULL) {
 		/* Port range (only numeric). */
 		*range = true;
 		*sep = '\0';
 	} else if (isalpha((unsigned char)*str)) {
 		struct servent *se;
 		se = getservbyname(str, NULL);
 		if (se == NULL) {
 			free(str);
 			return false;
+		}
 		*fport = se->s_port;
 	} else {
 		*fport = htons(atoi(str));
+	}
 	*tport = sep ? htons(atoi(sep + 1)) : *fport;
 	free(str);
 	return true;
+}
 static void
 npfctl_parse_cidr(char *str, in_addr_t *addr, in_addr_t *mask)
+{
 	if (isalpha((unsigned char)*str)) {
 		struct ifaddrs *ifa;
 		struct sockaddr_in *sin;
 		u_int idx;
 		if ((ifa = npfctl_getif(str, &idx)) == NULL) {
 			errx(EXIT_FAILURE, "invalid interface '%s'", str);
+		}
 		/* Interface address. */
 		sin = (struct sockaddr_in *)ifa->ifa_addr;
 		*addr = sin->sin_addr.s_addr;
 		*mask = 0xffffffff;
 	} else if (!npfctl_parse_v4mask(str, addr, mask)) {
 		errx(EXIT_FAILURE, "invalid CIDR '%s'\n", str);
+	}
+}
 static bool
 npfctl_parse_tcpfl(char *s, uint8_t *tfl, uint8_t *tfl_mask)
+{
 	uint8_t tcpfl = 0;
 	bool mask = false;
 	while (*s) {
 		switch (*s) {
 		case 'F': tcpfl |= TH_FIN; break;
 		case 'S': tcpfl |= TH_SYN; break;
 		case 'R': tcpfl |= TH_RST; break;
 		case 'P': tcpfl |= TH_PUSH; break;
 		case 'A': tcpfl |= TH_ACK; break;
 		case 'U': tcpfl |= TH_URG; break;
 		case 'E': tcpfl |= TH_ECE; break;
 		case 'W': tcpfl |= TH_CWR; break;
 		case '/':
 			*s = '\0';
 			*tfl = tcpfl;
 			tcpfl = 0;
 			mask = true;
 			break;
 		default:
 			return false;
+		}
 		s++;
+	}
 	if (!mask) {
 		*tfl = tcpfl;
+	}
 	*tfl_mask = tcpfl;
 	return true;
+}
 /*
  * NPF table creation and construction routines.
  */
 prop_dictionary_t
 npfctl_lookup_table(char *tidstr)
+{
 	prop_dictionary_t tl;
 	prop_object_iterator_t it;
 	prop_object_t obj;
 	u_int tid;
 	if ((it = prop_array_iterator(tables_arr)) == NULL)
 @@ -380,155 +439,175 @@ npfctl_rulenc_v4cidr(void **nc, int nblo
+	}
+}
 static void
 npfctl_rulenc_ports(void **nc, int nblocks[], var_t *dat, bool tcpudp, bool sd)
+{
 	element_t *el = dat->v_elements;
 	int foff;
 	assert(dat->v_type != VAR_TABLE);
 	/* Generate TCP/UDP port matching blocks. */
 	for (el = dat->v_elements; el != NULL; el = el->e_next) {
-		int pfrom, pto;
+		in_port_t fport, tport;
-		char *sep;
+		bool range;
-		if ((sep = strchr(el->e_data, ':')) != NULL) {
+		if (!npfctl_parse_port(el->e_data, &range, &fport, &tport)) {
-			/* Port range (only numeric). */
+			errx(EXIT_FAILURE, "invalid service '%s'", el->e_data);
 			*sep = '\0';
+		}
 		if (isalpha((unsigned char)*el->e_data)) {
 			pfrom = npfctl_servname2port(el->e_data);
 			if (pfrom == -1) {
 				errx(EXIT_FAILURE, "invalid service '%s'",
 				    el->e_data);
 		} else {
