pfd_nat.c File Reference

Contains the implementation of NAT for the PFD. More...

#include <string.h>
#include <sys/types.h>
#include <time.h>
#include <pthread.h>
#include <errno.h>
#include <isc/eventlib.h>
#include <jnx/aux_types.h>
#include <jnx/vrf_util_pub.h>
#include <jnx/rt_shared_pub.h>
#include <jnx/jnx_types.h>
#include <jnx/mpsdk.h>
#include <sys/jnx/jbuf.h>
#include <sys/socket.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <hashtable.h>
#include "pfd_logging.h"
#include "pfd_config.h"
#include "pfd_nat.h"


Data Structures

struct  nat_table_t
struct  key_s

Defines

#define NAT_ENTRY_LIFETIME   60
#define NAT_MAX_ENTRIES   1000
#define NAT_LPORT_RANGE_MIN   50000
#define NAT_LPORT_RANGE_MAX   (NAT_LPORT_RANGE_MIN + NAT_MAX_ENTRIES - 1)
#define CPD_HTTP_PORT   80

Typedefs

typedef key_s hash_key_t

Functions

static DEFINE_HASHTABLE_INSERT (insert_entry, hash_key_t, uint16_t)
static DEFINE_HASHTABLE_SEARCH (get_entry, hash_key_t, uint16_t)
static DEFINE_HASHTABLE_REMOVE (remove_entry, hash_key_t, uint16_t)
static void checksum_adjust (unsigned char *chksum, unsigned char *optr, int olen, unsigned char *nptr, int nlen)
static unsigned int hashFromKey (void *key)
static int equalKeys (void *k1, void *k2)
void init_nat (void)
void terminate_nat (void)
boolean nat_packet (struct ip *ip_pkt, address_bundle_t *addresses)
boolean reverse_nat_packet (struct ip *ip_pkt)
void nat_fragment (struct ip *ip_pkt, address_bundle_t *addresses)

Variables

static nat_table_t nat_table [NAT_MAX_ENTRIES]
static struct hashtable * lookup_table = NULL
static uint16_t next_lport_num
 next available local src port number
static pthread_mutex_t lookup_table_lock
 lookup_table & next_lport_num lock
static uint16_t cpd_port
 Port of the CPD interface.


Detailed Description

Contains the implementation of NAT for the PFD.

Contains the implementation of NAT for the PFD, including the NAT table, the table-monitoring thread, and the NAT/reverse-NAT header-rewriting functions for packets in transit.

Definition in file pfd_nat.c.


Define Documentation

#define CPD_HTTP_PORT   80

The port that the CPD's public HTTP server runs on

Definition at line 75 of file pfd_nat.c.

Referenced by init_nat().

#define NAT_ENTRY_LIFETIME   60

A NAT entry expires after this many seconds without use

Definition at line 52 of file pfd_nat.c.

Referenced by nat_packet(), and reverse_nat_packet().

#define NAT_LPORT_RANGE_MAX   (NAT_LPORT_RANGE_MIN + NAT_MAX_ENTRIES - 1)

End of local port range. See NAT_LPORT_RANGE_MIN. (do not edit formula)

Definition at line 70 of file pfd_nat.c.

Referenced by reverse_nat_packet().

#define NAT_LPORT_RANGE_MIN   50000

Start of the local port range. The NAT_MAX_ENTRIES ports starting at this value are used when re-writing a packet's source IP to the PFD's address and its source port to one of the available ports in the range.

Definition at line 65 of file pfd_nat.c.

Referenced by nat_packet(), and reverse_nat_packet().

#define NAT_MAX_ENTRIES   1000

The number of NAT entries in the table (the size of the table is fixed) and the maximum number of local ports used for NAT

Definition at line 58 of file pfd_nat.c.

Referenced by init_nat(), nat_packet(), and terminate_nat().


Typedef Documentation

typedef struct key_s hash_key_t

The key for the hashtable. All values stay in network byte order


Function Documentation

static void checksum_adjust ( unsigned char *  chksum,
unsigned char *  optr,
int  olen,
unsigned char *  nptr,
int  nlen 
) [static]

This function will adjust a checksum. It is taken directly from the NAT RFC 3022.

Parameters:
[in,out] chksum Checksum to adjust
[in] optr Pointer to old data to scan
[in] olen Length of old data to scan
[in] nptr Pointer to new data to scan
[in] nlen Length of new data to scan

Definition at line 165 of file pfd_nat.c.

