Unison Help

7.7. Network Translation - NAT with PAT
NAME
Network Address Translation – NAT
SYNOPSIS
#include <netinet/ip_compat.h>
#include <netinet/ip_fil.h>
#include <netinet/ip_nat.h>
DESCRIPTION
In addition to the packet filter pf, which contains NAT capabilities of its own, Unison offers a simple NAT mechanism with the interface described here.
To add a rule to, or delete a rule from, the NAT list, two basic ioctls are provided:
    nat_ioctl(SIOCADNAT, struct ipnat *);
    nat_ioctl(SIOCRMNAT, struct ipnat *);
To retrieve statistics, the following ioctl is provided:
    nat_ioctl(SIOCGNATS, struct natstat *);
To look up NAT state, the following ioctl is provided:
    nat_ioctl(SIOCGNATL, struct natlookup *);
This searches the NAT table for the rdr entry that matches the fields in the natlookup structure. The caller must populate the structure with the address and port of the accepted TCP connection (nl_inip, nl_inport) and the address and port of the peer (nl_outip, nl_outport). The nl_flags field must have IPN_TCP set, and all other fields must be 0. If the call succeeds, nl_realip and nl_realport are set to the real destination address and port, respectively. Note that nl_inport and nl_outport must be in host byte order, not the network byte order that sockaddr_in carries.
To flush or clear NAT entries, two ioctls are provided:
    nat_ioctl(SIOCFLNAT, int *);  - flush the NAT table, removing all active mapping entries.
    nat_ioctl(SIOCCNATL, int *);  - clear the NAT list, deleting all rules added with SIOCADNAT.
The structure ipnat and its associated macros are defined as:
    typedef struct ipnat {
        struct ipnat   *in_next;
        void           *in_ifp;
        void           *in_apr;
        u_int          in_space;
        u_int          in_use;
        struct in_addr in_nextip;
        u_short        in_pnext;
        u_short        in_flags;
        u_short        in_port[2];
        struct in_addr in_in[2];
        struct in_addr in_out[2];
        int            in_redir;
        char           in_ifname[IFNAMSIZ];
        char           in_plabel[APR_LABELLEN];
        char           in_p;
        u_short        in_dport;
    } ipnat_t;

    #define in_pmin   in_port[0]
    #define in_pmax   in_port[1]
    #define in_nip    in_nextip.s_addr
    #define in_inip   in_in[0].s_addr
    #define in_inmsk  in_in[1].s_addr
    #define in_outip  in_out[0].s_addr
    #define in_outmsk in_out[1].s_addr
The structure natstat is defined as:
    typedef struct natstat {
        u_long   ns_mapped[2];
        u_long   ns_rules;
        u_long   ns_added;
        u_long   ns_expire;
        u_long   ns_inuse;
        u_long   ns_logged;
        u_long   ns_logfail;
        nat_t    **ns_table[2];
        ipnat_t  *ns_list;
    } natstat_t;
The structure natlookup is defined as:
    typedef struct natlookup {
        struct in_addr nl_inip;
        struct in_addr nl_outip;
        struct in_addr nl_realip;
        int            nl_flags;
        u_short        nl_inport;
        u_short        nl_outport;
        u_short        nl_realport;
    } natlookup_t;
To start and stop the NAT mechanism, two functions are provided:
    int ipl_enable(void);
    int ipl_disable(void);
ipl_enable() must be called before any NAT ioctl is issued; it initializes the internal structures needed for NAT setup and operation.
RULES PARSER
NAT rules are easier to handle in text form, using a parser to fill in the fields of the ipnat structure. Such a parser is shown in the ppp demo in the installdir/demos directory.
Valid NAT rules are described by the following grammar:
    natrule     ::= maprule | rdrrule | bimaprule
    maprule     ::= "map" ifname source "->" destination [mapoption]
    rdrrule     ::= "rdr" ifname destination port "->" target
    bimaprule   ::= "bimap" ifname source "->" destination
    source      ::= destination
    destination ::= host "/" mask
    target      ::= host "port" port porttype
    portrange   ::= port ":" port
    portmap     ::= "portmap" porttype portrange
    proxy       ::= "proxy port" port [ "/" protocol ]
    mapoption   ::= proxy | portmap
    porttype    ::= "tcp" | "udp" | "tcpudp" | "tcp/udp"
    protocol    ::= number
    port        ::= number
    host        ::= "any" | IP-addr
    mask        ::= non-numeric | IP-addr | hex-value | bit-count
    ifname      ::= interface-name
Elements in a rule are usually separated by whitespace (blanks or tabs). The '/' in the host rule and the ':' in the portrange rule must have no whitespace before or after them. The '/' in the proxy rule must have whitespace before it but none after it.
In the host and mask rules, the alternatives are evaluated in the order given.
For the mask rule, if the element begins with a non-digit the mask is taken to be all zeros; a mistyped mask such as /abc therefore silently yields 0.0.0.0, which matches every address, so rules should be checked after parsing. A '.' in the element causes it to be interpreted as a numeric IP address of the form 1.2.3.4. An 'x' in the element causes it to be interpreted as a 32-bit hex value. If all else fails, the element is interpreted as the number of leading 1 bits in the 32-bit network mask. Whichever interpretation applies, a resulting mask of all 1s, indicating a single host, is valid. A mask of 31 1s (255.255.255.254) is considered invalid, as it leaves no room for host addresses once the network and broadcast addresses are accounted for.
EXAMPLE
To translate the addresses used internally on network 10 into an ISP-provided 8-bit subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
    map ppp0 10.0.0.0/8 -> 209.1.2.0/24
The obvious problem here is that we are trying to squeeze over 16,000,000 IP addresses into a 254-address space. To increase the number of usable mappings, port remapping (PAT) can be applied to TCP and/or UDP:
    map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
which falls only 527,566 `addresses' short of the space available in network 10. If these rules were to be combined, they would need to be specified in this order:
    map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
    map ppp0 10.0.0.0/8 -> 209.1.2.0/24
so that all TCP and UDP packets are port mapped, and other protocols, such as ICMP, have only their IP addresses changed.
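The rule syntax and mask rules described in this section, turned into a small parser, as an added example that is not code from the Unison distribution or its ppp demo. It handles map, rdr and bimap rules with the portmap option (the proxy option is not handled), applies the mask rules above, including the all-zeros mask for an element starting with a non-digit and the rejection of /31, and fills a nat_rule structure of its own so that it compiles on any POSIX host. Copying the result into the kernel's ipnat (in_ifname, in_inip/in_inmsk, in_outip/in_outmsk, in_pmin/in_pmax) and choosing in_redir and in_flags, whose encodings come from <netinet/ip_nat.h>, is left to the application. Two assumptions are made: addresses are held in host byte order (ipnat's in_addr fields need htonl()), and an optional "port" keyword before the rdr port is accepted, as in ipnat usage, although the grammar above writes that production without it.

```c
/* Parser for the NAT rule grammar above (map, rdr, bimap; portmap option).
 * Added example, not Unison code: it fills a nat_rule of its own, not the
 * kernel's ipnat_t.  Copying into ipnat (in_ifname, in_inip/in_inmsk,
 * in_outip/in_outmsk with htonl(), in_pmin/in_pmax, in_redir/in_flags from
 * ip_nat.h) is left to the caller. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum rule_kind { R_MAP, R_RDR, R_BIMAP };
enum port_type { PT_NONE, PT_TCP, PT_UDP, PT_TCPUDP };

struct nat_rule {
    enum rule_kind kind;
    char ifname[16];                                        /* 16 = IFNAMSIZ on most systems */
    uint32_t src_ip, src_mask, dst_ip, dst_mask, target_ip; /* host byte order; htonl() before ipnat */
    uint16_t port_lo, port_hi, target_port;                 /* an rdr rule's own port goes in port_lo */
    enum port_type ptype;
};

/* Mask rule as stated on the page: leading non-digit -> all zeros (a typo such
 * as "/abc" thus matches every address), '.' -> dotted quad, 'x' -> 32-bit hex,
 * otherwise a prefix length.  /32 (one host) is valid, /31 is rejected. */
static int parse_mask(const char *s, uint32_t *mask)
{
    char *end; unsigned long v; struct in_addr a;
    int hex = strchr(s, 'x') != NULL || strchr(s, 'X') != NULL;
    if (!isdigit((unsigned char)s[0])) { *mask = 0; return 0; }
    if (strchr(s, '.')) {                           /* dotted quad, e.g. 255.255.255.0 */
        if (inet_pton(AF_INET, s, &a) != 1) return -1;
        *mask = ntohl(a.s_addr);
    } else {                                        /* hex value or prefix length */
        v = strtoul(s, &end, hex ? 16 : 10);
        if (*end || v > (hex ? 0xffffffffUL : 32)) return -1;
        *mask = hex ? (uint32_t)v : v ? (uint32_t)(0xffffffffUL << (32 - v)) : 0;
    }
    return *mask == 0xfffffffeUL ? -1 : 0;          /* /31 leaves no host addresses */
}

/* host ::= "any" | IP-addr; with mask non-NULL a "/mask" part is required, with NULL it must be absent */
static int parse_host(char *s, uint32_t *ip, uint32_t *mask)
{
    char *slash = strchr(s, '/'); struct in_addr a;
    if ((slash == NULL) != (mask == NULL)) return -1;
    if (slash) *slash = '\0';
    if (!strcmp(s, "any")) *ip = 0;
    else if (inet_pton(AF_INET, s, &a) == 1) *ip = ntohl(a.s_addr);
    else return -1;
    return mask ? parse_mask(slash + 1, mask) : 0;
}

static int parse_num(const char *s, unsigned long max, unsigned long *out)
{
    char *end;
    *out = strtoul(s, &end, 10);
    return (end == s || *end || *out > max) ? -1 : 0;
}

static int parse_porttype(const char *s, enum port_type *t)
{
    *t = !strcmp(s, "tcp") ? PT_TCP : !strcmp(s, "udp") ? PT_UDP
       : (!strcmp(s, "tcpudp") || !strcmp(s, "tcp/udp")) ? PT_TCPUDP : PT_NONE;
    return *t == PT_NONE ? -1 : 0;
}

/* Parses one rule line into *r: 0 on success, -1 on a syntax error. */
int parse_nat_rule(const char *line, struct nat_rule *r)
{
    char buf[256], *tok[16], *colon, *t;
    unsigned long v, v2; int n = 0, i;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    for (t = strtok(buf, " \t\n"); t && n < 16; t = strtok(NULL, " \t\n")) tok[n++] = t;
    memset(r, 0, sizeof *r);                        /* kind = R_MAP (0), ptype = PT_NONE */
    if (n < 5 || strlen(tok[1]) >= sizeof r->ifname) return -1;
    strcpy(r->ifname, tok[1]);
    if (!strcmp(tok[0], "rdr")) {   /* rdr ifname destination [port] port -> host port port porttype */
        r->kind = R_RDR;            /* the optional "port" keyword follows ipnat usage (assumption) */
        i = strcmp(tok[3], "port") ? 3 : 4;
        if (n != i + 6 || parse_host(tok[2], &r->dst_ip, &r->dst_mask) ||
            parse_num(tok[i], 65535, &v) || strcmp(tok[i + 1], "->") ||
            parse_host(tok[i + 2], &r->target_ip, NULL) || strcmp(tok[i + 3], "port") ||
            parse_num(tok[i + 4], 65535, &v2) || parse_porttype(tok[i + 5], &r->ptype)) return -1;
        r->port_lo = (uint16_t)v; r->target_port = (uint16_t)v2;
        return 0;
    }
    if (!strcmp(tok[0], "bimap")) r->kind = R_BIMAP;
    else if (strcmp(tok[0], "map")) return -1;
    if (strcmp(tok[3], "->") || parse_host(tok[2], &r->src_ip, &r->src_mask) ||
        parse_host(tok[4], &r->dst_ip, &r->dst_mask)) return -1;
    if (n == 5) return 0;                           /* plain map or bimap */
    if (r->kind == R_BIMAP || n != 8 || strcmp(tok[5], "portmap") ||   /* bimap takes no option */
        parse_porttype(tok[6], &r->ptype) || !(colon = strchr(tok[7], ':'))) return -1;
    *colon = '\0';                                  /* portmap porttype lo:hi */
    if (parse_num(tok[7], 65535, &v) || parse_num(colon + 1, 65535, &v2) || v > v2) return -1;
    r->port_lo = (uint16_t)v; r->port_hi = (uint16_t)v2;
    return 0;
}
```

Feeding the two example rules above through parse_nat_rule() gives src 10.0.0.0/255.0.0.0 and dst 209.1.2.0/255.255.255.0, with the second rule additionally carrying PT_TCPUDP and the port range 1025-65000. Because a mask element that starts with a non-digit parses as 0.0.0.0 without error, an application that loads rules from a file should reject or at least log a zero mask on a source or destination that was meant to be a specific network before handing the ipnat to SIOCADNAT.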
NOTES
A PPP demo exercising NAT on Unison and DSPnano is available in installdir/demos.