1/*
2 * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
3 * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of the project nor the names of its contributors
15 *    may be used to endorse or promote products derived from this software
16 *    without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31#ifndef _NATTRAVERSAL_H
32#define _NATTRAVERSAL_H
33
34#include "vendorid.h"
35#ifdef ENABLE_NATT
36#ifdef ENABLE_FRAG
37#include "isakmp_frag.h"
38#endif /* ENABLE_NATT */
39#endif /* ENABLE_FRAG */
40
41#define UDP_ENCAP_ESPINUDP	2	/* to make it compile - we don't use this */
42
43#define	NAT_ANNOUNCED		(1L<<0)
44#define	NAT_DETECTED_ME		(1L<<1)
45#define	NAT_DETECTED_PEER	(1L<<2)
46#define	NAT_PORTS_CHANGED	(1L<<3)
47#define	NAT_KA_QUEUED		(1L<<4)
48#define	NAT_ADD_NON_ESP_MARKER	(1L<<5)
49
50#define	NATT_AVAILABLE(iph1)	((iph1)->natt_flags & NAT_ANNOUNCED)
51
52#define	NAT_DETECTED	(NAT_DETECTED_ME | NAT_DETECTED_PEER)
53
54#define	NON_ESP_MARKER_LEN	sizeof(u_int32_t)
55#define	NON_ESP_MARKER_USE(iph1)	((iph1)->natt_flags & NAT_ADD_NON_ESP_MARKER)
56
57#ifdef ENABLE_NATT
58#ifdef ENABLE_FRAG
59#define PH1_NON_ESP_EXTRA_LEN(iph1, sendbuf) ((iph1->frag && sendbuf->l > ISAKMP_FRAG_MAXLEN) ? 0: (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0))
60#define PH2_NON_ESP_EXTRA_LEN(iph2, sendbuf) ((iph2->ph1->frag && sendbuf->l > ISAKMP_FRAG_MAXLEN) ? 0: (NON_ESP_MARKER_USE(iph2->ph1) ? NON_ESP_MARKER_LEN : 0))
61#define PH1_FRAG_FLAGS(iph1) (NON_ESP_MARKER_USE(iph1) ? FRAG_PUT_NON_ESP_MARKER : 0)
62#define PH2_FRAG_FLAGS(iph2) (NON_ESP_MARKER_USE(iph2->ph1) ? FRAG_PUT_NON_ESP_MARKER : 0)
63#else
64#define PH1_NON_ESP_EXTRA_LEN(iph1, sendbuf) (NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0)
65#define PH2_NON_ESP_EXTRA_LEN(iph2, sendbuf) (NON_ESP_MARKER_USE(iph2->ph1) ? NON_ESP_MARKER_LEN : 0)
66#define PH1_FRAG_FLAGS(iph1) 0
67#define PH2_FRAG_FLAGS(iph2) 0
68#endif
69#else
70#define PH1_NON_ESP_EXTRA_LEN(iph1, sendbuf) 0
71#define PH2_NON_ESP_EXTRA_LEN(iph2, sendbuf) 0
72#define PH1_FRAG_FLAGS(iph1) 0
73#define PH2_FRAG_FLAGS(iph2) 0
74#endif
75
76/* These are the values from parsing "remote {}"
77   block of the config file. */
78#define NATT_OFF	FALSE	/* = 0 */
79#define NATT_ON		TRUE	/* = 1 */
80#define NATT_FORCE	2
81
82struct ph1natt_options {
83  int		version;
84  u_int16_t	float_port;
85  u_int16_t	mode_udp_tunnel;
86  u_int16_t	mode_udp_transport;
87  u_int16_t	encaps_type; /* ESPINUDP / ESPINUDP_NON_IKE */
88  u_int16_t	mode_udp_diff;
89  u_int16_t	payload_nat_d;
90  u_int16_t	payload_nat_oa;
91};
92
93struct ph2natt {
94  u_int8_t	type;
95  u_int16_t	sport;
96  u_int16_t	dport;
97  struct sockaddr_storage	*oa;
98  u_int16_t	frag;
99};
100
101int natt_vendorid (int vid);
102vchar_t *natt_hash_addr (phase1_handle_t *iph1, struct sockaddr_storage *addr);
103int natt_compare_addr_hash (phase1_handle_t *iph1, vchar_t *natd_received, int natd_seq);
104int natt_udp_encap (int encmode);
105int natt_fill_options (struct ph1natt_options *opts, int version);
106void natt_float_ports (phase1_handle_t *iph1);
107void natt_handle_vendorid (phase1_handle_t *iph1, int vid_numeric);
108int create_natoa_payloads(phase2_handle_t *iph2, vchar_t **, vchar_t **);
109struct sockaddr_storage * process_natoa_payload(vchar_t *buf);
110
111struct payload_list *
112isakmp_plist_append_natt_vids (struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]);
113
114/* Walk through all rmconfigs and tell if NAT-T is enabled in at least one. */
115int natt_enabled_in_rmconf (void);
116
117#endif /* _NATTRAVERSAL_H */
118