Add a ``nat proto'' command -- similar to natd(8)'s -redirect_proto switch.

MFC after: 3 weeks
svn path=/head/; revision=79433
2024-09-22 17:54:52 +00:00 · 2001-07-09 00:07:56 +00:00 · 2001-07-09 00:07:56 +00:00 · 8829899405 · 2020-12-20 02:59:44 +00:00
parent a9b238fa8e
commit 8829899405
5 changed files with 117 additions and 0 deletions
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@ -632,6 +632,8 @@ static struct cmdtab const NatCommands[] =
   (const void *) PKT_ALIAS_LOG},
  {"port", NULL, nat_RedirectPort, LOCAL_AUTH, "port redirection",
   "nat port proto localaddr:port[-port] aliasport[-aliasport]"},
+  {"proto", NULL, nat_RedirectProto, LOCAL_AUTH, "protocol redirection",
+   "nat proto proto localIP [publicIP [remoteIP]]"},
  {"proxy", NULL, nat_ProxyRule, LOCAL_AUTH,
   "proxy control", "nat proxy server host[:port] ..."},
  {"same_ports", NULL, NatOption, LOCAL_AUTH,
--- a/usr.sbin/ppp/nat_cmd.c
+++ b/usr.sbin/ppp/nat_cmd.c
@ -229,6 +229,74 @@ nat_RedirectAddr(struct cmdargs const *arg)
 }


+int
+nat_RedirectProto(struct cmdargs const *arg)
+{
+  if (!arg->bundle->NatEnabled) {
+    prompt_Printf(arg->prompt, "nat not enabled\n");
+    return 1;
+  } else if (arg->argc >= arg->argn + 2 && arg->argc <= arg->argn + 4) {
+    struct in_addr localIP, publicIP, remoteIP;
+    struct alias_link *link;
+    struct protoent *pe;
+    int error, len;
+
+    len = strlen(arg->argv[arg->argn]);
+    if (len == 0) {
+      prompt_Printf(arg->prompt, "proto redirect: invalid protocol\n");
+      return 1;
+    }
+    if (strspn(arg->argv[arg->argn], "01234567") == len)
+      pe = getprotobynumber(atoi(arg->argv[arg->argn]));
+    else
+      pe = getprotobyname(arg->argv[arg->argn]);
+    if (pe == NULL) {
+      prompt_Printf(arg->prompt, "proto redirect: invalid protocol\n");
+      return 1;
+    }
+
+    error = StrToAddr(arg->argv[arg->argn + 1], &localIP);
+    if (error) {
+      prompt_Printf(arg->prompt, "proto redirect: invalid src address\n");
+      return 1;
+    }
+
+    if (arg->argc >= arg->argn + 3) {
+      error = StrToAddr(arg->argv[arg->argn + 2], &publicIP);
+      if (error) {
+        prompt_Printf(arg->prompt, "proto redirect: invalid alias address\n");
+        prompt_Printf(arg->prompt, "Usage: nat %s %s\n", arg->cmd->name,
+                      arg->cmd->syntax);
+        return 1;
+      }
+    } else
+      publicIP.s_addr = INADDR_ANY;
+
+    if (arg->argc == arg->argn + 4) {
+      error = StrToAddr(arg->argv[arg->argn + 2], &remoteIP);
+      if (error) {
+        prompt_Printf(arg->prompt, "proto redirect: invalid dst address\n");
+        prompt_Printf(arg->prompt, "Usage: nat %s %s\n", arg->cmd->name,
+                      arg->cmd->syntax);
+        return 1;
+      }
+    } else
+      remoteIP.s_addr = INADDR_ANY;
+
+    link = PacketAliasRedirectProto(localIP, remoteIP, publicIP, pe->p_proto);
+    if (link == NULL) {
+      prompt_Printf(arg->prompt, "proto redirect: packet aliasing"
+                    " engine error\n");
+      prompt_Printf(arg->prompt, "Usage: nat %s %s\n", arg->cmd->name,
+                    arg->cmd->syntax);
+    }
+  } else
+    return -1;
+
+  return 0;
+}
+
+
 static int
 StrToAddr(const char *str, struct in_addr *addr)
 {
--- a/usr.sbin/ppp/nat_cmd.h
+++ b/usr.sbin/ppp/nat_cmd.h
@ -31,6 +31,7 @@ struct cmdargs;

 extern int nat_RedirectPort(struct cmdargs const *);
 extern int nat_RedirectAddr(struct cmdargs const *);
+extern int nat_RedirectProto(struct cmdargs const *);
 extern int nat_ProxyRule(struct cmdargs const *);
 extern int nat_SetTarget(struct cmdargs const *);

--- a/usr.sbin/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp.8
@ -3370,6 +3370,28 @@ or a range of ports the same size as the other ranges.
 This option is useful if you wish to run things like Internet phone on
 machines behind your gateway, but is limited in that connections to only
 one interior machine per source machine and target port are possible.
+.It nat proto Ar proto localIP Op Ar publicIP Op Ar remoteIP
+This command tells
+.Nm
+to redirect packets of protocol type
+.Ar proto
+.Pq see Xr protocols 5
+to the internall address
+.Ar localIP .
+.Pp
+If
+.Ar publicIP
+is specified, only packets destined for that address are matched,
+otherwise the default alias address is used.
+.Pp
+If
+.Ar remoteIP
+is specified, only packets matching that source address are matched,
+.Pp
+This command is useful for redirecting tunnel endpoints to an internal machine,
+for example:
+.Pp
+.Dl nat proto ipencap 10.0.0.1
 .It "nat proxy cmd" Ar arg Ns No ...
 This command tells
 .Nm
@ -5646,6 +5668,7 @@ This socket is used to pass links between different instances of
 .Xr crontab 5 ,
 .Xr group 5 ,
 .Xr passwd 5 ,
+.Xr protocols 5 ,
 .Xr radius.conf 5 ,
 .Xr resolv.conf 5 ,
 .Xr syslog.conf 5 ,
--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@ -3370,6 +3370,28 @@ or a range of ports the same size as the other ranges.
 This option is useful if you wish to run things like Internet phone on
 machines behind your gateway, but is limited in that connections to only
 one interior machine per source machine and target port are possible.
+.It nat proto Ar proto localIP Op Ar publicIP Op Ar remoteIP
+This command tells
+.Nm
+to redirect packets of protocol type
+.Ar proto
+.Pq see Xr protocols 5
+to the internall address
+.Ar localIP .
+.Pp
+If
+.Ar publicIP
+is specified, only packets destined for that address are matched,
+otherwise the default alias address is used.
+.Pp
+If
+.Ar remoteIP
+is specified, only packets matching that source address are matched,
+.Pp
+This command is useful for redirecting tunnel endpoints to an internal machine,
+for example:
+.Pp
+.Dl nat proto ipencap 10.0.0.1
 .It "nat proxy cmd" Ar arg Ns No ...
 This command tells
 .Nm
@ -5646,6 +5668,7 @@ This socket is used to pass links between different instances of
 .Xr crontab 5 ,
 .Xr group 5 ,
 .Xr passwd 5 ,
+.Xr protocols 5 ,
 .Xr radius.conf 5 ,
 .Xr resolv.conf 5 ,
 .Xr syslog.conf 5 ,