netinet/libalias/alias.c

a9643ea8Slogwang/*-
*22ce4affSfengbojiang * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
*22ce4affSfengbojiang *
a9643ea8Slogwang * Copyright (c) 2001 Charles Mott <[email protected]>
a9643ea8Slogwang * All rights reserved.
a9643ea8Slogwang *
a9643ea8Slogwang * Redistribution and use in source and binary forms, with or without
a9643ea8Slogwang * modification, are permitted provided that the following conditions
a9643ea8Slogwang * are met:
a9643ea8Slogwang * 1. Redistributions of source code must retain the above copyright
a9643ea8Slogwang *    notice, this list of conditions and the following disclaimer.
a9643ea8Slogwang * 2. Redistributions in binary form must reproduce the above copyright
a9643ea8Slogwang *    notice, this list of conditions and the following disclaimer in the
a9643ea8Slogwang *    documentation and/or other materials provided with the distribution.
a9643ea8Slogwang *
a9643ea8Slogwang * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
a9643ea8Slogwang * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
a9643ea8Slogwang * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
a9643ea8Slogwang * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
a9643ea8Slogwang * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
a9643ea8Slogwang * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
a9643ea8Slogwang * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
a9643ea8Slogwang * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
a9643ea8Slogwang * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
a9643ea8Slogwang * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
a9643ea8Slogwang * SUCH DAMAGE.
a9643ea8Slogwang */
a9643ea8Slogwang
a9643ea8Slogwang#include <sys/cdefs.h>
a9643ea8Slogwang__FBSDID("$FreeBSD$");
a9643ea8Slogwang
a9643ea8Slogwang/*
a9643ea8Slogwang    Alias.c provides supervisory control for the functions of the
a9643ea8Slogwang    packet aliasing software.  It consists of routines to monitor
a9643ea8Slogwang    TCP connection state, protocol-specific aliasing routines,
a9643ea8Slogwang    fragment handling and the following outside world functional
a9643ea8Slogwang    interfaces: SaveFragmentPtr, GetFragmentPtr, FragmentAliasIn,
a9643ea8Slogwang    PacketAliasIn and PacketAliasOut.
a9643ea8Slogwang
a9643ea8Slogwang    The other C program files are briefly described. The data
a9643ea8Slogwang    structure framework which holds information needed to translate
a9643ea8Slogwang    packets is encapsulated in alias_db.c.  Data is accessed by
a9643ea8Slogwang    function calls, so other segments of the program need not know
a9643ea8Slogwang    about the underlying data structures.  Alias_ftp.c contains
a9643ea8Slogwang    special code for modifying the ftp PORT command used to establish
a9643ea8Slogwang    data connections, while alias_irc.c does the same for IRC
a9643ea8Slogwang    DCC. Alias_util.c contains a few utility routines.
a9643ea8Slogwang
a9643ea8Slogwang    Version 1.0 August, 1996  (cjm)
a9643ea8Slogwang
a9643ea8Slogwang    Version 1.1 August 20, 1996  (cjm)
a9643ea8Slogwang	PPP host accepts incoming connections for ports 0 to 1023.
a9643ea8Slogwang	(Gary Roberts pointed out the need to handle incoming
a9643ea8Slogwang	 connections.)
a9643ea8Slogwang
a9643ea8Slogwang    Version 1.2 September 7, 1996 (cjm)
a9643ea8Slogwang	Fragment handling error in alias_db.c corrected.
a9643ea8Slogwang	(Tom Torrance helped fix this problem.)
a9643ea8Slogwang
a9643ea8Slogwang    Version 1.4 September 16, 1996 (cjm)
a9643ea8Slogwang	- A more generalized method for handling incoming
a9643ea8Slogwang	  connections, without the 0-1023 restriction, is
a9643ea8Slogwang	  implemented in alias_db.c
a9643ea8Slogwang	- Improved ICMP support in alias.c.  Traceroute
a9643ea8Slogwang	  packet streams can now be correctly aliased.
a9643ea8Slogwang	- TCP connection closing logic simplified in
a9643ea8Slogwang	  alias.c and now allows for additional 1 minute
a9643ea8Slogwang	  "grace period" after FIN or RST is observed.
a9643ea8Slogwang
a9643ea8Slogwang    Version 1.5 September 17, 1996 (cjm)
a9643ea8Slogwang	Corrected error in handling incoming UDP packets with 0 checksum.
a9643ea8Slogwang	(Tom Torrance helped fix this problem.)
a9643ea8Slogwang
a9643ea8Slogwang    Version 1.6 September 18, 1996 (cjm)
a9643ea8Slogwang	Simplified ICMP aliasing scheme.  Should now support
a9643ea8Slogwang	traceroute from Win95 as well as FreeBSD.
a9643ea8Slogwang
a9643ea8Slogwang    Version 1.7 January 9, 1997 (cjm)
a9643ea8Slogwang	- Out-of-order fragment handling.
a9643ea8Slogwang	- IP checksum error fixed for ftp transfers
a9643ea8Slogwang	  from aliasing host.
a9643ea8Slogwang	- Integer return codes added to all
a9643ea8Slogwang	  aliasing/de-aliasing functions.
a9643ea8Slogwang	- Some obsolete comments cleaned up.
a9643ea8Slogwang	- Differential checksum computations for
a9643ea8Slogwang	  IP header (TCP, UDP and ICMP were already
a9643ea8Slogwang	  differential).
a9643ea8Slogwang
a9643ea8Slogwang    Version 2.1 May 1997 (cjm)
a9643ea8Slogwang	- Added support for outgoing ICMP error
a9643ea8Slogwang	  messages.
a9643ea8Slogwang	- Added two functions PacketAliasIn2()
a9643ea8Slogwang	  and PacketAliasOut2() for dynamic address
a9643ea8Slogwang	  control (e.g. round-robin allocation of
a9643ea8Slogwang	  incoming packets).
a9643ea8Slogwang
a9643ea8Slogwang    Version 2.2 July 1997 (cjm)
a9643ea8Slogwang	- Rationalized API function names to begin
a9643ea8Slogwang	  with "PacketAlias..."
a9643ea8Slogwang	- Eliminated PacketAliasIn2() and
a9643ea8Slogwang	  PacketAliasOut2() as poorly conceived.
a9643ea8Slogwang
a9643ea8Slogwang    Version 2.3 Dec 1998 (dillon)
a9643ea8Slogwang	- Major bounds checking additions, see FreeBSD/CVS
a9643ea8Slogwang
a9643ea8Slogwang    Version 3.1 May, 2000 (salander)
a9643ea8Slogwang	- Added hooks to handle PPTP.
a9643ea8Slogwang
a9643ea8Slogwang    Version 3.2 July, 2000 (salander and satoh)
a9643ea8Slogwang	- Added PacketUnaliasOut routine.
a9643ea8Slogwang	- Added hooks to handle RTSP/RTP.
a9643ea8Slogwang
a9643ea8Slogwang    See HISTORY file for additional revisions.
a9643ea8Slogwang*/
a9643ea8Slogwang
a9643ea8Slogwang#ifdef _KERNEL
a9643ea8Slogwang#include <sys/param.h>
a9643ea8Slogwang#include <sys/systm.h>
a9643ea8Slogwang#include <sys/mbuf.h>
a9643ea8Slogwang#include <sys/sysctl.h>
a9643ea8Slogwang#else
a9643ea8Slogwang#include <sys/types.h>
a9643ea8Slogwang#include <stdlib.h>
a9643ea8Slogwang#include <stdio.h>
a9643ea8Slogwang#include <ctype.h>
a9643ea8Slogwang#include <dlfcn.h>
a9643ea8Slogwang#include <errno.h>
a9643ea8Slogwang#include <string.h>
a9643ea8Slogwang#endif
a9643ea8Slogwang
a9643ea8Slogwang#include <netinet/in_systm.h>
a9643ea8Slogwang#include <netinet/in.h>
a9643ea8Slogwang#include <netinet/ip.h>
a9643ea8Slogwang#include <netinet/ip_icmp.h>
a9643ea8Slogwang#include <netinet/tcp.h>
a9643ea8Slogwang#include <netinet/udp.h>
a9643ea8Slogwang
a9643ea8Slogwang#ifdef _KERNEL
a9643ea8Slogwang#include <netinet/libalias/alias.h>
a9643ea8Slogwang#include <netinet/libalias/alias_local.h>
a9643ea8Slogwang#include <netinet/libalias/alias_mod.h>
a9643ea8Slogwang#else
a9643ea8Slogwang#include <err.h>
a9643ea8Slogwang#include "alias.h"
a9643ea8Slogwang#include "alias_local.h"
a9643ea8Slogwang#include "alias_mod.h"
a9643ea8Slogwang#endif
a9643ea8Slogwang
a9643ea8Slogwang/*
a9643ea8Slogwang * Define libalias SYSCTL Node
a9643ea8Slogwang */
a9643ea8Slogwang#ifdef SYSCTL_NODE
a9643ea8Slogwang
a9643ea8SlogwangSYSCTL_DECL(_net_inet);
a9643ea8SlogwangSYSCTL_DECL(_net_inet_ip);
*22ce4affSfengbojiangSYSCTL_NODE(_net_inet_ip, OID_AUTO, alias, CTLFLAG_RW | CTLFLAG_MPSAFE, NULL,
*22ce4affSfengbojiang    "Libalias sysctl API");
a9643ea8Slogwang
a9643ea8Slogwang#endif
a9643ea8Slogwang
a9643ea8Slogwangstatic __inline int
a9643ea8Slogwangtwowords(void *p)
a9643ea8Slogwang{
a9643ea8Slogwang	uint8_t *c = p;
a9643ea8Slogwang
a9643ea8Slogwang#if BYTE_ORDER == LITTLE_ENDIAN
a9643ea8Slogwang	uint16_t s1 = ((uint16_t)c[1] << 8) + (uint16_t)c[0];
a9643ea8Slogwang	uint16_t s2 = ((uint16_t)c[3] << 8) + (uint16_t)c[2];
a9643ea8Slogwang#else
a9643ea8Slogwang	uint16_t s1 = ((uint16_t)c[0] << 8) + (uint16_t)c[1];
a9643ea8Slogwang	uint16_t s2 = ((uint16_t)c[2] << 8) + (uint16_t)c[3];
a9643ea8Slogwang#endif
a9643ea8Slogwang	return (s1 + s2);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwang/* TCP Handling Routines
a9643ea8Slogwang
a9643ea8Slogwang    TcpMonitorIn()  -- These routines monitor TCP connections, and
a9643ea8Slogwang    TcpMonitorOut()    delete a link when a connection is closed.
a9643ea8Slogwang
a9643ea8SlogwangThese routines look for SYN, FIN and RST flags to determine when TCP
a9643ea8Slogwangconnections open and close.  When a TCP connection closes, the data
a9643ea8Slogwangstructure containing packet aliasing information is deleted after
a9643ea8Slogwanga timeout period.
