 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_alg_icmp.c,v 1.19 2014/02/16 22:10:40 rmind Exp $	*/
+/*	$NetBSD: npf_alg_icmp.c,v 1.20 2014/02/19 03:51:31 rmind Exp $	*/
 /*-
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -24,27 +24,27 @@
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF ALG for ICMP and traceroute translations.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.19 2014/02/16 22:10:40 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_alg_icmp.c,v 1.20 2014/02/19 03:51:31 rmind Exp $");
 #include <sys/param.h>
 #include <sys/module.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/icmp6.h>
 #include <net/pfil.h>
 @@ -295,95 +295,102 @@ npfa_icmp_session(npf_cache_t *npc, nbuf
+	}
 	/* Lookup for a session using embedded packet. */
 	return npf_session_lookup(&enpc, nbuf, di, &forw);
+}
 /*
  * npfa_icmp_nat: ALG translator - rewrites IP address in the IP header
  * which is embedded in ICMP packet.  Note: backwards stream only.
  */
 static bool
 npfa_icmp_nat(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt, bool forw)
+{
 	const u_int which = NPF_SRC;
 	npf_cache_t enpc;
 	if (forw || !npf_iscached(npc, NPC_ICMP))
 		return false;
 	if (!npfa_icmp_inspect(npc, nbuf, &enpc))
 		return false;
 	KASSERT(npf_iscached(&enpc, NPC_IP46));
 	KASSERT(npf_iscached(&enpc, NPC_LAYER4));
 	/*
 	 * ICMP: fetch the current checksum we are going to fixup.
 	 */
 	struct icmp *ic = npc->npc_l4.icmp;
 	uint16_t cksum = ic->icmp_cksum;
 	CTASSERT(offsetof(struct icmp, icmp_cksum) ==
 	    offsetof(struct icmp6_hdr, icmp6_cksum));
 	/*
-	 * Retrieve the original address and port, then calculate ICMP
+	 * Fetch the IP and port in the _embedded_ packet.  Also, fetch
-	 * checksum for these changes in the embedded packet.  While data
+	 * the IPv4 and TCP/UDP checksums before they are rewritten.
-	 * is not rewritten in the cache, save IP and TCP/UDP checksums.
+	 * Calculate the part of the ICMP checksum fixup.
 	 * XXX: Assumes NPF_NATOUT (source address/port).  Currently,
 	 * npfa_icmp_match() matches only for the PFIL_OUT traffic.
 	 */
 	const int proto = enpc.npc_proto;
 	uint16_t ipcksum = 0, l4cksum = 0;
 	npf_addr_t *addr;
 	in_port_t port;
 	npf_nat_getorig(nt, &addr, &port);
 	if (npf_iscached(&enpc, NPC_IP4)) {
 		const struct ip *eip = enpc.npc_ip.v4;
 		ipcksum = eip->ip_sum;
+	}
-	cksum = npf_addr_cksum(cksum, enpc.npc_alen, enpc.npc_ips[NPF_SRC], addr);
+	cksum = npf_addr_cksum(cksum, enpc.npc_alen, enpc.npc_ips[which], addr);
 	switch (proto) {
 	case IPPROTO_TCP: {
 		const struct tcphdr *th = enpc.npc_l4.tcp;
 		cksum = npf_fixup16_cksum(cksum, th->th_sport, port);
 		l4cksum = th->th_sum;
 		break;
+	}
 	case IPPROTO_UDP: {
 		const struct udphdr *uh = enpc.npc_l4.udp;
 		cksum = npf_fixup16_cksum(cksum, uh->uh_sport, port);
 		l4cksum = uh->uh_sum;
 		break;
+	}
 	case IPPROTO_ICMP:
 	case IPPROTO_ICMPV6:
 		break;
 	default:
 		return false;
+	}
 	/*
-	 * Rewrite the source IP address and port of the embedded IP header,
+	 * Translate the embedded packet.  The following changes will
-	 * which represents the original packet.  This updates the checksums
+	 * be performed by npf_napt_rwr():
 	 * in the embedded packet.
 	 *	1) Rewrite the IP address and, if not ICMP, port.
 	 *	2) Rewrite the TCP/UDP checksum (if not ICMP).
 	 *	3) Rewrite the IPv4 checksum for (1) and (2).
+	 *
 	 * XXX: Assumes NPF_NATOUT (source address/port).  Currently,
 	 * npfa_icmp_match() matches only for the PFIL_OUT traffic.
 	 */
-	if (npf_nat_translate(&enpc, nbuf, nt, forw)) {
+	if (npf_napt_rwr(&enpc, which, addr, port)) {
 		return false;
+	}
 	/*
-	 * Finish calculation of the ICMP checksum: include the checksum
+	 * Finally, finish the ICMP checksum fixup: include the checksum
-	 * change in the embedded packet.
