authorAlexander V. Chernikov <melifaro@FreeBSD.org>2020-01-24 20:35:41 +0000
committerAlexander V. Chernikov <melifaro@FreeBSD.org>2020-01-24 20:35:41 +0000
commit75b893375fbc9a10f09f31ca773087e575fa3558 (patch)
treeb8187f23442ad49f736000fc83956785593fa89c /sbin/ipfw
parentcd0047f3a9f3531d9181ca1cd38f554f6351af6c (diff)
downloadsrc-75b893375fbc9a10f09f31ca773087e575fa3558.tar.gz
src-75b893375fbc9a10f09f31ca773087e575fa3558.zip
Add support for RFC 6598/Carrier Grade NAT subnets. to libalias and ipfw.
In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added. This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware. Also, we add a new NAT option to ipfw called unreg_cgn, which is like unreg_only, but also is RFC 6598-aware. The reason for the new flags/options is to avoid breaking existing networks, especially those which rely on RFC 6598 as an external address. Submitted by: Neel Chauhan <neel AT neelc DOT org> MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D22877
Notes
Notes: svn path=/head/; revision=357092
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.85
-rw-r--r--sbin/ipfw/ipfw2.h1
-rw-r--r--sbin/ipfw/main.c4
-rw-r--r--sbin/ipfw/nat.c4
4 files changed, 11 insertions, 3 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index bcc8017a571b..ea35a2767845 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -3233,8 +3233,11 @@ Deny any incoming connection from outside world.
Try to leave the alias port numbers unchanged from
the actual local port numbers.
.It Cm unreg_only
-Traffic on the local network not originating from an
+Traffic on the local network not originating from a RFC 1918
unregistered address spaces will be ignored.
+.It Cm unreg_cgn
+Like unreg_only, but includes the RFC 6598 (Carrier Grade NAT)
+address range.
.It Cm reset
Reset table of the packet aliasing engine on address change.
.It Cm reverse
diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h
index 215416eecc8a..2579dc5f51ae 100644
--- a/sbin/ipfw/ipfw2.h
+++ b/sbin/ipfw/ipfw2.h
@@ -220,6 +220,7 @@ enum tokens {
TOK_DENY_INC,
TOK_SAME_PORTS,
TOK_UNREG_ONLY,
+ TOK_UNREG_CGN,
TOK_SKIP_GLOBAL,
TOK_RESET_ADDR,
TOK_ALIAS_REV,
diff --git a/sbin/ipfw/main.c b/sbin/ipfw/main.c
index b1a410a8412e..9688952ec39c 100644
--- a/sbin/ipfw/main.c
+++ b/sbin/ipfw/main.c
@@ -43,8 +43,8 @@ help(void)
"add [num] [set N] [prob x] RULE-BODY\n"
"{pipe|queue} N config PIPE-BODY\n"
"[pipe|queue] {zero|delete|show} [N{,N}]\n"
-"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|reset|\n"
-" reverse|proxy_only|redirect_addr linkspec|\n"
+"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|unreg_cgn|\n"
+" reset|reverse|proxy_only|redirect_addr linkspec|\n"
" redirect_port linkspec|redirect_proto linkspec}\n"
"set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n"
"set N {show|list|zero|resetlog|delete} [N{,N}] | flush\n"
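Review bot: The reflowed `nat N config` usage line still omits `skip_global`, although the nat_params table in nat.c (first hunk of the next file) accepts it as a NAT option; since this commit already rewrites that line to add `unreg_cgn`, it is the natural place to list it as well, unless it is deliberately left out of the short help. A minimal change would be `"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|unreg_cgn|\n"` followed by `" skip_global|reset|reverse|proxy_only|redirect_addr linkspec|\n"`. The help() string continues on both sides of the hunk.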
diff --git a/sbin/ipfw/nat.c b/sbin/ipfw/nat.c
index aced8ea10ecb..6c861e7c2c27 100644
--- a/sbin/ipfw/nat.c
+++ b/sbin/ipfw/nat.c
@@ -60,6 +60,7 @@ static struct _s_x nat_params[] = {
{ "deny_in", TOK_DENY_INC },
{ "same_ports", TOK_SAME_PORTS },
{ "unreg_only", TOK_UNREG_ONLY },
+ { "unreg_cgn", TOK_UNREG_CGN },
{ "skip_global", TOK_SKIP_GLOBAL },
{ "reset", TOK_RESET_ADDR },
{ "reverse", TOK_ALIAS_REV },
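Review bot: The new `unreg_cgn` entry makes match_token() return TOK_UNREG_CGN, but no hunk in this commit adds the matching case that sets `PKT_ALIAS_UNREGISTERED_CGN` in n->mode when the option is parsed; the diffstat shows nat.c gaining only this line plus the three lines in nat_show_cfg below. Unless the option switch in the nat config parser accepts unknown tokens, `ipfw nat N config ... unreg_cgn` will either be rejected as unrecognised or silently ignored, while nat_show_cfg is prepared to print a bit that is never set. That switch is outside this hunk and presumably needs `case TOK_UNREG_CGN: n->mode |= PKT_ALIAS_UNREGISTERED_CGN; break;` next to the existing TOK_UNREG_ONLY case; worth confirming against the full file before merge.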
@@ -663,6 +664,9 @@ nat_show_cfg(struct nat44_cfg_nat *n, void *arg)
} else if (n->mode & PKT_ALIAS_UNREGISTERED_ONLY) {
printf(" unreg_only");
n->mode &= ~PKT_ALIAS_UNREGISTERED_ONLY;
+ } else if (n->mode & PKT_ALIAS_UNREGISTERED_CGN) {
+ printf(" unreg_cgn");
+ n->mode &= ~PKT_ALIAS_UNREGISTERED_CGN;
} else if (n->mode & PKT_ALIAS_RESET_ON_ADDR_CHANGE) {
printf(" reset");
n->mode &= ~PKT_ALIAS_RESET_ON_ADDR_CHANGE;