 			pfrom = htons(atoi(el->e_data));
 		pto = sep ? htons(atoi(sep + 1)) : pfrom;
 		nblocks[0]--;
 		foff = npfctl_failure_offset(nblocks);
-		npfctl_gennc_ports(nc, foff, pfrom, pto, tcpudp, sd);
+		npfctl_gennc_ports(nc, foff, fport, tport, tcpudp, sd);
+	}
+}
 static void
 npfctl_rulenc_block(void **nc, int nblocks[], var_t *cidr, var_t *ports,
     bool both, bool tcpudp, bool sd)
+{
 	npfctl_rulenc_v4cidr(nc, nblocks, cidr, sd);
 	if (ports == NULL) {
 		return;
+	}
 	npfctl_rulenc_ports(nc, nblocks, ports, tcpudp, sd);
 	if (!both) {
 		return;
+	}
 	npfctl_rulenc_ports(nc, nblocks, ports, !tcpudp, sd);
+}
 void
-npfctl_rule_protodata(prop_dictionary_t rl, char *proto, var_t *from,
+npfctl_rule_protodata(prop_dictionary_t rl, char *proto, char *tcp_flags,
-    var_t *fports, var_t *to, var_t *tports)
+    int icmp_type, int icmp_code,
     var_t *from, var_t *fports, var_t *to, var_t *tports)
+{
 	prop_data_t ncdata;
 	bool icmp, tcpudp, both;
-	int nblocks[2] = { 0, 0 };
+	int foff, nblocks[3] = { 0, 0, 0 };
 	void *ncptr, *nc;
 	size_t sz;
 	/*
 	 * Default: both TCP and UDP.
 	 */
 	icmp = false;
 	tcpudp = true;
 	both = false;
 	if (proto == NULL) {
 		goto skip_proto;
+	}
 	if (strcmp(proto, "icmp") == 0) {
 		/* ICMP case. */
 		fports = NULL;
 		tports = NULL;
 		icmp = true;
 		nblocks[0] += 1;
 	} else if (strcmp(proto, "tcp") == 0) {
 		/* Just TCP. */
 		tcpudp = true;
 	} else if (strcmp(proto, "udp") == 0) {
 		/* Just UDP. */
 		tcpudp = false;
 	} else {
 		/* Default. */
+	}
 skip_proto:
 	if (icmp_type != -1) {
 		assert(tcp_flags == NULL);
 		icmp = true;
 		nblocks[2] += 1;
+	}
 	if (tcpudp && tcp_flags) {
 		assert(icmp_type == -1 && icmp_code == -1);
 		nblocks[2] += 1;
+	}
 	/* Calculate how blocks to determince n-code. */
 	if (from && from->v_count) {
 		if (from->v_type == VAR_TABLE)
 			nblocks[0] += 1;
 		else
 			nblocks[1] += from->v_count;
 		if (fports && fports->v_count)
 			nblocks[0] += fports->v_count * (both ? 2 : 1);
+	}
 	if (to && to->v_count) {
 		if (to->v_type == VAR_TABLE)
 			nblocks[0] += 1;
 		else
 			nblocks[1] += to->v_count;
 		if (tports && tports->v_count)
 			nblocks[0] += tports->v_count * (both ? 2 : 1);
+	}
 	/* Any n-code to generate? */
 	if ((nblocks[0] + nblocks[1] + nblocks[2]) == 0) {
 		/* Done, if none. */
 		return;
+	}
 	/* Allocate memory for the n-code. */
 	sz = npfctl_calc_ncsize(nblocks);
 	ncptr = malloc(sz);
 	if (ncptr == NULL) {
 		perror("malloc");
 		exit(EXIT_FAILURE);
+	}
 	nc = ncptr;
-	/* Ethernet fragment (ETHERTYPE_IP), XXX. */
+	/*
-	npfctl_gennc_ether(&nc, npfctl_failure_offset(nblocks), htons(0x0800));
+	 * Generate v4 CIDR matching blocks and TCP/UDP port matching.