+	 * changes in the embedded packet.
 	 */
 	if (npf_iscached(&enpc, NPC_IP4)) {
 		const struct ip *eip = enpc.npc_ip.v4;
 		cksum = npf_fixup16_cksum(cksum, ipcksum, eip->ip_sum);
+	}
 	switch (proto) {
 	case IPPROTO_TCP: {
 		const struct tcphdr *th = enpc.npc_l4.tcp;
 		cksum = npf_fixup16_cksum(cksum, l4cksum, th->th_sum);
 		break;
+	}
 	case IPPROTO_UDP:
 		if (l4cksum) {

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_impl.h,v 1.48 2014/02/16 22:10:40 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.49 2014/02/19 03:51:31 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -190,26 +190,28 @@ u_int		npf_ifmap_id(const ifnet_t *);
 int		npf_pfil_register(bool);
 void		npf_pfil_unregister(bool);
 bool		npf_pfil_registered_p(void);
 int		npf_packet_handler(void *, struct mbuf **, ifnet_t *, int);
 /* Protocol helpers. */
 int		npf_cache_all(npf_cache_t *, nbuf_t *);
 void		npf_recache(npf_cache_t *, nbuf_t *);
 bool		npf_rwrip(const npf_cache_t *, u_int, const npf_addr_t *);
 bool		npf_rwrport(const npf_cache_t *, u_int, const in_port_t);
 bool		npf_rwrcksum(const npf_cache_t *, u_int,
 		    const npf_addr_t *, const in_port_t);
 int		npf_napt_rwr(const npf_cache_t *, u_int, const npf_addr_t *,
 		    const in_addr_t);
 int		npf_npt66_rwr(const npf_cache_t *, u_int, const npf_addr_t *,
 		    npf_netmask_t, uint16_t);
 uint16_t	npf_fixup16_cksum(uint16_t, uint16_t, uint16_t);
 uint16_t	npf_fixup32_cksum(uint16_t, uint32_t, uint32_t);
 uint16_t	npf_addr_cksum(uint16_t, int, const npf_addr_t *,
 		    const npf_addr_t *);
 uint32_t	npf_addr_mix(const int, const npf_addr_t *, const npf_addr_t *);
 int		npf_addr_cmp(const npf_addr_t *, const npf_netmask_t,
 		    const npf_addr_t *, const npf_netmask_t, const int);
 void		npf_addr_mask(const npf_addr_t *, const npf_netmask_t,
 		    const int, npf_addr_t *);
 @@ -331,27 +333,26 @@ void		npf_state_destroy(npf_state_t *);
 bool		npf_state_tcp(npf_cache_t *, nbuf_t *, npf_state_t *, int);
 int		npf_state_tcp_timeout(const npf_state_t *);
 /* NAT. */
 void		npf_nat_sysinit(void);
 void		npf_nat_sysfini(void);
 npf_natpolicy_t *npf_nat_newpolicy(prop_dictionary_t, npf_ruleset_t *);
 void		npf_nat_freepolicy(npf_natpolicy_t *);
 bool		npf_nat_matchpolicy(npf_natpolicy_t *, npf_natpolicy_t *);
 bool		npf_nat_sharepm(npf_natpolicy_t *, npf_natpolicy_t *);
 void		npf_nat_freealg(npf_natpolicy_t *, npf_alg_t *);
 int		npf_do_nat(npf_cache_t *, npf_session_t *, nbuf_t *, const int);
 int		npf_nat_translate(npf_cache_t *, nbuf_t *, npf_nat_t *, bool);
 void		npf_nat_destroy(npf_nat_t *);
 void		npf_nat_getorig(npf_nat_t *, npf_addr_t **, in_port_t *);
 void		npf_nat_gettrans(npf_nat_t *, npf_addr_t **, in_port_t *);
 void		npf_nat_setalg(npf_nat_t *, npf_alg_t *, uintptr_t);
 int		npf_nat_save(prop_dictionary_t, prop_array_t, npf_nat_t *);
 npf_nat_t *	npf_nat_restore(prop_dictionary_t, npf_session_t *);
 /* ALG interface. */
 void		npf_alg_sysinit(void);
 void		npf_alg_sysfini(void);
 npf_alg_t *	npf_alg_register(const char *, const npfa_funcs_t *);
 int		npf_alg_unregister(npf_alg_t *);

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_inet.c,v 1.29 2014/02/13 03:34:40 rmind Exp $	*/
+/*	$NetBSD: npf_inet.c,v 1.30 2014/02/19 03:51:31 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -29,27 +29,27 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * Various protocol related helper routines.