a9643ea8Slogwang*/
a9643ea8Slogwang
a9643ea8Slogwang/* Local prototypes */
a9643ea8Slogwangstatic void	TcpMonitorIn(u_char, struct alias_link *);
a9643ea8Slogwang
a9643ea8Slogwangstatic void	TcpMonitorOut(u_char, struct alias_link *);
a9643ea8Slogwang
a9643ea8Slogwangstatic void
a9643ea8SlogwangTcpMonitorIn(u_char th_flags, struct alias_link *lnk)
a9643ea8Slogwang{
a9643ea8Slogwang
a9643ea8Slogwang	switch (GetStateIn(lnk)) {
a9643ea8Slogwang	case ALIAS_TCP_STATE_NOT_CONNECTED:
a9643ea8Slogwang		if (th_flags & TH_RST)
a9643ea8Slogwang			SetStateIn(lnk, ALIAS_TCP_STATE_DISCONNECTED);
a9643ea8Slogwang		else if (th_flags & TH_SYN)
a9643ea8Slogwang			SetStateIn(lnk, ALIAS_TCP_STATE_CONNECTED);
a9643ea8Slogwang		break;
a9643ea8Slogwang	case ALIAS_TCP_STATE_CONNECTED:
a9643ea8Slogwang		if (th_flags & (TH_FIN | TH_RST))
a9643ea8Slogwang			SetStateIn(lnk, ALIAS_TCP_STATE_DISCONNECTED);
a9643ea8Slogwang		break;
a9643ea8Slogwang	}
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic void
a9643ea8SlogwangTcpMonitorOut(u_char th_flags, struct alias_link *lnk)
a9643ea8Slogwang{
a9643ea8Slogwang
a9643ea8Slogwang	switch (GetStateOut(lnk)) {
a9643ea8Slogwang	case ALIAS_TCP_STATE_NOT_CONNECTED:
a9643ea8Slogwang		if (th_flags & TH_RST)
a9643ea8Slogwang			SetStateOut(lnk, ALIAS_TCP_STATE_DISCONNECTED);
a9643ea8Slogwang		else if (th_flags & TH_SYN)
a9643ea8Slogwang			SetStateOut(lnk, ALIAS_TCP_STATE_CONNECTED);
a9643ea8Slogwang		break;
a9643ea8Slogwang	case ALIAS_TCP_STATE_CONNECTED:
a9643ea8Slogwang		if (th_flags & (TH_FIN | TH_RST))
a9643ea8Slogwang			SetStateOut(lnk, ALIAS_TCP_STATE_DISCONNECTED);
a9643ea8Slogwang		break;
a9643ea8Slogwang	}
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwang/* Protocol Specific Packet Aliasing Routines
a9643ea8Slogwang
a9643ea8Slogwang    IcmpAliasIn(), IcmpAliasIn1(), IcmpAliasIn2()
a9643ea8Slogwang    IcmpAliasOut(), IcmpAliasOut1(), IcmpAliasOut2()
a9643ea8Slogwang    ProtoAliasIn(), ProtoAliasOut()
a9643ea8Slogwang    UdpAliasIn(), UdpAliasOut()
a9643ea8Slogwang    TcpAliasIn(), TcpAliasOut()
a9643ea8Slogwang
a9643ea8SlogwangThese routines handle protocol specific details of packet aliasing.
a9643ea8SlogwangOne may observe a certain amount of repetitive arithmetic in these
a9643ea8Slogwangfunctions, the purpose of which is to compute a revised checksum
a9643ea8Slogwangwithout actually summing over the entire data packet, which could be
a9643ea8Slogwangunnecessarily time consuming.
a9643ea8Slogwang
a9643ea8SlogwangThe purpose of the packet aliasing routines is to replace the source
a9643ea8Slogwangaddress of the outgoing packet and then correctly put it back for
a9643ea8Slogwangany incoming packets.  For TCP and UDP, ports are also re-mapped.
a9643ea8Slogwang
a9643ea8SlogwangFor ICMP echo/timestamp requests and replies, the following scheme
a9643ea8Slogwangis used: the ID number is replaced by an alias for the outgoing
a9643ea8Slogwangpacket.
a9643ea8Slogwang
a9643ea8SlogwangICMP error messages are handled by looking at the IP fragment
a9643ea8Slogwangin the data section of the message.
a9643ea8Slogwang
a9643ea8SlogwangFor TCP and UDP protocols, a port number is chosen for an outgoing
a9643ea8Slogwangpacket, and then incoming packets are identified by IP address and
a9643ea8Slogwangport numbers.  For TCP packets, there is additional logic in the event
a9643ea8Slogwangthat sequence and ACK numbers have been altered (as in the case for
a9643ea8SlogwangFTP data port commands).
a9643ea8Slogwang
a9643ea8SlogwangThe port numbers used by the packet aliasing module are not true
a9643ea8Slogwangports in the Unix sense.  No sockets are actually bound to ports.
a9643ea8SlogwangThey are more correctly thought of as placeholders.
a9643ea8Slogwang
a9643ea8SlogwangAll packets go through the aliasing mechanism, whether they come from
a9643ea8Slogwangthe gateway machine or other machines on a local area network.
a9643ea8Slogwang*/
a9643ea8Slogwang
a9643ea8Slogwang/* Local prototypes */
a9643ea8Slogwangstatic int	IcmpAliasIn1(struct libalias *, struct ip *);
a9643ea8Slogwangstatic int	IcmpAliasIn2(struct libalias *, struct ip *);
a9643ea8Slogwangstatic int	IcmpAliasIn(struct libalias *, struct ip *);
a9643ea8Slogwang
a9643ea8Slogwangstatic int	IcmpAliasOut1(struct libalias *, struct ip *, int create);
a9643ea8Slogwangstatic int	IcmpAliasOut2(struct libalias *, struct ip *);
a9643ea8Slogwangstatic int	IcmpAliasOut(struct libalias *, struct ip *, int create);
a9643ea8Slogwang
a9643ea8Slogwangstatic int	ProtoAliasIn(struct libalias *la, struct in_addr ip_src,
*22ce4affSfengbojiang		    struct ip *pip, u_char ip_p, u_short *ip_sum);
*22ce4affSfengbojiangstatic int	ProtoAliasOut(struct libalias *la, struct ip *pip,
a9643ea8Slogwang		    struct in_addr ip_dst, u_char ip_p, u_short *ip_sum,
a9643ea8Slogwang		    int create);
a9643ea8Slogwang
a9643ea8Slogwangstatic int	UdpAliasIn(struct libalias *, struct ip *);
a9643ea8Slogwangstatic int	UdpAliasOut(struct libalias *, struct ip *, int, int create);
a9643ea8Slogwang
a9643ea8Slogwangstatic int	TcpAliasIn(struct libalias *, struct ip *);
a9643ea8Slogwangstatic int	TcpAliasOut(struct libalias *, struct ip *, int, int create);
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangIcmpAliasIn1(struct libalias *la, struct ip *pip)
a9643ea8Slogwang{
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
a9643ea8Slogwang/*
a9643ea8Slogwang    De-alias incoming echo and timestamp replies.
a9643ea8Slogwang    Alias incoming echo and timestamp requests.
a9643ea8Slogwang*/
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang	struct icmp *ic;
a9643ea8Slogwang
a9643ea8Slogwang	ic = (struct icmp *)ip_next(pip);
a9643ea8Slogwang
a9643ea8Slogwang/* Get source address from ICMP data field and restore original data */
a9643ea8Slogwang	lnk = FindIcmpIn(la, pip->ip_src, pip->ip_dst, ic->icmp_id, 1);
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		u_short original_id;
a9643ea8Slogwang		int accumulate;
a9643ea8Slogwang
a9643ea8Slogwang		original_id = GetOriginalPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang/* Adjust ICMP checksum */
a9643ea8Slogwang		accumulate = ic->icmp_id;
a9643ea8Slogwang		accumulate -= original_id;
a9643ea8Slogwang		ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
a9643ea8Slogwang
a9643ea8Slogwang/* Put original sequence number back in */
a9643ea8Slogwang		ic->icmp_id = original_id;
a9643ea8Slogwang
a9643ea8Slogwang/* Put original address back into IP header */
a9643ea8Slogwang		{
a9643ea8Slogwang			struct in_addr original_address;
a9643ea8Slogwang
a9643ea8Slogwang			original_address = GetOriginalAddress(lnk);
a9643ea8Slogwang			DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang			    &original_address, &pip->ip_dst, 2);
a9643ea8Slogwang			pip->ip_dst = original_address;
a9643ea8Slogwang		}
a9643ea8Slogwang
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangIcmpAliasIn2(struct libalias *la, struct ip *pip)
a9643ea8Slogwang{
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
a9643ea8Slogwang/*
a9643ea8Slogwang    Alias incoming ICMP error messages containing
a9643ea8Slogwang    IP header and first 64 bits of datagram.
a9643ea8Slogwang*/
a9643ea8Slogwang	struct ip *ip;
a9643ea8Slogwang	struct icmp *ic, *ic2;
a9643ea8Slogwang	struct udphdr *ud;
a9643ea8Slogwang	struct tcphdr *tc;
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang
a9643ea8Slogwang	ic = (struct icmp *)ip_next(pip);
a9643ea8Slogwang	ip = &ic->icmp_ip;
a9643ea8Slogwang
a9643ea8Slogwang	ud = (struct udphdr *)ip_next(ip);
a9643ea8Slogwang	tc = (struct tcphdr *)ip_next(ip);
a9643ea8Slogwang	ic2 = (struct icmp *)ip_next(ip);
a9643ea8Slogwang
a9643ea8Slogwang	if (ip->ip_p == IPPROTO_UDP)
a9643ea8Slogwang		lnk = FindUdpTcpIn(la, ip->ip_dst, ip->ip_src,
a9643ea8Slogwang		    ud->uh_dport, ud->uh_sport,
a9643ea8Slogwang		    IPPROTO_UDP, 0);
a9643ea8Slogwang	else if (ip->ip_p == IPPROTO_TCP)
a9643ea8Slogwang		lnk = FindUdpTcpIn(la, ip->ip_dst, ip->ip_src,
a9643ea8Slogwang		    tc->th_dport, tc->th_sport,
a9643ea8Slogwang		    IPPROTO_TCP, 0);
a9643ea8Slogwang	else if (ip->ip_p == IPPROTO_ICMP) {
a9643ea8Slogwang		if (ic2->icmp_type == ICMP_ECHO || ic2->icmp_type == ICMP_TSTAMP)
a9643ea8Slogwang			lnk = FindIcmpIn(la, ip->ip_dst, ip->ip_src, ic2->icmp_id, 0);
a9643ea8Slogwang		else
a9643ea8Slogwang			lnk = NULL;
a9643ea8Slogwang	} else
a9643ea8Slogwang		lnk = NULL;
a9643ea8Slogwang
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		if (ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_TCP) {
a9643ea8Slogwang			int accumulate, accumulate2;
a9643ea8Slogwang			struct in_addr original_address;
a9643ea8Slogwang			u_short original_port;
a9643ea8Slogwang
a9643ea8Slogwang			original_address = GetOriginalAddress(lnk);
a9643ea8Slogwang			original_port = GetOriginalPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang/* Adjust ICMP checksum */
a9643ea8Slogwang			accumulate = twowords(&ip->ip_src);
a9643ea8Slogwang			accumulate -= twowords(&original_address);
a9643ea8Slogwang			accumulate += ud->uh_sport;
a9643ea8Slogwang			accumulate -= original_port;
a9643ea8Slogwang			accumulate2 = accumulate;
a9643ea8Slogwang			accumulate2 += ip->ip_sum;
a9643ea8Slogwang			ADJUST_CHECKSUM(accumulate, ip->ip_sum);
a9643ea8Slogwang			accumulate2 -= ip->ip_sum;
a9643ea8Slogwang			ADJUST_CHECKSUM(accumulate2, ic->icmp_cksum);
a9643ea8Slogwang
a9643ea8Slogwang/* Un-alias address in IP header */
a9643ea8Slogwang			DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang			    &original_address, &pip->ip_dst, 2);
a9643ea8Slogwang			pip->ip_dst = original_address;
a9643ea8Slogwang
a9643ea8Slogwang/* Un-alias address and port number of original IP packet
a9643ea8Slogwangfragment contained in ICMP data section */
a9643ea8Slogwang			ip->ip_src = original_address;
a9643ea8Slogwang			ud->uh_sport = original_port;
a9643ea8Slogwang		} else if (ip->ip_p == IPPROTO_ICMP) {
a9643ea8Slogwang			int accumulate, accumulate2;
a9643ea8Slogwang			struct in_addr original_address;
a9643ea8Slogwang			u_short original_id;
a9643ea8Slogwang
a9643ea8Slogwang			original_address = GetOriginalAddress(lnk);
a9643ea8Slogwang			original_id = GetOriginalPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang/* Adjust ICMP checksum */
a9643ea8Slogwang			accumulate = twowords(&ip->ip_src);
a9643ea8Slogwang			accumulate -= twowords(&original_address);
a9643ea8Slogwang			accumulate += ic2->icmp_id;
a9643ea8Slogwang			accumulate -= original_id;
a9643ea8Slogwang			accumulate2 = accumulate;
a9643ea8Slogwang			accumulate2 += ip->ip_sum;
a9643ea8Slogwang			ADJUST_CHECKSUM(accumulate, ip->ip_sum);
a9643ea8Slogwang			accumulate2 -= ip->ip_sum;
a9643ea8Slogwang			ADJUST_CHECKSUM(accumulate2, ic->icmp_cksum);
a9643ea8Slogwang
a9643ea8Slogwang/* Un-alias address in IP header */
a9643ea8Slogwang			DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang			    &original_address, &pip->ip_dst, 2);
a9643ea8Slogwang			pip->ip_dst = original_address;
a9643ea8Slogwang
a9643ea8Slogwang/* Un-alias address of original IP packet and sequence number of
a9643ea8Slogwang   embedded ICMP datagram */
a9643ea8Slogwang			ip->ip_src = original_address;
a9643ea8Slogwang			ic2->icmp_id = original_id;
a9643ea8Slogwang		}
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangIcmpAliasIn(struct libalias *la, struct ip *pip)
a9643ea8Slogwang{
a9643ea8Slogwang	struct icmp *ic;
*22ce4affSfengbojiang	int iresult;
*22ce4affSfengbojiang	size_t dlen;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
*22ce4affSfengbojiang
*22ce4affSfengbojiang	dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
*22ce4affSfengbojiang	if (dlen < ICMP_MINLEN)
*22ce4affSfengbojiang		return (PKT_ALIAS_IGNORED);
*22ce4affSfengbojiang
a9643ea8Slogwang/* Return if proxy-only mode is enabled */
a9643ea8Slogwang	if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang
a9643ea8Slogwang	ic = (struct icmp *)ip_next(pip);
a9643ea8Slogwang
a9643ea8Slogwang	iresult = PKT_ALIAS_IGNORED;
a9643ea8Slogwang	switch (ic->icmp_type) {
a9643ea8Slogwang	case ICMP_ECHOREPLY:
a9643ea8Slogwang	case ICMP_TSTAMPREPLY:
a9643ea8Slogwang		if (ic->icmp_code == 0) {
a9643ea8Slogwang			iresult = IcmpAliasIn1(la, pip);
a9643ea8Slogwang		}
a9643ea8Slogwang		break;
a9643ea8Slogwang	case ICMP_UNREACH:
a9643ea8Slogwang	case ICMP_SOURCEQUENCH:
a9643ea8Slogwang	case ICMP_TIMXCEED:
a9643ea8Slogwang	case ICMP_PARAMPROB:
*22ce4affSfengbojiang		if (dlen < ICMP_ADVLENMIN ||
*22ce4affSfengbojiang		    dlen < (size_t)ICMP_ADVLEN(ic))
*22ce4affSfengbojiang			return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang		iresult = IcmpAliasIn2(la, pip);
a9643ea8Slogwang		break;
a9643ea8Slogwang	case ICMP_ECHO:
a9643ea8Slogwang	case ICMP_TSTAMP:
a9643ea8Slogwang		iresult = IcmpAliasIn1(la, pip);
a9643ea8Slogwang		break;
a9643ea8Slogwang	}
a9643ea8Slogwang	return (iresult);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangIcmpAliasOut1(struct libalias *la, struct ip *pip, int create)
a9643ea8Slogwang{
a9643ea8Slogwang/*
a9643ea8Slogwang    Alias outgoing echo and timestamp requests.
