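/*
 * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
 * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * NAT-Traversal (NAT-T) support for IKE phase 1 and phase 2: NAT-T vendor
 * IDs, NAT-D address hashes, NAT-OA payloads, port floating and the
 * non-ESP marker used on the UDP-encapsulated ESP port.
 *
 * NOTE(review): the include guard name starts with '_' followed by an
 * uppercase letter, which the C standard reserves for the implementation.
 * It is kept unchanged because other translation units may test it.
 */
#ifndef _NATTRAVERSAL_H
#define _NATTRAVERSAL_H

#include "vendorid.h"
#ifdef ENABLE_NATT
#ifdef ENABLE_FRAG
#include "isakmp_frag.h"
#endif /* ENABLE_FRAG */
#endif /* ENABLE_NATT */

/*
 * Only here so the code compiles on systems whose headers lack it; the
 * value itself is never used by this code. Guarded so that a system
 * definition, where present, is not redefined.
 */
#ifndef UDP_ENCAP_ESPINUDP
#define UDP_ENCAP_ESPINUDP	2
#endif

/* Bits of iph1->natt_flags. */
#define NAT_ANNOUNCED		(1L<<0)	/* NAT-T support was announced (see natt_handle_vendorid) */
#define NAT_DETECTED_ME		(1L<<1)	/* our side is behind a NAT */
#define NAT_DETECTED_PEER	(1L<<2)	/* the peer is behind a NAT */
#define NAT_PORTS_CHANGED	(1L<<3)	/* ports have been floated (see natt_float_ports) */
#define NAT_KA_QUEUED		(1L<<4)	/* NAT keep-alive already queued */
#define NAT_ADD_NON_ESP_MARKER	(1L<<5)	/* prepend the non-ESP marker to outgoing IKE packets */

/* True once NAT-T has been announced for this phase 1. */
#define NATT_AVAILABLE(iph1)	((iph1)->natt_flags & NAT_ANNOUNCED)

/* A NAT was detected on either side. */
#define NAT_DETECTED		(NAT_DETECTED_ME | NAT_DETECTED_PEER)

/*
 * The non-ESP marker is the 4-byte field prepended to IKE packets that
 * share the UDP port with UDP-encapsulated ESP (RFC 3948); this header
 * only fixes its length, the marker itself is written by the senders.
 */
#define NON_ESP_MARKER_LEN	(sizeof(u_int32_t))
#define NON_ESP_MARKER_USE(iph1) ((iph1)->natt_flags & NAT_ADD_NON_ESP_MARKER)

/*
 * PHx_NON_ESP_EXTRA_LEN: number of extra bytes to reserve in front of an
 * outgoing IKE message for the non-ESP marker (0 when the marker is not
 * in use). When fragmentation is compiled in and the message will be
 * fragmented (iph1->frag set and the buffer longer than
 * ISAKMP_FRAG_MAXLEN) nothing is reserved here; the marker is presumably
 * added per fragment via PHx_FRAG_FLAGS / FRAG_PUT_NON_ESP_MARKER instead
 * (confirm in isakmp_frag.h).
 *
 * Every macro argument is parenthesised so that an expression, not only a
 * plain identifier, can be passed; the phase-2 variants delegate to the
 * phase-1 ones through iph2->ph1 so both stay in sync.
 */
#ifdef ENABLE_NATT
#ifdef ENABLE_FRAG
#define PH1_NON_ESP_EXTRA_LEN(iph1, sendbuf) \
	(((iph1)->frag && (sendbuf)->l > ISAKMP_FRAG_MAXLEN) ? 0 : \
	 (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0))
#define PH2_NON_ESP_EXTRA_LEN(iph2, sendbuf) \
	PH1_NON_ESP_EXTRA_LEN((iph2)->ph1, sendbuf)
#define PH1_FRAG_FLAGS(iph1) \
	(NON_ESP_MARKER_USE(iph1) ? FRAG_PUT_NON_ESP_MARKER : 0)
#define PH2_FRAG_FLAGS(iph2) \
	PH1_FRAG_FLAGS((iph2)->ph1)
#else
#define PH1_NON_ESP_EXTRA_LEN(iph1, sendbuf) \
	(NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0)
#define PH2_NON_ESP_EXTRA_LEN(iph2, sendbuf) \
	PH1_NON_ESP_EXTRA_LEN((iph2)->ph1, sendbuf)
#define PH1_FRAG_FLAGS(iph1)	0
#define PH2_FRAG_FLAGS(iph2)	0
#endif /* ENABLE_FRAG */
#else
#define PH1_NON_ESP_EXTRA_LEN(iph1, sendbuf)	0
#define PH2_NON_ESP_EXTRA_LEN(iph2, sendbuf)	0
#define PH1_FRAG_FLAGS(iph1)	0
#define PH2_FRAG_FLAGS(iph2)	0
#endif /* ENABLE_NATT */

/*
 * Values obtained from parsing the "remote {}" block of the config file.
 * NATT_FORCE, by its name, requests NAT-T regardless of NAT detection;
 * confirm the exact semantics in the parser and its callers.
 */
#define NATT_OFF	FALSE	/* = 0 */
#define NATT_ON		TRUE	/* = 1 */
#define NATT_FORCE	2

/*
 * NAT-T protocol constants for one phase-1 handle, filled in by
 * natt_fill_options() for the NAT-T version that was negotiated.
 * The per-field meanings below follow the field names; the concrete
 * values live in natt_fill_options().
 */
struct ph1natt_options {
	int		version;		/* NAT-T (draft/RFC) version these values belong to */
	u_int16_t	float_port;		/* UDP port the IKE exchange floats to */
	u_int16_t	mode_udp_tunnel;	/* encapsulation-mode code: UDP tunnel */
	u_int16_t	mode_udp_transport;	/* encapsulation-mode code: UDP transport */
	u_int16_t	encaps_type;		/* ESPINUDP / ESPINUDP_NON_IKE */
	u_int16_t	mode_udp_diff;		/* offset between UDP and plain mode codes -- confirm */
	u_int16_t	payload_nat_d;		/* payload type number used for NAT-D */
	u_int16_t	payload_nat_oa;		/* payload type number used for NAT-OA */
};

/* NAT-T state carried by a phase-2 handle. */
struct ph2natt {
	u_int8_t		type;	/* encapsulation type; value set is not visible here -- confirm */
	u_int16_t		sport;	/* source UDP port */
	u_int16_t		dport;	/* destination UDP port */
	struct sockaddr_storage	*oa;	/* original address from a NAT-OA payload, see process_natoa_payload() */
	u_int16_t		frag;	/* fragmentation-related; semantics defined by its users -- confirm */
};

/* Tell whether vid is one of the NAT-T vendor IDs (return convention is defined in the .c file). */
int natt_vendorid(int vid);

/*
 * Compute the NAT-D hash of addr for iph1. Ownership of the returned
 * buffer is not visible here; presumably the caller releases it -- confirm.
 */
vchar_t *natt_hash_addr(phase1_handle_t *iph1, struct sockaddr_storage *addr);

/*
 * Compare the received NAT-D payload natd_received with the locally
 * computed hash; natd_seq presumably selects which of the peer's NAT-D
 * payloads (and thus which address) is being checked -- confirm.
 * natd_received comes off the wire: its length must be validated before
 * the comparison (the NAT_DETECTED_* outcome drives encapsulation).
 */
int natt_compare_addr_hash(phase1_handle_t *iph1, vchar_t *natd_received, int natd_seq);

/* Map an encapsulation mode to its UDP-encapsulated variant (name-based reading -- confirm). */
int natt_udp_encap(int encmode);

/* Fill opts with the constants for NAT-T version `version`; the return value reports success/failure per the .c file's convention. */
int natt_fill_options(struct ph1natt_options *opts, int version);

/* Switch iph1 to the floated NAT-T ports (see ph1natt_options.float_port). */
void natt_float_ports(phase1_handle_t *iph1);

/* Process a received NAT-T vendor ID (vid_numeric) and update iph1's NAT-T state. */
void natt_handle_vendorid(phase1_handle_t *iph1, int vid_numeric);

/*
 * Build the two NAT-OA payloads for iph2 into the two output buffers.
 * The parameter names are descriptive only; which buffer carries which
 * address is defined in the .c file.
 */
int create_natoa_payloads(phase2_handle_t *iph2, vchar_t **natoa_a, vchar_t **natoa_b);

/*
 * Parse a received NAT-OA payload (buf) into a socket address.
 * buf is network-supplied, so length and address-type validation belong
 * in the implementation. Ownership of the returned storage is not visible
 * here; presumably the caller frees it -- confirm.
 */
struct sockaddr_storage *process_natoa_payload(vchar_t *buf);

/*
 * Append the NAT-T vendor ID payloads in vid_natt to plist and return the
 * resulting list. vid_natt decays to vchar_t **; MAX_NATT_VID_COUNT
 * documents the expected array length only.
 */
struct payload_list *
isakmp_plist_append_natt_vids(struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]);

/* Walk through all rmconfigs and tell if NAT-T is enabled in at least one. */
int natt_enabled_in_rmconf(void);

#endif /* _NATTRAVERSAL_H */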