+ *
  * This layer manipulates npf_cache_t structure i.e. caches requested headers
  * and stores which information was cached in the information bit field.
  * It is also responsibility of this layer to update or invalidate the cache
  * on rewrites (e.g. by translation routines).
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.29 2014/02/13 03:34:40 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.30 2014/02/19 03:51:31 rmind Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #include <net/pfil.h>
 #include <net/if.h>
 #include <net/ethertypes.h>
 #include <net/if_ether.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 @@ -568,27 +568,27 @@ npf_rwrcksum(const npf_cache_t *npc, u_i
 	if (npf_iscached(npc, NPC_IP4)) {
 		struct ip *ip = npc->npc_ip.v4;
 		uint16_t ipsum = ip->ip_sum;
 		/* Recalculate IPv4 checksum and rewrite. */
 		ip->ip_sum = npf_addr_cksum(ipsum, alen, oaddr, addr);
 	} else {
 		/* No checksum for IPv6. */
 		KASSERT(npf_iscached(npc, NPC_IP6));
+	}
 	/* Nothing else to do for ICMP. */
-	if (proto == IPPROTO_ICMP) {
+	if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) {
 		return true;
+	}
 	KASSERT(npf_iscached(npc, NPC_TCP) || npf_iscached(npc, NPC_UDP));
 	/*
 	 * Calculate TCP/UDP checksum:
 	 * - Skip if UDP and the current checksum is zero.
 	 * - Fixup the IP address change.
 	 * - Fixup the port change, if required (non-zero).
 	 */
 	if (proto == IPPROTO_TCP) {
 		struct tcphdr *th = npc->npc_l4.tcp;
 @@ -607,26 +607,70 @@ npf_rwrcksum(const npf_cache_t *npc, u_i
+	}
 	uint16_t cksum = npf_addr_cksum(*ocksum, alen, oaddr, addr);
 	if (port) {
 		cksum = npf_fixup16_cksum(cksum, oport, port);
+	}
 	/* Rewrite TCP/UDP checksum. */
 	memcpy(ocksum, &cksum, sizeof(uint16_t));
 	return true;
+}
 /*
  * npf_napt_rwr: perform address and/or port translation.
  */
 int
 npf_napt_rwr(const npf_cache_t *npc, u_int which,
     const npf_addr_t *addr, const in_addr_t port)
+{
 	const unsigned proto = npc->npc_proto;
 	/*
 	 * Rewrite IP and/or TCP/UDP checksums first, since we need the
 	 * current (old) address/port for the calculations.  Then perform
 	 * the address translation i.e. rewrite source or destination.
 	 */
 	if (!npf_rwrcksum(npc, which, addr, port)) {
 		return EINVAL;
+	}
 	if (!npf_rwrip(npc, which, addr)) {
 		return EINVAL;
+	}
 	if (port == 0) {
 		/* Done. */
 		return 0;
+	}
 	switch (proto) {
 	case IPPROTO_TCP:
 	case IPPROTO_UDP:
 		/* Rewrite source/destination port. */
 		if (!npf_rwrport(npc, which, port)) {
 			return EINVAL;
+		}
 		break;
 	case IPPROTO_ICMP:
 	case IPPROTO_ICMPV6:
 		KASSERT(npf_iscached(npc, NPC_ICMP));
 		/* Nothing. */
 		break;
 	default:
 		return ENOTSUP;
+	}
 	return 0;
+}
 /*
  * IPv6-to-IPv6 Network Prefix Translation (NPTv6), as per RFC 6296.
  */
 int
 npf_npt66_rwr(const npf_cache_t *npc, u_int which, const npf_addr_t *pref,
     npf_netmask_t len, uint16_t adj)
+{
 	npf_addr_t *addr = npc->npc_ips[which];
 	unsigned remnant, word, preflen = len >> 4;
 	uint32_t sum;
 	KASSERT(which == NPF_SRC || which == NPF_DST);

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_nat.c,v 1.25 2014/02/13 03:34:40 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.26 2014/02/19 03:51:31 rmind Exp $	*/
 /*-
  * Copyright (c) 2014 Mindaugas Rasiukevicius <rmind at netbsd org>
  * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
 @@ -61,27 +61,27 @@
+ *
  * Sessions, translation entries and their life-cycle
+ *
  *	NAT module relies on session management module.  Each translated
  *	session has an associated translation entry (npf_nat_t), which
  *	contains information used for backwards stream translation, i.e.