a9643ea8Slogwang    De-alias outgoing echo and timestamp replies.
a9643ea8Slogwang*/
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang	struct icmp *ic;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
a9643ea8Slogwang	ic = (struct icmp *)ip_next(pip);
a9643ea8Slogwang
a9643ea8Slogwang/* Save overwritten data for when echo packet returns */
a9643ea8Slogwang	lnk = FindIcmpOut(la, pip->ip_src, pip->ip_dst, ic->icmp_id, create);
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		u_short alias_id;
a9643ea8Slogwang		int accumulate;
a9643ea8Slogwang
a9643ea8Slogwang		alias_id = GetAliasPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang/* Since data field is being modified, adjust ICMP checksum */
a9643ea8Slogwang		accumulate = ic->icmp_id;
a9643ea8Slogwang		accumulate -= alias_id;
a9643ea8Slogwang		ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
a9643ea8Slogwang
a9643ea8Slogwang/* Alias sequence number */
a9643ea8Slogwang		ic->icmp_id = alias_id;
a9643ea8Slogwang
a9643ea8Slogwang/* Change source address */
a9643ea8Slogwang		{
a9643ea8Slogwang			struct in_addr alias_address;
a9643ea8Slogwang
a9643ea8Slogwang			alias_address = GetAliasAddress(lnk);
a9643ea8Slogwang			DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang			    &alias_address, &pip->ip_src, 2);
a9643ea8Slogwang			pip->ip_src = alias_address;
a9643ea8Slogwang		}
a9643ea8Slogwang
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangIcmpAliasOut2(struct libalias *la, struct ip *pip)
a9643ea8Slogwang{
a9643ea8Slogwang/*
a9643ea8Slogwang    Alias outgoing ICMP error messages containing
a9643ea8Slogwang    IP header and first 64 bits of datagram.
a9643ea8Slogwang*/
a9643ea8Slogwang	struct ip *ip;
a9643ea8Slogwang	struct icmp *ic, *ic2;
a9643ea8Slogwang	struct udphdr *ud;
a9643ea8Slogwang	struct tcphdr *tc;
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
a9643ea8Slogwang	ic = (struct icmp *)ip_next(pip);
a9643ea8Slogwang	ip = &ic->icmp_ip;
a9643ea8Slogwang
a9643ea8Slogwang	ud = (struct udphdr *)ip_next(ip);
a9643ea8Slogwang	tc = (struct tcphdr *)ip_next(ip);
a9643ea8Slogwang	ic2 = (struct icmp *)ip_next(ip);
a9643ea8Slogwang
a9643ea8Slogwang	if (ip->ip_p == IPPROTO_UDP)
a9643ea8Slogwang		lnk = FindUdpTcpOut(la, ip->ip_dst, ip->ip_src,
a9643ea8Slogwang		    ud->uh_dport, ud->uh_sport,
a9643ea8Slogwang		    IPPROTO_UDP, 0);
a9643ea8Slogwang	else if (ip->ip_p == IPPROTO_TCP)
a9643ea8Slogwang		lnk = FindUdpTcpOut(la, ip->ip_dst, ip->ip_src,
a9643ea8Slogwang		    tc->th_dport, tc->th_sport,
a9643ea8Slogwang		    IPPROTO_TCP, 0);
a9643ea8Slogwang	else if (ip->ip_p == IPPROTO_ICMP) {
a9643ea8Slogwang		if (ic2->icmp_type == ICMP_ECHO || ic2->icmp_type == ICMP_TSTAMP)
a9643ea8Slogwang			lnk = FindIcmpOut(la, ip->ip_dst, ip->ip_src, ic2->icmp_id, 0);
a9643ea8Slogwang		else
a9643ea8Slogwang			lnk = NULL;
a9643ea8Slogwang	} else
a9643ea8Slogwang		lnk = NULL;
a9643ea8Slogwang
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		if (ip->ip_p == IPPROTO_UDP || ip->ip_p == IPPROTO_TCP) {
a9643ea8Slogwang			int accumulate;
a9643ea8Slogwang			struct in_addr alias_address;
a9643ea8Slogwang			u_short alias_port;
a9643ea8Slogwang
a9643ea8Slogwang			alias_address = GetAliasAddress(lnk);
a9643ea8Slogwang			alias_port = GetAliasPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang/* Adjust ICMP checksum */
a9643ea8Slogwang			accumulate = twowords(&ip->ip_dst);
a9643ea8Slogwang			accumulate -= twowords(&alias_address);
a9643ea8Slogwang			accumulate += ud->uh_dport;
a9643ea8Slogwang			accumulate -= alias_port;
a9643ea8Slogwang			ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
a9643ea8Slogwang
a9643ea8Slogwang/*
a9643ea8Slogwang * Alias address in IP header if it comes from the host
a9643ea8Slogwang * the original TCP/UDP packet was destined for.
a9643ea8Slogwang */
a9643ea8Slogwang			if (pip->ip_src.s_addr == ip->ip_dst.s_addr) {
a9643ea8Slogwang				DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang				    &alias_address, &pip->ip_src, 2);
a9643ea8Slogwang				pip->ip_src = alias_address;
a9643ea8Slogwang			}
a9643ea8Slogwang/* Alias address and port number of original IP packet
a9643ea8Slogwangfragment contained in ICMP data section */
a9643ea8Slogwang			ip->ip_dst = alias_address;
a9643ea8Slogwang			ud->uh_dport = alias_port;
a9643ea8Slogwang		} else if (ip->ip_p == IPPROTO_ICMP) {
a9643ea8Slogwang			int accumulate;
a9643ea8Slogwang			struct in_addr alias_address;
a9643ea8Slogwang			u_short alias_id;
a9643ea8Slogwang
a9643ea8Slogwang			alias_address = GetAliasAddress(lnk);
a9643ea8Slogwang			alias_id = GetAliasPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang/* Adjust ICMP checksum */
a9643ea8Slogwang			accumulate = twowords(&ip->ip_dst);
a9643ea8Slogwang			accumulate -= twowords(&alias_address);
a9643ea8Slogwang			accumulate += ic2->icmp_id;
a9643ea8Slogwang			accumulate -= alias_id;
a9643ea8Slogwang			ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
a9643ea8Slogwang
a9643ea8Slogwang/*
a9643ea8Slogwang * Alias address in IP header if it comes from the host
a9643ea8Slogwang * the original ICMP message was destined for.
a9643ea8Slogwang */
a9643ea8Slogwang			if (pip->ip_src.s_addr == ip->ip_dst.s_addr) {
a9643ea8Slogwang				DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang				    &alias_address, &pip->ip_src, 2);
a9643ea8Slogwang				pip->ip_src = alias_address;
a9643ea8Slogwang			}
a9643ea8Slogwang/* Alias address of original IP packet and sequence number of
a9643ea8Slogwang   embedded ICMP datagram */
a9643ea8Slogwang			ip->ip_dst = alias_address;
a9643ea8Slogwang			ic2->icmp_id = alias_id;
a9643ea8Slogwang		}
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangIcmpAliasOut(struct libalias *la, struct ip *pip, int create)
a9643ea8Slogwang{
a9643ea8Slogwang	int iresult;
a9643ea8Slogwang	struct icmp *ic;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
a9643ea8Slogwang	(void)create;
a9643ea8Slogwang
a9643ea8Slogwang/* Return if proxy-only mode is enabled */
a9643ea8Slogwang	if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang
a9643ea8Slogwang	ic = (struct icmp *)ip_next(pip);
a9643ea8Slogwang
a9643ea8Slogwang	iresult = PKT_ALIAS_IGNORED;
a9643ea8Slogwang	switch (ic->icmp_type) {
a9643ea8Slogwang	case ICMP_ECHO:
a9643ea8Slogwang	case ICMP_TSTAMP:
a9643ea8Slogwang		if (ic->icmp_code == 0) {
a9643ea8Slogwang			iresult = IcmpAliasOut1(la, pip, create);
a9643ea8Slogwang		}
a9643ea8Slogwang		break;
a9643ea8Slogwang	case ICMP_UNREACH:
a9643ea8Slogwang	case ICMP_SOURCEQUENCH:
a9643ea8Slogwang	case ICMP_TIMXCEED:
a9643ea8Slogwang	case ICMP_PARAMPROB:
a9643ea8Slogwang		iresult = IcmpAliasOut2(la, pip);
a9643ea8Slogwang		break;
a9643ea8Slogwang	case ICMP_ECHOREPLY:
a9643ea8Slogwang	case ICMP_TSTAMPREPLY:
a9643ea8Slogwang		iresult = IcmpAliasOut1(la, pip, create);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (iresult);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangProtoAliasIn(struct libalias *la, struct in_addr ip_src,
*22ce4affSfengbojiang    struct ip *pip, u_char ip_p, u_short *ip_sum)
a9643ea8Slogwang{
a9643ea8Slogwang/*
a9643ea8Slogwang  Handle incoming IP packets. The
a9643ea8Slogwang  only thing which is done in this case is to alias
a9643ea8Slogwang  the dest IP address of the packet to our inside
a9643ea8Slogwang  machine.