 	 */
 	/* Generate v4 CIDR matching blocks and TCP/UDP port matching. */
 	if (from) {
 		npfctl_rulenc_block(&nc, nblocks, from, fports,
 		    both, tcpudp, true);
+	}
 	if (to) {
 		npfctl_rulenc_block(&nc, nblocks, to, tports,
 		    both, tcpudp, false);
+	}
 	/* ICMP case. */
 	if (icmp) {
-		const int foff = npfctl_failure_offset(nblocks);
+		/*
-		npfctl_gennc_icmp(&nc, foff, -1, -1);
+		 * ICMP case.
 		 */
 		nblocks[2]--;
 		foff = npfctl_failure_offset(nblocks);
 		npfctl_gennc_icmp(&nc, foff, icmp_type, icmp_code);
 	} else if (tcpudp && tcp_flags) {
 		/*
 		 * TCP case, flags.
 		 */
 		uint8_t tfl = 0, tfl_mask;
 		nblocks[2]--;
 		foff = npfctl_failure_offset(nblocks);
 		if (!npfctl_parse_tcpfl(tcp_flags, &tfl, &tfl_mask)) {
 			errx(EXIT_FAILURE, "invalid TCP flags '%s'", tcp_flags);
+		}
 		npfctl_gennc_tcpfl(&nc, foff, tfl, tfl_mask);
+	}
 	npfctl_gennc_complete(&nc);
-	if ((uintptr_t)nc - (uintptr_t)ncptr != sz)
+	if ((uintptr_t)nc - (uintptr_t)ncptr != sz) {
 		errx(EXIT_FAILURE, "n-code size got wrong (%tu != %zu)",
 		    (uintptr_t)nc - (uintptr_t)ncptr, sz);
+	}
 #ifdef DEBUG
 	uint32_t *op = ncptr;
 	size_t n = sz;
 	do {
 		DPRINTF(("\t> |0x%02x|\n", (u_int)*op));
 		op++;
 		n -= sizeof(*op);
 	} while (n);
 #endif
 	/* Create a final memory block of data, ready to send. */
 	ncdata = prop_data_create_data(ncptr, sz);
 @@ -555,25 +634,49 @@ npfctl_mk_nat(void)
 	pri = nat_prio_counter++;
 	prop_dictionary_set(rl, "priority",
 	    prop_number_create_integer(pri));
 	return rl;
+}
 void
 npfctl_add_nat(prop_dictionary_t nat)
+{
 	prop_array_add(nat_arr, nat);
+}
 void
-npfctl_nat_setup(prop_dictionary_t rl, char *iface, char *gwip)
+npfctl_nat_setup(prop_dictionary_t rl, int type, int flags,
     char *iface, char *taddr, char *rport)
+{
-	const int attr = NPF_RULE_PASS | NPF_RULE_OUT | NPF_RULE_FINAL;
+	int attr = NPF_RULE_PASS | NPF_RULE_FINAL;
 	in_addr_t addr, mask;
 	/* Translation type and flags. */
 	prop_dictionary_set(rl, "type",
 	    prop_number_create_integer(type));
 	prop_dictionary_set(rl, "flags",
 	    prop_number_create_integer(flags));
 	/* Interface and attributes. */
 	attr |= (type == NPF_NATOUT) ? NPF_RULE_OUT : NPF_RULE_IN;
 	npfctl_rule_setattr(rl, attr, iface);
-	/* Gateway IP, XXX should be no mask. */
+	/* Translation IP, XXX should be no mask. */
-	npfctl_parse_cidr(gwip, &addr, &mask);
+	npfctl_parse_cidr(taddr, &addr, &mask);
-	prop_dictionary_set(rl, "gateway_ip", prop_number_create_integer(addr));
+	prop_dictionary_set(rl, "translation_ip",
 	    prop_number_create_integer(addr));
 	/* Translation port (for redirect case). */
 	if (rport) {
 		in_port_t port;
 		bool range;
 		if (!npfctl_parse_port(rport, &range, &port, &port)) {
 			errx(EXIT_FAILURE, "invalid service '%s'", rport);
+		}
 		if (range) {
 			errx(EXIT_FAILURE, "range is not supported for 'rdr'");
+		}
 		prop_dictionary_set(rl, "translation_port",
 		    prop_number_create_integer(port));
+	}
+}