  *	original IP address with port and translation port, allocated from
  *	the port map.  Each NAT entry is associated with the policy, which
  *	contains translation IP address.  Allocated port is returned to the
  *	port map and NAT entry is destroyed when session expires.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.25 2014/02/13 03:34:40 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.26 2014/02/19 03:51:31 rmind Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/atomic.h>
 #include <sys/bitops.h>
 #include <sys/condvar.h>
 #include <sys/kmem.h>
 #include <sys/mutex.h>
 #include <sys/pool.h>
 #include <sys/proc.h>
 #include <sys/cprng.h>
 @@ -539,121 +539,78 @@ npf_nat_create(npf_cache_t *npc, npf_nat
 	if ((np->n_flags & NPF_NAT_PORTMAP) != 0) {
 		nt->nt_tport = npf_nat_getport(np);
 	} else {
 		nt->nt_tport = np->n_tport;
+	}
 out:
 	mutex_enter(&np->n_lock);
 	LIST_INSERT_HEAD(&np->n_nat_list, nt, nt_entry);
 	mutex_exit(&np->n_lock);
 	return nt;
+}
 /*
  * npf_nat_rwr: perform address and/or port translation.
  */
 static int
 npf_nat_rwr(npf_cache_t *npc, const npf_natpolicy_t *np,
     const npf_addr_t *addr, const in_addr_t port, bool forw)
 	const unsigned proto = npc->npc_proto;
 	const u_int which = npf_nat_which(np->n_type, forw);
 	/*
 	 * Rewrite IP and/or TCP/UDP checksums first, since we need the
 	 * current (old) address/port for the calculations.  Then perform
 	 * the address translation i.e. rewrite source or destination.
 	 */
 	if (!npf_rwrcksum(npc, which, addr, port)) {
 		return EINVAL;
 	if (!npf_rwrip(npc, which, addr)) {
 		return EINVAL;
 	if ((np->n_flags & NPF_NAT_PORTS) == 0) {
 		/* Done. */
 		return 0;
 	switch (proto) {
 	case IPPROTO_TCP:
 	case IPPROTO_UDP:
 		/* Rewrite source/destination port. */
 		if (!npf_rwrport(npc, which, port)) {
 			return EINVAL;
 		break;
 	case IPPROTO_ICMP:
 		KASSERT(npf_iscached(npc, NPC_ICMP));
 		/* Nothing. */
 		break;
 	default:
 		return ENOTSUP;
 	return 0;
 /*
  * npf_nat_translate: perform translation given the state data.
  */
-int
+static inline int
 npf_nat_translate(npf_cache_t *npc, nbuf_t *nbuf, npf_nat_t *nt, bool forw)
+{
 	const npf_natpolicy_t *np = nt->nt_natpolicy;
 	const u_int which = npf_nat_which(np->n_type, forw);
 	const npf_addr_t *addr;
 	in_port_t port;
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	KASSERT(npf_iscached(npc, NPC_LAYER4));
 	KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET));
 	if (forw) {
 		/* "Forwards" stream: use translation address/port. */
 		addr = &np->n_taddr;
 		port = nt->nt_tport;
 	} else {
 		/* "Backwards" stream: use original address/port. */
 		addr = &nt->nt_oaddr;
 		port = nt->nt_oport;
+	}
 	KASSERT((np->n_flags & NPF_NAT_PORTS) != 0 || port == 0);
-	/* Execute ALG hook first. */
+	/* Execute ALG translation first. */
 	if ((npc->npc_info & NPC_ALG_EXEC) == 0) {
 		npc->npc_info |= NPC_ALG_EXEC;
 		npf_alg_exec(npc, nbuf, nt, forw);
 		npf_recache(npc, nbuf);
+	}
 	KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET));
 	/* Finally, perform the translation. */
-	return npf_nat_rwr(npc, np, addr, port, forw);
+	return npf_napt_rwr(npc, which, addr, port);
+}
 /*
  * npf_nat_algo: perform the translation given the algorithm.
  */
 static inline int
 npf_nat_algo(npf_cache_t *npc, const npf_natpolicy_t *np, bool forw)
+{
-	u_int which;
+	const u_int which = npf_nat_which(np->n_type, forw);
 	int error;
 	switch (np->n_algo) {
 	case NPF_ALGO_NPT66:
 		which = npf_nat_which(np->n_type, forw);
 		error = npf_npt66_rwr(npc, which, &np->n_taddr,
 		    np->n_tmask, np->n_npt66_adj);
 		break;
 	default:
-		error = npf_nat_rwr(npc, np, &np->n_taddr, np->n_tport, forw);
+		error = npf_napt_rwr(npc, which, &np->n_taddr, np->n_tport);
 		break;
+	}
 	return error;
+}
 /*
  * npf_do_nat:
  *	- Inspect packet for a NAT policy, unless a session with a NAT
  *	  association already exists.  In such case, determine whether it
  *	  is a "forwards" or "backwards" stream.
  *	- Perform translation: rewrite source or destination fields,
  *	  depending on translation type and direction.