a9643ea8Slogwang*/
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
a9643ea8Slogwang/* Return if proxy-only mode is enabled */
a9643ea8Slogwang	if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang
*22ce4affSfengbojiang	lnk = FindProtoIn(la, ip_src, pip->ip_dst, ip_p);
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		struct in_addr original_address;
a9643ea8Slogwang
a9643ea8Slogwang		original_address = GetOriginalAddress(lnk);
a9643ea8Slogwang
a9643ea8Slogwang/* Restore original IP address */
a9643ea8Slogwang		DifferentialChecksum(ip_sum,
*22ce4affSfengbojiang		    &original_address, &pip->ip_dst, 2);
*22ce4affSfengbojiang		pip->ip_dst = original_address;
a9643ea8Slogwang
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
*22ce4affSfengbojiangProtoAliasOut(struct libalias *la, struct ip *pip,
a9643ea8Slogwang    struct in_addr ip_dst, u_char ip_p, u_short *ip_sum, int create)
a9643ea8Slogwang{
a9643ea8Slogwang/*
a9643ea8Slogwang  Handle outgoing IP packets. The
a9643ea8Slogwang  only thing which is done in this case is to alias
a9643ea8Slogwang  the source IP address of the packet.
a9643ea8Slogwang*/
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
a9643ea8Slogwang
a9643ea8Slogwang/* Return if proxy-only mode is enabled */
a9643ea8Slogwang	if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY)
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang
*22ce4affSfengbojiang	if (!create)
*22ce4affSfengbojiang		return (PKT_ALIAS_IGNORED);
*22ce4affSfengbojiang
*22ce4affSfengbojiang	lnk = FindProtoOut(la, pip->ip_src, ip_dst, ip_p);
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		struct in_addr alias_address;
a9643ea8Slogwang
a9643ea8Slogwang		alias_address = GetAliasAddress(lnk);
a9643ea8Slogwang
a9643ea8Slogwang/* Change source address */
a9643ea8Slogwang		DifferentialChecksum(ip_sum,
*22ce4affSfengbojiang		    &alias_address, &pip->ip_src, 2);
*22ce4affSfengbojiang		pip->ip_src = alias_address;
a9643ea8Slogwang
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangUdpAliasIn(struct libalias *la, struct ip *pip)
a9643ea8Slogwang{
a9643ea8Slogwang	struct udphdr *ud;
a9643ea8Slogwang	struct alias_link *lnk;
*22ce4affSfengbojiang	size_t dlen;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
a9643ea8Slogwang
*22ce4affSfengbojiang	dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
*22ce4affSfengbojiang	if (dlen < sizeof(struct udphdr))
*22ce4affSfengbojiang		return (PKT_ALIAS_IGNORED);
*22ce4affSfengbojiang
a9643ea8Slogwang	ud = (struct udphdr *)ip_next(pip);
*22ce4affSfengbojiang	if (dlen < ntohs(ud->uh_ulen))
*22ce4affSfengbojiang		return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang
a9643ea8Slogwang	lnk = FindUdpTcpIn(la, pip->ip_src, pip->ip_dst,
a9643ea8Slogwang	    ud->uh_sport, ud->uh_dport,
a9643ea8Slogwang	    IPPROTO_UDP, !(la->packetAliasMode & PKT_ALIAS_PROXY_ONLY));
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		struct in_addr alias_address;
a9643ea8Slogwang		struct in_addr original_address;
a9643ea8Slogwang		struct in_addr proxy_address;
a9643ea8Slogwang		u_short alias_port;
a9643ea8Slogwang		u_short proxy_port;
a9643ea8Slogwang		int accumulate;
a9643ea8Slogwang		int error;
a9643ea8Slogwang		struct alias_data ad = {
a9643ea8Slogwang			.lnk = lnk,
a9643ea8Slogwang			.oaddr = &original_address,
a9643ea8Slogwang			.aaddr = &alias_address,
a9643ea8Slogwang			.aport = &alias_port,
a9643ea8Slogwang			.sport = &ud->uh_sport,
a9643ea8Slogwang			.dport = &ud->uh_dport,
a9643ea8Slogwang			.maxpktsize = 0
a9643ea8Slogwang		};
a9643ea8Slogwang
a9643ea8Slogwang		alias_address = GetAliasAddress(lnk);
a9643ea8Slogwang		original_address = GetOriginalAddress(lnk);
a9643ea8Slogwang		proxy_address = GetProxyAddress(lnk);
a9643ea8Slogwang		alias_port = ud->uh_dport;
a9643ea8Slogwang		ud->uh_dport = GetOriginalPort(lnk);
a9643ea8Slogwang		proxy_port = GetProxyPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang		/* Walk out chain. */
a9643ea8Slogwang		error = find_handler(IN, UDP, la, pip, &ad);
a9643ea8Slogwang		/* If we cannot figure out the packet, ignore it. */
a9643ea8Slogwang		if (error < 0)
a9643ea8Slogwang			return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang
a9643ea8Slogwang/* If UDP checksum is not zero, then adjust since destination port */
a9643ea8Slogwang/* is being unaliased and destination address is being altered.    */
a9643ea8Slogwang		if (ud->uh_sum != 0) {
a9643ea8Slogwang			accumulate = alias_port;
a9643ea8Slogwang			accumulate -= ud->uh_dport;
a9643ea8Slogwang			accumulate += twowords(&alias_address);
a9643ea8Slogwang			accumulate -= twowords(&original_address);
a9643ea8Slogwang
a9643ea8Slogwang/* If this is a proxy packet, modify checksum because of source change.*/
a9643ea8Slogwang        		if (proxy_port != 0) {
a9643ea8Slogwang		                accumulate += ud->uh_sport;
a9643ea8Slogwang		                accumulate -= proxy_port;
a9643ea8Slogwang	                }
a9643ea8Slogwang
a9643ea8Slogwang	                if (proxy_address.s_addr != 0) {
a9643ea8Slogwang				accumulate += twowords(&pip->ip_src);
a9643ea8Slogwang				accumulate -= twowords(&proxy_address);
a9643ea8Slogwang	                }
a9643ea8Slogwang
a9643ea8Slogwang			ADJUST_CHECKSUM(accumulate, ud->uh_sum);
a9643ea8Slogwang		}
a9643ea8Slogwang/* XXX: Could the two if's below be concatenated to one ? */
a9643ea8Slogwang/* Restore source port and/or address in case of proxying*/
a9643ea8Slogwang
a9643ea8Slogwang    		if (proxy_port != 0)
a9643ea8Slogwang        		ud->uh_sport = proxy_port;
a9643ea8Slogwang
a9643ea8Slogwang    		if (proxy_address.s_addr != 0) {
a9643ea8Slogwang        		DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang                	    &proxy_address, &pip->ip_src, 2);
a9643ea8Slogwang	        	pip->ip_src = proxy_address;
a9643ea8Slogwang    		}
a9643ea8Slogwang
a9643ea8Slogwang/* Restore original IP address */
a9643ea8Slogwang		DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang		    &original_address, &pip->ip_dst, 2);
a9643ea8Slogwang		pip->ip_dst = original_address;
a9643ea8Slogwang
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangUdpAliasOut(struct libalias *la, struct ip *pip, int maxpacketsize, int create)
a9643ea8Slogwang{
a9643ea8Slogwang	struct udphdr *ud;
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang	struct in_addr dest_address;
a9643ea8Slogwang	struct in_addr proxy_server_address;
a9643ea8Slogwang	u_short dest_port;
a9643ea8Slogwang	u_short proxy_server_port;
a9643ea8Slogwang	int proxy_type;
a9643ea8Slogwang	int error;
*22ce4affSfengbojiang	size_t dlen;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
a9643ea8Slogwang
a9643ea8Slogwang/* Return if proxy-only mode is enabled and not proxyrule found.*/
*22ce4affSfengbojiang	dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
*22ce4affSfengbojiang	if (dlen < sizeof(struct udphdr))
*22ce4affSfengbojiang		return (PKT_ALIAS_IGNORED);
*22ce4affSfengbojiang
a9643ea8Slogwang	ud = (struct udphdr *)ip_next(pip);
*22ce4affSfengbojiang	if (dlen < ntohs(ud->uh_ulen))
*22ce4affSfengbojiang		return (PKT_ALIAS_IGNORED);
*22ce4affSfengbojiang
a9643ea8Slogwang	proxy_type = ProxyCheck(la, &proxy_server_address,
a9643ea8Slogwang		&proxy_server_port, pip->ip_src, pip->ip_dst,
a9643ea8Slogwang		ud->uh_dport, pip->ip_p);
a9643ea8Slogwang	if (proxy_type == 0 && (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY))
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang
a9643ea8Slogwang/* If this is a transparent proxy, save original destination,
a9643ea8Slogwang * then alter the destination and adjust checksums */
a9643ea8Slogwang	dest_port = ud->uh_dport;
a9643ea8Slogwang	dest_address = pip->ip_dst;
a9643ea8Slogwang
a9643ea8Slogwang	if (proxy_type != 0) {
a9643ea8Slogwang	        int accumulate;
a9643ea8Slogwang
a9643ea8Slogwang		accumulate = twowords(&pip->ip_dst);
a9643ea8Slogwang		accumulate -= twowords(&proxy_server_address);
a9643ea8Slogwang
a9643ea8Slogwang	        ADJUST_CHECKSUM(accumulate, pip->ip_sum);
a9643ea8Slogwang
a9643ea8Slogwang		if (ud->uh_sum != 0) {
a9643ea8Slogwang			accumulate = twowords(&pip->ip_dst);
a9643ea8Slogwang			accumulate -= twowords(&proxy_server_address);
a9643ea8Slogwang    			accumulate += ud->uh_dport;
a9643ea8Slogwang	        	accumulate -= proxy_server_port;
a9643ea8Slogwang	    		ADJUST_CHECKSUM(accumulate, ud->uh_sum);
a9643ea8Slogwang		}
a9643ea8Slogwang	        pip->ip_dst = proxy_server_address;
a9643ea8Slogwang	        ud->uh_dport = proxy_server_port;
a9643ea8Slogwang	}
a9643ea8Slogwang	lnk = FindUdpTcpOut(la, pip->ip_src, pip->ip_dst,
a9643ea8Slogwang	    ud->uh_sport, ud->uh_dport,
a9643ea8Slogwang	    IPPROTO_UDP, create);
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		u_short alias_port;
a9643ea8Slogwang		struct in_addr alias_address;
a9643ea8Slogwang		struct alias_data ad = {
a9643ea8Slogwang			.lnk = lnk,
a9643ea8Slogwang			.oaddr = NULL,
a9643ea8Slogwang			.aaddr = &alias_address,
a9643ea8Slogwang			.aport = &alias_port,
a9643ea8Slogwang			.sport = &ud->uh_sport,
a9643ea8Slogwang			.dport = &ud->uh_dport,
a9643ea8Slogwang			.maxpktsize = 0
a9643ea8Slogwang		};
a9643ea8Slogwang
a9643ea8Slogwang/* Save original destination address, if this is a proxy packet.