Referenced by nat_fragment(), nat_packet(), and reverse_nat_packet().

static DEFINE_HASHTABLE_INSERT ( insert_entry  ,
hash_key_t  ,
uint16_t   
) [static]

We use insert_entry to insert a (key,value) safely into the hashtable

static DEFINE_HASHTABLE_REMOVE ( remove_entry  ,
hash_key_t  ,
uint16_t   
) [static]

We use remove_entry to remove a (key,value) safely from the hashtable

static DEFINE_HASHTABLE_SEARCH ( get_entry  ,
hash_key_t  ,
uint16_t   
) [static]

We use get_entry to get a (key,value) safely from the hashtable

static int equalKeys ( void *  k1,
void *  k2 
) [static]

Compare two keys:

Parameters:
[in] k1 First key
[in] k2 Second key
Returns:
1 if the keys are equal, 0 otherwise

Definition at line 233 of file pfd_nat.c.

Referenced by init_nat().

static unsigned int hashFromKey ( void *  key  )  [static]

Returns the hash value of a key:

Parameters:
[in] key The key, which is cast to (hash_key_t *)
Returns:
a hash of the key (key's contents)

Definition at line 203 of file pfd_nat.c.

Referenced by init_nat().

void init_nat ( void   ) 

Initialize the NAT table, variables, and all the mutexes used in this module

Definition at line 246 of file pfd_nat.c.

References CPD_HTTP_PORT, cpd_port, equalKeys(), hashFromKey(), INSIST_ERR, lookup_table, lookup_table_lock, NAT_MAX_ENTRIES, nat_table, and next_lport_num.

Referenced by pfd_init().

void nat_fragment ( struct ip *  ip_pkt,
address_bundle_t addresses 
)

NAT the IP-fragmented packet from the original source to the CPD, making the PFD the new sender. This neither assumes nor changes TCP headers and performs no lookups; it only changes the IP addresses and the IP checksum.

Parameters:
[in] ip_pkt the packet to nat
[in] addresses PFD and CPD addresses

Definition at line 580 of file pfd_nat.c.

References checksum_adjust().

Referenced by pfd_process_packet().

boolean nat_packet ( struct ip *  ip_pkt,
address_bundle_t addresses 
)

NAT the packet from the original source to the CPD, making the PFD the new sender.

Parameters:
[in] ip_pkt the packet to nat
[in] addresses PFD and CPD addresses
Returns:
TRUE if successfully NAT'd; FALSE if an entry doesn't exist and one couldn't be created (full table)

Definition at line 303 of file pfd_nat.c.

References checksum_adjust(), cpd_port, current_time, nat_table_t::dstport, nat_table_t::exp_time, get_current_time(), INSIST_ERR, key_s::ipdst, nat_table_t::ipdst, key_s::ipsrc, nat_table_t::ipsrc, LOCK_MUTEX, LOG, lookup_table, lookup_table_lock, NAT_ENTRY_LIFETIME, NAT_LPORT_RANGE_MIN, NAT_MAX_ENTRIES, nat_table, next_lport_num, key_s::srcport, nat_table_t::srcport, and UNLOCK_MUTEX.

Referenced by pfd_process_packet().

boolean reverse_nat_packet ( struct ip *  ip_pkt  ) 

Reverse NAT the packet from the CPD to the original sender. (The PFD was the intermediate sender).

Parameters:
[in] ip_pkt the packet to reverse nat
Returns:
TRUE if successfully reverse-NAT'd; FALSE if no entry can be found for the destination port

Definition at line 507 of file pfd_nat.c.

References checksum_adjust(), current_time, nat_table_t::dstport, nat_table_t::exp_time, get_current_time(), nat_table_t::ipdst, nat_table_t::ipsrc, LOCK_MUTEX, NAT_ENTRY_LIFETIME, NAT_LPORT_RANGE_MAX, NAT_LPORT_RANGE_MIN, nat_table, nat_table_t::srcport, and UNLOCK_MUTEX.

Referenced by pfd_process_packet().

void terminate_nat ( void   ) 

Destroy the NAT table and all the mutexes used in this module

Definition at line 271 of file pfd_nat.c.

References lookup_table, lookup_table_lock, NAT_MAX_ENTRIES, and nat_table.

Referenced by pfd_quit(), and pfd_shutdown().


Variable Documentation

struct hashtable* lookup_table = NULL [static]

The forward NAT lookup table, which maps (source IP address, destination IP address, source port) to a local port number

Definition at line 102 of file pfd_nat.c.

Referenced by init_nat(), nat_packet(), and terminate_nat().

nat_table_t nat_table[NAT_MAX_ENTRIES] [static]

NAT table indexed by the local port number in use. Reverse-NAT lookups are faster here than through the hashtable.

Definition at line 96 of file pfd_nat.c.

Referenced by init_nat(), nat_packet(), reverse_nat_packet(), and terminate_nat().


2007-2009 Juniper Networks, Inc. All rights reserved. The information contained herein is confidential information of Juniper Networks, Inc., and may not be used, disclosed, distributed, modified, or copied without the prior written consent of Juniper Networks, Inc. in an express license. This information is subject to change by Juniper Networks, Inc. Juniper Networks, the Juniper Networks logo, and JUNOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.