.\" $OpenBSD: ipnat.4,v 1.12 1999/06/18 01:46:40 aaron Exp $
.Dd 5 June, 1999
.Os
.Dt IPNAT 4
.Sh NAME
.Nm ipnat
.Nd Network Address Translation kernel interface
.Sh SYNOPSIS
.Fd #include <netinet/ip_fil_compat.h>
.Fd #include <netinet/ip_fil.h>
.Fd #include <netinet/ip_proxy.h>
.Fd #include <netinet/ip_nat.h>
.Sh DESCRIPTION
Unlike
.Xr ipf 4 ,
only a single list is supported by the kernel NAT
interface. An inactive list which can be swapped to is not currently
supported.
.Pp
To add/delete rules to/from the NAT list, two
.Dq basic
ioctl's are provided:
.Bd -literal -offset indent
.Fn ioctl fd SIOCADNAT "struct ipnat *"
.Fn ioctl fd SIOCRMNAT "struct ipnat *"
.Ed
.Pp
To retrieve NAT statistics, a single ioctl is provided:
.Bd -literal -offset indent
.Fn ioctl fd SIOCGNATS "struct natstat *"
.Ed
.Pp
These ioctl's are implemented as routing ioctl's, so the rules
for routing ioctl's and the file descriptor
.Fa fd
must be followed.
The most important rule is that the file descriptor
.Fa fd
must be for the device associated with the NAT module (i.e.,
.Pa /dev/ipnat ,
see
.Sx FILES ) .
.Pp
The structure
.Fa ipnat
and associated macros are defined as:
.Bd -literal -offset indent
typedef struct ipnat {
struct ipnat *in_next;
void *in_ifp;
void *in_apr;
u_int in_space;
u_int in_use;
struct in_addr in_nextip;
u_short in_pnext;
u_short in_flags;
u_short in_port[2];
struct in_addr in_in[2];
struct in_addr in_out[2];
int in_redir;
char in_ifname[IFNAMSIZ];
char in_plabel[APR_LABELLEN];
char in_p;
u_short in_dport;
} ipnat_t;
#define in_pmin in_port[0]
#define in_pmax in_port[1]
#define in_nip in_nextip.s_addr
#define in_inip in_in[0].s_addr
#define in_inmsk in_in[1].s_addr
#define in_outip in_out[0].s_addr
#define in_outmsk in_out[1].s_addr
.Ed
.Pp
Where recognised values for
.Fa in_redir
are:
.Bd -literal -offset indent
#define NAT_MAP 0x01
#define NAT_REDIRECT 0x02
#define NAT_BIMAP (NAT_MAP|NAT_REDIRECT)
.Ed
.Pp
The structure
.Fa natstat
is defined as:
.Bd -literal -offset indent
typedef struct natstat {
u_long ns_mapped[2];
u_long ns_rules;
u_long ns_added;
u_long ns_expire;
u_long ns_inuse;
u_long ns_logged;
u_long ns_logfail;
nat_t **ns_table[2];
ipnat_t *ns_list;
void *ns_apslist;
} natstat_t;
.Ed
.Pp
The NAT kernel tables are hash tables of size
.Dv NAT_SIZE
(default is 367).
.Sh FILES
.Bl -tag -width /dev/ipnat -compact
.It Pa /dev/ipnat
.El
.Sh SEE ALSO
.Xr ipf 1 ,
.Xr ipftest 1 ,
.Xr ipf 4 ,
.Xr ipl 4 ,
.Xr ipf 5 ,
.Xr ipnat 5 ,
.Xr ipnat 8 ,
.Xr ipfstat 8 ,
.Xr ipmon 8
.Pp
http://coombs.anu.edu.au/ipfilter/
.Sh BUGS
It would be nice if there were more flexibility when adding and deleting
NAT rules; currently a rule can only be added to or removed from the
single active list.