a9643ea8Slogwang * Also modify packet to include destination encoding.  This may
a9643ea8Slogwang * change the size of IP header. */
a9643ea8Slogwang		if (proxy_type != 0) {
a9643ea8Slogwang	                SetProxyPort(lnk, dest_port);
a9643ea8Slogwang	                SetProxyAddress(lnk, dest_address);
a9643ea8Slogwang	                ProxyModify(la, lnk, pip, maxpacketsize, proxy_type);
a9643ea8Slogwang	                ud = (struct udphdr *)ip_next(pip);
a9643ea8Slogwang	        }
a9643ea8Slogwang
a9643ea8Slogwang		alias_address = GetAliasAddress(lnk);
a9643ea8Slogwang		alias_port = GetAliasPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang		/* Walk out chain. */
a9643ea8Slogwang		error = find_handler(OUT, UDP, la, pip, &ad);
a9643ea8Slogwang
a9643ea8Slogwang/* If UDP checksum is not zero, adjust since source port is */
a9643ea8Slogwang/* being aliased and source address is being altered        */
a9643ea8Slogwang		if (ud->uh_sum != 0) {
a9643ea8Slogwang			int accumulate;
a9643ea8Slogwang
a9643ea8Slogwang			accumulate = ud->uh_sport;
a9643ea8Slogwang			accumulate -= alias_port;
a9643ea8Slogwang			accumulate += twowords(&pip->ip_src);
a9643ea8Slogwang			accumulate -= twowords(&alias_address);
a9643ea8Slogwang			ADJUST_CHECKSUM(accumulate, ud->uh_sum);
a9643ea8Slogwang		}
a9643ea8Slogwang/* Put alias port in UDP header */
a9643ea8Slogwang		ud->uh_sport = alias_port;
a9643ea8Slogwang
a9643ea8Slogwang/* Change source address */
a9643ea8Slogwang		DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang		    &alias_address, &pip->ip_src, 2);
a9643ea8Slogwang		pip->ip_src = alias_address;
a9643ea8Slogwang
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangTcpAliasIn(struct libalias *la, struct ip *pip)
a9643ea8Slogwang{
a9643ea8Slogwang	struct tcphdr *tc;
a9643ea8Slogwang	struct alias_link *lnk;
*22ce4affSfengbojiang	size_t dlen;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
*22ce4affSfengbojiang
*22ce4affSfengbojiang	dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
*22ce4affSfengbojiang	if (dlen < sizeof(struct tcphdr))
*22ce4affSfengbojiang		return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang	tc = (struct tcphdr *)ip_next(pip);
a9643ea8Slogwang
a9643ea8Slogwang	lnk = FindUdpTcpIn(la, pip->ip_src, pip->ip_dst,
a9643ea8Slogwang	    tc->th_sport, tc->th_dport,
a9643ea8Slogwang	    IPPROTO_TCP,
a9643ea8Slogwang	    !(la->packetAliasMode & PKT_ALIAS_PROXY_ONLY));
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		struct in_addr alias_address;
a9643ea8Slogwang		struct in_addr original_address;
a9643ea8Slogwang		struct in_addr proxy_address;
a9643ea8Slogwang		u_short alias_port;
a9643ea8Slogwang		u_short proxy_port;
a9643ea8Slogwang		int accumulate, error;
a9643ea8Slogwang
a9643ea8Slogwang		/*
a9643ea8Slogwang		 * The init of MANY vars is a bit below, but aliashandlepptpin
a9643ea8Slogwang		 * seems to need the destination port that came within the
a9643ea8Slogwang		 * packet and not the original one looks below [*].
a9643ea8Slogwang		 */
a9643ea8Slogwang
a9643ea8Slogwang		struct alias_data ad = {
a9643ea8Slogwang			.lnk = lnk,
a9643ea8Slogwang			.oaddr = NULL,
a9643ea8Slogwang			.aaddr = NULL,
a9643ea8Slogwang			.aport = NULL,
a9643ea8Slogwang			.sport = &tc->th_sport,
a9643ea8Slogwang			.dport = &tc->th_dport,
a9643ea8Slogwang			.maxpktsize = 0
a9643ea8Slogwang		};
a9643ea8Slogwang
a9643ea8Slogwang		/* Walk out chain. */
a9643ea8Slogwang		error = find_handler(IN, TCP, la, pip, &ad);
a9643ea8Slogwang
a9643ea8Slogwang		alias_address = GetAliasAddress(lnk);
a9643ea8Slogwang		original_address = GetOriginalAddress(lnk);
a9643ea8Slogwang		proxy_address = GetProxyAddress(lnk);
a9643ea8Slogwang		alias_port = tc->th_dport;
a9643ea8Slogwang		tc->th_dport = GetOriginalPort(lnk);
a9643ea8Slogwang		proxy_port = GetProxyPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang		/*
a9643ea8Slogwang		 * Look above, if anyone is going to add find_handler AFTER
a9643ea8Slogwang		 * this aliashandlepptpin/point, please redo alias_data too.
a9643ea8Slogwang		 * Uncommenting the piece here below should be enough.
a9643ea8Slogwang		 */
a9643ea8Slogwang#if 0
a9643ea8Slogwang				 struct alias_data ad = {
a9643ea8Slogwang					.lnk = lnk,
a9643ea8Slogwang					.oaddr = &original_address,
a9643ea8Slogwang					.aaddr = &alias_address,
a9643ea8Slogwang					.aport = &alias_port,
a9643ea8Slogwang					.sport = &ud->uh_sport,
a9643ea8Slogwang					.dport = &ud->uh_dport,
a9643ea8Slogwang					.maxpktsize = 0
a9643ea8Slogwang				};
a9643ea8Slogwang
a9643ea8Slogwang				/* Walk out chain. */
a9643ea8Slogwang				error = find_handler(la, pip, &ad);
a9643ea8Slogwang				if (error == EHDNOF)
a9643ea8Slogwang					printf("Protocol handler not found\n");
a9643ea8Slogwang#endif
a9643ea8Slogwang
a9643ea8Slogwang/* Adjust TCP checksum since destination port is being unaliased */
a9643ea8Slogwang/* and destination port is being altered.                        */
a9643ea8Slogwang		accumulate = alias_port;
a9643ea8Slogwang		accumulate -= tc->th_dport;
a9643ea8Slogwang		accumulate += twowords(&alias_address);
a9643ea8Slogwang		accumulate -= twowords(&original_address);
a9643ea8Slogwang
a9643ea8Slogwang/* If this is a proxy, then modify the TCP source port and
a9643ea8Slogwang   checksum accumulation */
a9643ea8Slogwang		if (proxy_port != 0) {
a9643ea8Slogwang			accumulate += tc->th_sport;
a9643ea8Slogwang			tc->th_sport = proxy_port;
a9643ea8Slogwang			accumulate -= tc->th_sport;
a9643ea8Slogwang			accumulate += twowords(&pip->ip_src);
a9643ea8Slogwang			accumulate -= twowords(&proxy_address);
a9643ea8Slogwang		}
a9643ea8Slogwang/* See if ACK number needs to be modified */
a9643ea8Slogwang		if (GetAckModified(lnk) == 1) {
a9643ea8Slogwang			int delta;
a9643ea8Slogwang
a9643ea8Slogwang			tc = (struct tcphdr *)ip_next(pip);
a9643ea8Slogwang			delta = GetDeltaAckIn(tc->th_ack, lnk);
a9643ea8Slogwang			if (delta != 0) {
a9643ea8Slogwang				accumulate += twowords(&tc->th_ack);
a9643ea8Slogwang				tc->th_ack = htonl(ntohl(tc->th_ack) - delta);
a9643ea8Slogwang				accumulate -= twowords(&tc->th_ack);
a9643ea8Slogwang			}
a9643ea8Slogwang		}
a9643ea8Slogwang		ADJUST_CHECKSUM(accumulate, tc->th_sum);
a9643ea8Slogwang
a9643ea8Slogwang/* Restore original IP address */
a9643ea8Slogwang		accumulate = twowords(&pip->ip_dst);
a9643ea8Slogwang		pip->ip_dst = original_address;
a9643ea8Slogwang		accumulate -= twowords(&pip->ip_dst);
a9643ea8Slogwang
a9643ea8Slogwang/* If this is a transparent proxy packet, then modify the source
a9643ea8Slogwang   address */
a9643ea8Slogwang		if (proxy_address.s_addr != 0) {
a9643ea8Slogwang			accumulate += twowords(&pip->ip_src);
a9643ea8Slogwang			pip->ip_src = proxy_address;
a9643ea8Slogwang			accumulate -= twowords(&pip->ip_src);
a9643ea8Slogwang		}
a9643ea8Slogwang		ADJUST_CHECKSUM(accumulate, pip->ip_sum);
a9643ea8Slogwang
a9643ea8Slogwang/* Monitor TCP connection state */
a9643ea8Slogwang		tc = (struct tcphdr *)ip_next(pip);
a9643ea8Slogwang		TcpMonitorIn(tc->th_flags, lnk);
a9643ea8Slogwang
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
a9643ea8SlogwangTcpAliasOut(struct libalias *la, struct ip *pip, int maxpacketsize, int create)
a9643ea8Slogwang{
a9643ea8Slogwang	int proxy_type, error;
a9643ea8Slogwang	u_short dest_port;
a9643ea8Slogwang	u_short proxy_server_port;
*22ce4affSfengbojiang	size_t dlen;
a9643ea8Slogwang	struct in_addr dest_address;
a9643ea8Slogwang	struct in_addr proxy_server_address;
a9643ea8Slogwang	struct tcphdr *tc;
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
*22ce4affSfengbojiang
*22ce4affSfengbojiang	dlen = ntohs(pip->ip_len) - (pip->ip_hl << 2);
*22ce4affSfengbojiang	if (dlen < sizeof(struct tcphdr))
*22ce4affSfengbojiang		return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang	tc = (struct tcphdr *)ip_next(pip);
a9643ea8Slogwang
a9643ea8Slogwang	if (create)
a9643ea8Slogwang		proxy_type = ProxyCheck(la, &proxy_server_address,
a9643ea8Slogwang		    &proxy_server_port, pip->ip_src, pip->ip_dst,
a9643ea8Slogwang		    tc->th_dport, pip->ip_p);
a9643ea8Slogwang	else
a9643ea8Slogwang		proxy_type = 0;
a9643ea8Slogwang
a9643ea8Slogwang	if (proxy_type == 0 && (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY))
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang
a9643ea8Slogwang/* If this is a transparent proxy, save original destination,
a9643ea8Slogwang   then alter the destination and adjust checksums */
a9643ea8Slogwang	dest_port = tc->th_dport;
a9643ea8Slogwang	dest_address = pip->ip_dst;
a9643ea8Slogwang	if (proxy_type != 0) {
a9643ea8Slogwang		int accumulate;
a9643ea8Slogwang
a9643ea8Slogwang		accumulate = tc->th_dport;
a9643ea8Slogwang		tc->th_dport = proxy_server_port;
a9643ea8Slogwang		accumulate -= tc->th_dport;
a9643ea8Slogwang		accumulate += twowords(&pip->ip_dst);
a9643ea8Slogwang		accumulate -= twowords(&proxy_server_address);
a9643ea8Slogwang		ADJUST_CHECKSUM(accumulate, tc->th_sum);
a9643ea8Slogwang
a9643ea8Slogwang		accumulate = twowords(&pip->ip_dst);
a9643ea8Slogwang		pip->ip_dst = proxy_server_address;
a9643ea8Slogwang		accumulate -= twowords(&pip->ip_dst);
a9643ea8Slogwang		ADJUST_CHECKSUM(accumulate, pip->ip_sum);
a9643ea8Slogwang	}
a9643ea8Slogwang	lnk = FindUdpTcpOut(la, pip->ip_src, pip->ip_dst,
a9643ea8Slogwang	    tc->th_sport, tc->th_dport,
a9643ea8Slogwang	    IPPROTO_TCP, create);
a9643ea8Slogwang	if (lnk == NULL)
a9643ea8Slogwang		return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		u_short alias_port;
a9643ea8Slogwang		struct in_addr alias_address;
a9643ea8Slogwang		int accumulate;
a9643ea8Slogwang		struct alias_data ad = {
a9643ea8Slogwang			.lnk = lnk,
a9643ea8Slogwang			.oaddr = NULL,
a9643ea8Slogwang			.aaddr = &alias_address,
a9643ea8Slogwang			.aport = &alias_port,
a9643ea8Slogwang			.sport = &tc->th_sport,
a9643ea8Slogwang			.dport = &tc->th_dport,
a9643ea8Slogwang			.maxpktsize = maxpacketsize
a9643ea8Slogwang		};
a9643ea8Slogwang
a9643ea8Slogwang/* Save original destination address, if this is a proxy packet.
a9643ea8Slogwang   Also modify packet to include destination encoding.  This may
a9643ea8Slogwang   change the size of IP header. */
a9643ea8Slogwang		if (proxy_type != 0) {
a9643ea8Slogwang			SetProxyPort(lnk, dest_port);
a9643ea8Slogwang			SetProxyAddress(lnk, dest_address);
a9643ea8Slogwang			ProxyModify(la, lnk, pip, maxpacketsize, proxy_type);
a9643ea8Slogwang			tc = (struct tcphdr *)ip_next(pip);
a9643ea8Slogwang		}
a9643ea8Slogwang/* Get alias address and port */
a9643ea8Slogwang		alias_port = GetAliasPort(lnk);
a9643ea8Slogwang		alias_address = GetAliasAddress(lnk);
a9643ea8Slogwang
a9643ea8Slogwang/* Monitor TCP connection state */
a9643ea8Slogwang		tc = (struct tcphdr *)ip_next(pip);
a9643ea8Slogwang		TcpMonitorOut(tc->th_flags, lnk);
a9643ea8Slogwang
a9643ea8Slogwang		/* Walk out chain. */
a9643ea8Slogwang		error = find_handler(OUT, TCP, la, pip, &ad);
a9643ea8Slogwang
a9643ea8Slogwang/* Adjust TCP checksum since source port is being aliased */
a9643ea8Slogwang/* and source address is being altered                    */
a9643ea8Slogwang		accumulate = tc->th_sport;
a9643ea8Slogwang		tc->th_sport = alias_port;
a9643ea8Slogwang		accumulate -= tc->th_sport;
a9643ea8Slogwang		accumulate += twowords(&pip->ip_src);
a9643ea8Slogwang		accumulate -= twowords(&alias_address);
a9643ea8Slogwang
a9643ea8Slogwang/* Modify sequence number if necessary */
a9643ea8Slogwang		if (GetAckModified(lnk) == 1) {
a9643ea8Slogwang			int delta;
a9643ea8Slogwang
a9643ea8Slogwang			tc = (struct tcphdr *)ip_next(pip);
a9643ea8Slogwang			delta = GetDeltaSeqOut(tc->th_seq, lnk);
a9643ea8Slogwang			if (delta != 0) {
a9643ea8Slogwang				accumulate += twowords(&tc->th_seq);
a9643ea8Slogwang				tc->th_seq = htonl(ntohl(tc->th_seq) + delta);
a9643ea8Slogwang				accumulate -= twowords(&tc->th_seq);
a9643ea8Slogwang			}
a9643ea8Slogwang		}
a9643ea8Slogwang		ADJUST_CHECKSUM(accumulate, tc->th_sum);
a9643ea8Slogwang
a9643ea8Slogwang/* Change source address */
a9643ea8Slogwang		accumulate = twowords(&pip->ip_src);
a9643ea8Slogwang		pip->ip_src = alias_address;
a9643ea8Slogwang		accumulate -= twowords(&pip->ip_src);
a9643ea8Slogwang		ADJUST_CHECKSUM(accumulate, pip->ip_sum);
a9643ea8Slogwang
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_IGNORED);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwang/* Fragment Handling
a9643ea8Slogwang
a9643ea8Slogwang    FragmentIn()
a9643ea8Slogwang    FragmentOut()
a9643ea8Slogwang
a9643ea8SlogwangThe packet aliasing module has a limited ability for handling IP
a9643ea8Slogwangfragments.  If the ICMP, TCP or UDP header is in the first fragment
a9643ea8Slogwangreceived, then the ID number of the IP packet is saved, and other
a9643ea8Slogwangfragments are identified according to their ID number and IP address
a9643ea8Slogwangthey were sent from.  Pointers to unresolved fragments can also be
a9643ea8Slogwangsaved and recalled when a header fragment is seen.
a9643ea8Slogwang*/
a9643ea8Slogwang
a9643ea8Slogwang/* Local prototypes */
a9643ea8Slogwangstatic int	FragmentIn(struct libalias *la, struct in_addr ip_src,
*22ce4affSfengbojiang		    struct ip *pip, u_short ip_id, u_short *ip_sum);
*22ce4affSfengbojiangstatic int	FragmentOut(struct libalias *, struct ip *pip,
a9643ea8Slogwang		    u_short *ip_sum);
a9643ea8Slogwang
a9643ea8Slogwangstatic int
*22ce4affSfengbojiangFragmentIn(struct libalias *la, struct in_addr ip_src, struct ip *pip,
a9643ea8Slogwang    u_short ip_id, u_short *ip_sum)
a9643ea8Slogwang{
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
*22ce4affSfengbojiang	lnk = FindFragmentIn2(la, ip_src, pip->ip_dst, ip_id);
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		struct in_addr original_address;
a9643ea8Slogwang
a9643ea8Slogwang		GetFragmentAddr(lnk, &original_address);
a9643ea8Slogwang		DifferentialChecksum(ip_sum,
*22ce4affSfengbojiang		    &original_address, &pip->ip_dst, 2);
*22ce4affSfengbojiang		pip->ip_dst = original_address;
a9643ea8Slogwang
a9643ea8Slogwang		return (PKT_ALIAS_OK);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (PKT_ALIAS_UNRESOLVED_FRAGMENT);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
*22ce4affSfengbojiangFragmentOut(struct libalias *la, struct ip *pip, u_short *ip_sum)
a9643ea8Slogwang{
a9643ea8Slogwang	struct in_addr alias_address;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK_ASSERT(la);
*22ce4affSfengbojiang	alias_address = FindAliasAddress(la, pip->ip_src);
a9643ea8Slogwang	DifferentialChecksum(ip_sum,
*22ce4affSfengbojiang	    &alias_address, &pip->ip_src, 2);
*22ce4affSfengbojiang	pip->ip_src = alias_address;
a9643ea8Slogwang
a9643ea8Slogwang	return (PKT_ALIAS_OK);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwang/* Outside World Access
a9643ea8Slogwang
a9643ea8Slogwang	PacketAliasSaveFragment()
a9643ea8Slogwang	PacketAliasGetFragment()
a9643ea8Slogwang	PacketAliasFragmentIn()
a9643ea8Slogwang	PacketAliasIn()
a9643ea8Slogwang	PacketAliasOut()
a9643ea8Slogwang	PacketUnaliasOut()
a9643ea8Slogwang
a9643ea8Slogwang(prototypes in alias.h)
a9643ea8Slogwang*/
a9643ea8Slogwang
a9643ea8Slogwangint
*22ce4affSfengbojiangLibAliasSaveFragment(struct libalias *la, void *ptr)
a9643ea8Slogwang{
a9643ea8Slogwang	int iresult;
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang	struct ip *pip;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK(la);
a9643ea8Slogwang	pip = (struct ip *)ptr;
a9643ea8Slogwang	lnk = AddFragmentPtrLink(la, pip->ip_src, pip->ip_id);
a9643ea8Slogwang	iresult = PKT_ALIAS_ERROR;
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		SetFragmentPtr(lnk, ptr);
a9643ea8Slogwang		iresult = PKT_ALIAS_OK;
a9643ea8Slogwang	}
a9643ea8Slogwang	LIBALIAS_UNLOCK(la);
a9643ea8Slogwang	return (iresult);
a9643ea8Slogwang}
a9643ea8Slogwang
*22ce4affSfengbojiangvoid           *
*22ce4affSfengbojiangLibAliasGetFragment(struct libalias *la, void *ptr)
a9643ea8Slogwang{
a9643ea8Slogwang	struct alias_link *lnk;
*22ce4affSfengbojiang	void *fptr;
a9643ea8Slogwang	struct ip *pip;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK(la);
a9643ea8Slogwang	pip = (struct ip *)ptr;
a9643ea8Slogwang	lnk = FindFragmentPtr(la, pip->ip_src, pip->ip_id);
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		GetFragmentPtr(lnk, &fptr);
a9643ea8Slogwang		SetFragmentPtr(lnk, NULL);
a9643ea8Slogwang		SetExpire(lnk, 0);	/* Deletes link */
a9643ea8Slogwang	} else
a9643ea8Slogwang		fptr = NULL;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_UNLOCK(la);
a9643ea8Slogwang	return (fptr);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangvoid
*22ce4affSfengbojiangLibAliasFragmentIn(struct libalias *la, void *ptr,	/* Points to correctly
a9643ea8Slogwang							 * de-aliased header
a9643ea8Slogwang							 * fragment */
*22ce4affSfengbojiang    void *ptr_fragment		/* Points to fragment which must be
a9643ea8Slogwang				 * de-aliased   */
a9643ea8Slogwang)
a9643ea8Slogwang{
a9643ea8Slogwang	struct ip *pip;
a9643ea8Slogwang	struct ip *fpip;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK(la);
a9643ea8Slogwang	(void)la;
a9643ea8Slogwang	pip = (struct ip *)ptr;
a9643ea8Slogwang	fpip = (struct ip *)ptr_fragment;
a9643ea8Slogwang
a9643ea8Slogwang	DifferentialChecksum(&fpip->ip_sum,
a9643ea8Slogwang	    &pip->ip_dst, &fpip->ip_dst, 2);
a9643ea8Slogwang	fpip->ip_dst = pip->ip_dst;
a9643ea8Slogwang	LIBALIAS_UNLOCK(la);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwang/* Local prototypes */
a9643ea8Slogwangstatic int
*22ce4affSfengbojiangLibAliasOutLocked(struct libalias *la, struct ip *pip,
a9643ea8Slogwang		  int maxpacketsize, int create);
a9643ea8Slogwangstatic int
*22ce4affSfengbojiangLibAliasInLocked(struct libalias *la, struct ip *pip,
a9643ea8Slogwang		  int maxpacketsize);
a9643ea8Slogwang
a9643ea8Slogwangint
*22ce4affSfengbojiangLibAliasIn(struct libalias *la, void *ptr, int maxpacketsize)
a9643ea8Slogwang{
a9643ea8Slogwang	int res;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK(la);
*22ce4affSfengbojiang	res = LibAliasInLocked(la, (struct ip *)ptr, maxpacketsize);
a9643ea8Slogwang	LIBALIAS_UNLOCK(la);
a9643ea8Slogwang	return (res);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
*22ce4affSfengbojiangLibAliasInLocked(struct libalias *la, struct ip *pip, int maxpacketsize)
a9643ea8Slogwang{
a9643ea8Slogwang	struct in_addr alias_addr;
a9643ea8Slogwang	int iresult;
a9643ea8Slogwang
a9643ea8Slogwang	if (la->packetAliasMode & PKT_ALIAS_REVERSE) {
a9643ea8Slogwang		la->packetAliasMode &= ~PKT_ALIAS_REVERSE;
*22ce4affSfengbojiang		iresult = LibAliasOutLocked(la, pip, maxpacketsize, 1);
a9643ea8Slogwang		la->packetAliasMode |= PKT_ALIAS_REVERSE;
a9643ea8Slogwang		goto getout;
a9643ea8Slogwang	}
a9643ea8Slogwang	HouseKeeping(la);
a9643ea8Slogwang	ClearCheckNewLink(la);
a9643ea8Slogwang	alias_addr = pip->ip_dst;
a9643ea8Slogwang
a9643ea8Slogwang	/* Defense against mangled packets */
a9643ea8Slogwang	if (ntohs(pip->ip_len) > maxpacketsize
a9643ea8Slogwang	    || (pip->ip_hl << 2) > maxpacketsize) {
a9643ea8Slogwang		iresult = PKT_ALIAS_IGNORED;
a9643ea8Slogwang		goto getout;
a9643ea8Slogwang	}
a9643ea8Slogwang
a9643ea8Slogwang	iresult = PKT_ALIAS_IGNORED;
a9643ea8Slogwang	if ((ntohs(pip->ip_off) & IP_OFFMASK) == 0) {
a9643ea8Slogwang		switch (pip->ip_p) {
a9643ea8Slogwang		case IPPROTO_ICMP:
a9643ea8Slogwang			iresult = IcmpAliasIn(la, pip);
a9643ea8Slogwang			break;
a9643ea8Slogwang		case IPPROTO_UDP:
a9643ea8Slogwang			iresult = UdpAliasIn(la, pip);
a9643ea8Slogwang			break;
a9643ea8Slogwang		case IPPROTO_TCP:
a9643ea8Slogwang			iresult = TcpAliasIn(la, pip);
a9643ea8Slogwang			break;
a9643ea8Slogwang#ifdef _KERNEL
a9643ea8Slogwang		case IPPROTO_SCTP:
a9643ea8Slogwang		  iresult = SctpAlias(la, pip, SN_TO_LOCAL);
a9643ea8Slogwang			break;
a9643ea8Slogwang#endif
a9643ea8Slogwang 		case IPPROTO_GRE: {
a9643ea8Slogwang			int error;
a9643ea8Slogwang			struct alias_data ad = {
a9643ea8Slogwang				.lnk = NULL,
a9643ea8Slogwang				.oaddr = NULL,
a9643ea8Slogwang				.aaddr = NULL,
a9643ea8Slogwang				.aport = NULL,
a9643ea8Slogwang				.sport = NULL,
a9643ea8Slogwang				.dport = NULL,
a9643ea8Slogwang				.maxpktsize = 0
a9643ea8Slogwang			};
a9643ea8Slogwang
a9643ea8Slogwang			/* Walk out chain. */
a9643ea8Slogwang			error = find_handler(IN, IP, la, pip, &ad);
a9643ea8Slogwang			if (error ==  0)
a9643ea8Slogwang				iresult = PKT_ALIAS_OK;
a9643ea8Slogwang			else
a9643ea8Slogwang				iresult = ProtoAliasIn(la, pip->ip_src,
*22ce4affSfengbojiang				    pip, pip->ip_p, &pip->ip_sum);
a9643ea8Slogwang		}
a9643ea8Slogwang 			break;
a9643ea8Slogwang		default:
*22ce4affSfengbojiang			iresult = ProtoAliasIn(la, pip->ip_src, pip,
a9643ea8Slogwang			    pip->ip_p, &pip->ip_sum);
a9643ea8Slogwang			break;
a9643ea8Slogwang		}
a9643ea8Slogwang
a9643ea8Slogwang		if (ntohs(pip->ip_off) & IP_MF) {
a9643ea8Slogwang			struct alias_link *lnk;
a9643ea8Slogwang
a9643ea8Slogwang			lnk = FindFragmentIn1(la, pip->ip_src, alias_addr, pip->ip_id);
a9643ea8Slogwang			if (lnk != NULL) {
a9643ea8Slogwang				iresult = PKT_ALIAS_FOUND_HEADER_FRAGMENT;
a9643ea8Slogwang				SetFragmentAddr(lnk, pip->ip_dst);
a9643ea8Slogwang			} else {
a9643ea8Slogwang				iresult = PKT_ALIAS_ERROR;
a9643ea8Slogwang			}
a9643ea8Slogwang		}
a9643ea8Slogwang	} else {
*22ce4affSfengbojiang		iresult = FragmentIn(la, pip->ip_src, pip, pip->ip_id,
a9643ea8Slogwang		    &pip->ip_sum);
a9643ea8Slogwang	}
a9643ea8Slogwang
a9643ea8Slogwanggetout:
a9643ea8Slogwang	return (iresult);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwang/* Unregistered address ranges */
a9643ea8Slogwang
a9643ea8Slogwang/* 10.0.0.0   ->   10.255.255.255 */
a9643ea8Slogwang#define UNREG_ADDR_A_LOWER 0x0a000000
a9643ea8Slogwang#define UNREG_ADDR_A_UPPER 0x0affffff
a9643ea8Slogwang
a9643ea8Slogwang/* 172.16.0.0  ->  172.31.255.255 */
a9643ea8Slogwang#define UNREG_ADDR_B_LOWER 0xac100000
a9643ea8Slogwang#define UNREG_ADDR_B_UPPER 0xac1fffff
a9643ea8Slogwang
a9643ea8Slogwang/* 192.168.0.0 -> 192.168.255.255 */
a9643ea8Slogwang#define UNREG_ADDR_C_LOWER 0xc0a80000
a9643ea8Slogwang#define UNREG_ADDR_C_UPPER 0xc0a8ffff
a9643ea8Slogwang
*22ce4affSfengbojiang/* 100.64.0.0  -> 100.127.255.255 (RFC 6598 - Carrier Grade NAT) */
*22ce4affSfengbojiang#define UNREG_ADDR_CGN_LOWER 0x64400000
*22ce4affSfengbojiang#define UNREG_ADDR_CGN_UPPER 0x647fffff
*22ce4affSfengbojiang
a9643ea8Slogwangint
*22ce4affSfengbojiangLibAliasOut(struct libalias *la, void *ptr, int maxpacketsize)
a9643ea8Slogwang{
a9643ea8Slogwang	int res;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK(la);
*22ce4affSfengbojiang	res = LibAliasOutLocked(la, (struct ip *)ptr, maxpacketsize, 1);
a9643ea8Slogwang	LIBALIAS_UNLOCK(la);
a9643ea8Slogwang	return (res);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangint
*22ce4affSfengbojiangLibAliasOutTry(struct libalias *la, void *ptr, int maxpacketsize, int create)
a9643ea8Slogwang{
a9643ea8Slogwang	int res;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK(la);
*22ce4affSfengbojiang	res = LibAliasOutLocked(la, (struct ip *)ptr, maxpacketsize, create);
a9643ea8Slogwang	LIBALIAS_UNLOCK(la);
a9643ea8Slogwang	return (res);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangstatic int
*22ce4affSfengbojiangLibAliasOutLocked(struct libalias *la, struct ip *pip,	/* valid IP packet */
a9643ea8Slogwang    int maxpacketsize,		/* How much the packet data may grow (FTP
a9643ea8Slogwang				 * and IRC inline changes) */
a9643ea8Slogwang    int create                  /* Create new entries ? */
a9643ea8Slogwang)
a9643ea8Slogwang{
a9643ea8Slogwang	int iresult;
a9643ea8Slogwang	struct in_addr addr_save;
a9643ea8Slogwang
a9643ea8Slogwang	if (la->packetAliasMode & PKT_ALIAS_REVERSE) {
a9643ea8Slogwang		la->packetAliasMode &= ~PKT_ALIAS_REVERSE;
*22ce4affSfengbojiang		iresult = LibAliasInLocked(la, pip, maxpacketsize);
a9643ea8Slogwang		la->packetAliasMode |= PKT_ALIAS_REVERSE;
a9643ea8Slogwang		goto getout;
a9643ea8Slogwang	}
a9643ea8Slogwang	HouseKeeping(la);
a9643ea8Slogwang	ClearCheckNewLink(la);
a9643ea8Slogwang
a9643ea8Slogwang	/* Defense against mangled packets */
a9643ea8Slogwang	if (ntohs(pip->ip_len) > maxpacketsize
a9643ea8Slogwang	    || (pip->ip_hl << 2) > maxpacketsize) {
a9643ea8Slogwang		iresult = PKT_ALIAS_IGNORED;
a9643ea8Slogwang		goto getout;
a9643ea8Slogwang	}
a9643ea8Slogwang
a9643ea8Slogwang	addr_save = GetDefaultAliasAddress(la);
*22ce4affSfengbojiang	if (la->packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY ||
*22ce4affSfengbojiang	    la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN) {
a9643ea8Slogwang		u_long addr;
a9643ea8Slogwang		int iclass;
a9643ea8Slogwang
a9643ea8Slogwang		iclass = 0;
a9643ea8Slogwang		addr = ntohl(pip->ip_src.s_addr);
a9643ea8Slogwang		if (addr >= UNREG_ADDR_C_LOWER && addr <= UNREG_ADDR_C_UPPER)
a9643ea8Slogwang			iclass = 3;
a9643ea8Slogwang		else if (addr >= UNREG_ADDR_B_LOWER && addr <= UNREG_ADDR_B_UPPER)
a9643ea8Slogwang			iclass = 2;
a9643ea8Slogwang		else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER)
a9643ea8Slogwang			iclass = 1;
*22ce4affSfengbojiang		else if (addr >= UNREG_ADDR_CGN_LOWER && addr <= UNREG_ADDR_CGN_UPPER &&
*22ce4affSfengbojiang		    la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN)
*22ce4affSfengbojiang			iclass = 4;
a9643ea8Slogwang
a9643ea8Slogwang		if (iclass == 0) {
a9643ea8Slogwang			SetDefaultAliasAddress(la, pip->ip_src);
a9643ea8Slogwang		}
a9643ea8Slogwang	} else if (la->packetAliasMode & PKT_ALIAS_PROXY_ONLY) {
a9643ea8Slogwang		SetDefaultAliasAddress(la, pip->ip_src);
a9643ea8Slogwang	}
a9643ea8Slogwang	iresult = PKT_ALIAS_IGNORED;
a9643ea8Slogwang	if ((ntohs(pip->ip_off) & IP_OFFMASK) == 0) {
a9643ea8Slogwang		switch (pip->ip_p) {
a9643ea8Slogwang		case IPPROTO_ICMP:
a9643ea8Slogwang			iresult = IcmpAliasOut(la, pip, create);
a9643ea8Slogwang			break;
a9643ea8Slogwang		case IPPROTO_UDP:
a9643ea8Slogwang			iresult = UdpAliasOut(la, pip, maxpacketsize, create);
a9643ea8Slogwang			break;
a9643ea8Slogwang		case IPPROTO_TCP:
a9643ea8Slogwang			iresult = TcpAliasOut(la, pip, maxpacketsize, create);
a9643ea8Slogwang			break;
a9643ea8Slogwang#ifdef _KERNEL
a9643ea8Slogwang		case IPPROTO_SCTP:
a9643ea8Slogwang		  iresult = SctpAlias(la, pip, SN_TO_GLOBAL);
a9643ea8Slogwang			break;
a9643ea8Slogwang#endif
a9643ea8Slogwang		case IPPROTO_GRE: {
a9643ea8Slogwang			int error;
a9643ea8Slogwang			struct alias_data ad = {
a9643ea8Slogwang				.lnk = NULL,
a9643ea8Slogwang				.oaddr = NULL,
a9643ea8Slogwang				.aaddr = NULL,
a9643ea8Slogwang				.aport = NULL,
a9643ea8Slogwang				.sport = NULL,
a9643ea8Slogwang				.dport = NULL,
a9643ea8Slogwang				.maxpktsize = 0
a9643ea8Slogwang			};
a9643ea8Slogwang			/* Walk out chain. */
a9643ea8Slogwang			error = find_handler(OUT, IP, la, pip, &ad);
a9643ea8Slogwang			if (error == 0)
a9643ea8Slogwang 				iresult = PKT_ALIAS_OK;
a9643ea8Slogwang 			else
*22ce4affSfengbojiang				iresult = ProtoAliasOut(la, pip,
a9643ea8Slogwang				    pip->ip_dst, pip->ip_p, &pip->ip_sum, create);
a9643ea8Slogwang		}
a9643ea8Slogwang 			break;
a9643ea8Slogwang		default:
*22ce4affSfengbojiang			iresult = ProtoAliasOut(la, pip,
a9643ea8Slogwang			    pip->ip_dst, pip->ip_p, &pip->ip_sum, create);
a9643ea8Slogwang			break;
a9643ea8Slogwang		}
a9643ea8Slogwang	} else {
*22ce4affSfengbojiang		iresult = FragmentOut(la, pip, &pip->ip_sum);
a9643ea8Slogwang	}
a9643ea8Slogwang
a9643ea8Slogwang	SetDefaultAliasAddress(la, addr_save);
a9643ea8Slogwanggetout:
a9643ea8Slogwang	return (iresult);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangint
*22ce4affSfengbojiangLibAliasUnaliasOut(struct libalias *la, void *ptr,	/* valid IP packet */
a9643ea8Slogwang    int maxpacketsize		/* for error checking */
a9643ea8Slogwang)
a9643ea8Slogwang{
a9643ea8Slogwang	struct ip *pip;
a9643ea8Slogwang	struct icmp *ic;
a9643ea8Slogwang	struct udphdr *ud;
a9643ea8Slogwang	struct tcphdr *tc;
a9643ea8Slogwang	struct alias_link *lnk;
a9643ea8Slogwang	int iresult = PKT_ALIAS_IGNORED;
a9643ea8Slogwang
a9643ea8Slogwang	LIBALIAS_LOCK(la);
a9643ea8Slogwang	pip = (struct ip *)ptr;
a9643ea8Slogwang
a9643ea8Slogwang	/* Defense against mangled packets */
a9643ea8Slogwang	if (ntohs(pip->ip_len) > maxpacketsize
a9643ea8Slogwang	    || (pip->ip_hl << 2) > maxpacketsize)
a9643ea8Slogwang		goto getout;
a9643ea8Slogwang
a9643ea8Slogwang	ud = (struct udphdr *)ip_next(pip);
a9643ea8Slogwang	tc = (struct tcphdr *)ip_next(pip);
a9643ea8Slogwang	ic = (struct icmp *)ip_next(pip);
a9643ea8Slogwang
a9643ea8Slogwang	/* Find a link */
a9643ea8Slogwang	if (pip->ip_p == IPPROTO_UDP)
a9643ea8Slogwang		lnk = FindUdpTcpIn(la, pip->ip_dst, pip->ip_src,
a9643ea8Slogwang		    ud->uh_dport, ud->uh_sport,
a9643ea8Slogwang		    IPPROTO_UDP, 0);
a9643ea8Slogwang	else if (pip->ip_p == IPPROTO_TCP)
a9643ea8Slogwang		lnk = FindUdpTcpIn(la, pip->ip_dst, pip->ip_src,
a9643ea8Slogwang		    tc->th_dport, tc->th_sport,
a9643ea8Slogwang		    IPPROTO_TCP, 0);
a9643ea8Slogwang	else if (pip->ip_p == IPPROTO_ICMP)
a9643ea8Slogwang		lnk = FindIcmpIn(la, pip->ip_dst, pip->ip_src, ic->icmp_id, 0);
a9643ea8Slogwang	else
a9643ea8Slogwang		lnk = NULL;
a9643ea8Slogwang
a9643ea8Slogwang	/* Change it from an aliased packet to an unaliased packet */
a9643ea8Slogwang	if (lnk != NULL) {
a9643ea8Slogwang		if (pip->ip_p == IPPROTO_UDP || pip->ip_p == IPPROTO_TCP) {
a9643ea8Slogwang			int accumulate;
a9643ea8Slogwang			struct in_addr original_address;
a9643ea8Slogwang			u_short original_port;
a9643ea8Slogwang
a9643ea8Slogwang			original_address = GetOriginalAddress(lnk);
a9643ea8Slogwang			original_port = GetOriginalPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang			/* Adjust TCP/UDP checksum */
a9643ea8Slogwang			accumulate = twowords(&pip->ip_src);
a9643ea8Slogwang			accumulate -= twowords(&original_address);
a9643ea8Slogwang
a9643ea8Slogwang			if (pip->ip_p == IPPROTO_UDP) {
a9643ea8Slogwang				accumulate += ud->uh_sport;
a9643ea8Slogwang				accumulate -= original_port;
a9643ea8Slogwang				ADJUST_CHECKSUM(accumulate, ud->uh_sum);
a9643ea8Slogwang			} else {
a9643ea8Slogwang				accumulate += tc->th_sport;
a9643ea8Slogwang				accumulate -= original_port;
a9643ea8Slogwang				ADJUST_CHECKSUM(accumulate, tc->th_sum);
a9643ea8Slogwang			}
a9643ea8Slogwang
a9643ea8Slogwang			/* Adjust IP checksum */
a9643ea8Slogwang			DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang			    &original_address, &pip->ip_src, 2);
a9643ea8Slogwang
a9643ea8Slogwang			/* Un-alias source address and port number */
a9643ea8Slogwang			pip->ip_src = original_address;
a9643ea8Slogwang			if (pip->ip_p == IPPROTO_UDP)
a9643ea8Slogwang				ud->uh_sport = original_port;
a9643ea8Slogwang			else
a9643ea8Slogwang				tc->th_sport = original_port;
a9643ea8Slogwang
a9643ea8Slogwang			iresult = PKT_ALIAS_OK;
a9643ea8Slogwang
a9643ea8Slogwang		} else if (pip->ip_p == IPPROTO_ICMP) {
a9643ea8Slogwang			int accumulate;
a9643ea8Slogwang			struct in_addr original_address;
a9643ea8Slogwang			u_short original_id;
a9643ea8Slogwang
a9643ea8Slogwang			original_address = GetOriginalAddress(lnk);
a9643ea8Slogwang			original_id = GetOriginalPort(lnk);
a9643ea8Slogwang
a9643ea8Slogwang			/* Adjust ICMP checksum */
a9643ea8Slogwang			accumulate = twowords(&pip->ip_src);
a9643ea8Slogwang			accumulate -= twowords(&original_address);
a9643ea8Slogwang			accumulate += ic->icmp_id;
a9643ea8Slogwang			accumulate -= original_id;
a9643ea8Slogwang			ADJUST_CHECKSUM(accumulate, ic->icmp_cksum);
a9643ea8Slogwang
a9643ea8Slogwang			/* Adjust IP checksum */
a9643ea8Slogwang			DifferentialChecksum(&pip->ip_sum,
a9643ea8Slogwang			    &original_address, &pip->ip_src, 2);
a9643ea8Slogwang
a9643ea8Slogwang			/* Un-alias source address and port number */
a9643ea8Slogwang			pip->ip_src = original_address;
a9643ea8Slogwang			ic->icmp_id = original_id;
a9643ea8Slogwang
a9643ea8Slogwang			iresult = PKT_ALIAS_OK;
a9643ea8Slogwang		}
a9643ea8Slogwang	}
a9643ea8Slogwanggetout:
a9643ea8Slogwang	LIBALIAS_UNLOCK(la);
a9643ea8Slogwang	return (iresult);
a9643ea8Slogwang
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwang#ifndef _KERNEL
a9643ea8Slogwang
a9643ea8Slogwangint
a9643ea8SlogwangLibAliasRefreshModules(void)
a9643ea8Slogwang{
a9643ea8Slogwang	char buf[256], conf[] = "/etc/libalias.conf";
a9643ea8Slogwang	FILE *fd;
a9643ea8Slogwang	int i, len;
a9643ea8Slogwang
a9643ea8Slogwang	fd = fopen(conf, "r");
a9643ea8Slogwang	if (fd == NULL)
a9643ea8Slogwang		err(1, "fopen(%s)", conf);
a9643ea8Slogwang
a9643ea8Slogwang	LibAliasUnLoadAllModule();
a9643ea8Slogwang
a9643ea8Slogwang	for (;;) {
a9643ea8Slogwang		fgets(buf, 256, fd);
a9643ea8Slogwang		if (feof(fd))
a9643ea8Slogwang		        break;
a9643ea8Slogwang		len = strlen(buf);
a9643ea8Slogwang		if (len > 1) {
a9643ea8Slogwang			for (i = 0; i < len; i++)
a9643ea8Slogwang				if (!isspace(buf[i]))
a9643ea8Slogwang					break;
a9643ea8Slogwang			if (buf[i] == '#')
a9643ea8Slogwang				continue;
a9643ea8Slogwang			buf[len - 1] = '\0';
a9643ea8Slogwang			LibAliasLoadModule(buf);
a9643ea8Slogwang		}
a9643ea8Slogwang	}
a9643ea8Slogwang	fclose(fd);
a9643ea8Slogwang	return (0);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangint
a9643ea8SlogwangLibAliasLoadModule(char *path)
a9643ea8Slogwang{
a9643ea8Slogwang	struct dll *t;
a9643ea8Slogwang	void *handle;
a9643ea8Slogwang	struct proto_handler *m;
a9643ea8Slogwang        const char *error;
a9643ea8Slogwang	moduledata_t *p;
a9643ea8Slogwang
a9643ea8Slogwang        handle = dlopen (path, RTLD_LAZY);
a9643ea8Slogwang        if (!handle) {
a9643ea8Slogwang		fprintf(stderr, "%s\n", dlerror());
a9643ea8Slogwang		return (EINVAL);
a9643ea8Slogwang        }
a9643ea8Slogwang
a9643ea8Slogwang	p = dlsym(handle, "alias_mod");
a9643ea8Slogwang        if ((error = dlerror()) != NULL)  {
a9643ea8Slogwang		fprintf(stderr, "%s\n", dlerror());
a9643ea8Slogwang		return (EINVAL);
a9643ea8Slogwang        }
a9643ea8Slogwang
a9643ea8Slogwang	t = malloc(sizeof(struct dll));
a9643ea8Slogwang	if (t == NULL)
a9643ea8Slogwang		return (ENOMEM);
a9643ea8Slogwang	strncpy(t->name, p->name, DLL_LEN);
a9643ea8Slogwang	t->handle = handle;
a9643ea8Slogwang	if (attach_dll(t) == EEXIST) {
a9643ea8Slogwang		free(t);
a9643ea8Slogwang		fprintf(stderr, "dll conflict\n");
a9643ea8Slogwang		return (EEXIST);
a9643ea8Slogwang	}
a9643ea8Slogwang
a9643ea8Slogwang        m = dlsym(t->handle, "handlers");
a9643ea8Slogwang        if ((error = dlerror()) != NULL)  {
a9643ea8Slogwang		fprintf(stderr, "%s\n", error);
a9643ea8Slogwang		return (EINVAL);
a9643ea8Slogwang	}
a9643ea8Slogwang
a9643ea8Slogwang	LibAliasAttachHandlers(m);
a9643ea8Slogwang	return (0);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwangint
a9643ea8SlogwangLibAliasUnLoadAllModule(void)
a9643ea8Slogwang{
a9643ea8Slogwang	struct dll *t;
a9643ea8Slogwang	struct proto_handler *p;
a9643ea8Slogwang
a9643ea8Slogwang	/* Unload all modules then reload everything. */
a9643ea8Slogwang	while ((p = first_handler()) != NULL) {
a9643ea8Slogwang		LibAliasDetachHandlers(p);
a9643ea8Slogwang	}
a9643ea8Slogwang	while ((t = walk_dll_chain()) != NULL) {
a9643ea8Slogwang		dlclose(t->handle);
a9643ea8Slogwang		free(t);
a9643ea8Slogwang	}
a9643ea8Slogwang	return (1);
a9643ea8Slogwang}
a9643ea8Slogwang
a9643ea8Slogwang#endif
a9643ea8Slogwang
a9643ea8Slogwang#ifdef _KERNEL
a9643ea8Slogwang/*
a9643ea8Slogwang * m_megapullup() - this function is a big hack.
a9643ea8Slogwang * Thankfully, it's only used in ng_nat and ipfw+nat.
a9643ea8Slogwang *
a9643ea8Slogwang * It allocates an mbuf with cluster and copies the specified part of the chain
a9643ea8Slogwang * into cluster, so that it is all contiguous and can be accessed via a plain
a9643ea8Slogwang * (char *) pointer. This is required, because libalias doesn't know how to
a9643ea8Slogwang * handle mbuf chains.
a9643ea8Slogwang *
a9643ea8Slogwang * On success, m_megapullup returns an mbuf (possibly with cluster) containing
a9643ea8Slogwang * the input packet, on failure NULL. The input packet is always consumed.
a9643ea8Slogwang */
a9643ea8Slogwangstruct mbuf *
*22ce4affSfengbojiangm_megapullup(struct mbuf *m, int len)
*22ce4affSfengbojiang{
a9643ea8Slogwang	struct mbuf *mcl;
a9643ea8Slogwang
a9643ea8Slogwang	if (len > m->m_pkthdr.len)
a9643ea8Slogwang		goto bad;
a9643ea8Slogwang
a9643ea8Slogwang	if (m->m_next == NULL && M_WRITABLE(m))
a9643ea8Slogwang		return (m);
a9643ea8Slogwang
*22ce4affSfengbojiang	if (len <= MJUMPAGESIZE)
a9643ea8Slogwang		mcl = m_get2(len, M_NOWAIT, MT_DATA, M_PKTHDR);
*22ce4affSfengbojiang	else if (len <= MJUM9BYTES)
*22ce4affSfengbojiang		mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM9BYTES);
*22ce4affSfengbojiang	else if (len <= MJUM16BYTES)
*22ce4affSfengbojiang		mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES);
*22ce4affSfengbojiang	else
*22ce4affSfengbojiang		goto bad;
a9643ea8Slogwang	if (mcl == NULL)
a9643ea8Slogwang		goto bad;
a9643ea8Slogwang	m_align(mcl, len);
a9643ea8Slogwang	m_move_pkthdr(mcl, m);
a9643ea8Slogwang	m_copydata(m, 0, len, mtod(mcl, caddr_t));
a9643ea8Slogwang	mcl->m_len = mcl->m_pkthdr.len = len;
a9643ea8Slogwang	m_freem(m);
a9643ea8Slogwang
a9643ea8Slogwang	return (mcl);
a9643ea8Slogwangbad:
a9643ea8Slogwang	m_freem(m);
a9643ea8Slogwang	return (NULL);
a9643ea8Slogwang}
a9643ea8Slogwang#endif