authorAndrey V. Elsukov <ae@FreeBSD.org>2019-03-18 10:39:14 +0000
committerAndrey V. Elsukov <ae@FreeBSD.org>2019-03-18 10:39:14 +0000
commitb11efc1eb69ff1e1cf7f2578f4db0b8ad18b6471 (patch)
treeb865918ae4f16eba9d81e93cab3c9112deb541a1 /sbin/ipfw
parent783efeb544308e34e696907bac3dfb0813fc1d3e (diff)
Modify struct nat64_config.
Add a second IPv6 prefix to the generic config structure and rename other fields to conform to RFC 6877. Now it contains two prefixes and lengths: PLAT is the provider-side translator that translates N:1 global IPv6 addresses to global IPv4 addresses. CLAT is the customer-side translator (XLAT) that algorithmically translates 1:1 IPv4 addresses to global IPv6 addresses. Use the PLAT prefix in the stateless (nat64stl) and stateful (nat64lsn) translators. Modify the nat64_extract_ip4() and nat64_embed_ip4() functions to accept a prefix length and use plat_plen to specify the prefix length. Retire the net.inet.ip.fw.nat64_allow_private sysctl variable. Add the NAT64_ALLOW_PRIVATE flag and use the "allow_private" config option to configure this ability separately for each NAT64 instance.
Obtained from: Yandex LLC
MFC after: 1 month
Sponsored by: Yandex LLC
Notes
Notes: svn path=/head/; revision=345262
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.828
-rw-r--r--sbin/ipfw/ipfw2.h2
-rw-r--r--sbin/ipfw/nat64lsn.c16
-rw-r--r--sbin/ipfw/nat64stl.c16
4 files changed, 51 insertions, 11 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index d0b584db5438..9b7cecd8db44 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 1, 2019
+.Dd March 18, 2019
.Dt IPFW 8
.Os
.Sh NAME
@@ -3413,6 +3413,14 @@ With
you are able to see each handled packet before and after translation.
.It Cm -log
Turn off logging of all handled packets via BPF.
+.It Cm allow_private
+Turn on processing private IPv4 addresses. By default IPv6 packets with
+destinations mapped to private address ranges defined by RFC1918 are not
+processed.
+.It Cm -allow_private
+Turn off private address handling in
+.Nm nat64
+instance.
.El
.Pp
To inspect a states table of stateful NAT64 the following command can be used:
@@ -3460,6 +3468,14 @@ Turn on logging of all handled packets via BPF through
interface.
.It Cm -log
Turn off logging of all handled packets via BPF.
+.It Cm allow_private
+Turn on processing private IPv4 addresses. By default IPv6 packets with
+destinations mapped to private address ranges defined by RFC1918 are not
+processed.
+.It Cm -allow_private
+Turn off private address handling in
+.Nm nat64
+instance.
.El
.Pp
Note that the behavior of stateless translator with respect to not matched
@@ -3948,16 +3964,6 @@ Default is no.
Controls whether bridged packets are passed to
.Nm .
Default is no.
-.It Va net.inet.ip.fw.nat64_allow_private : No 0
-Defines how
-.Nm nat64
-handles private IPv4 addresses:
-.Bl -tag -width indent
-.It Cm 0
-Packets with private IPv4 will not be handled by translator
-.It Cm 1
-Translator will accept and process packets with private IPv4 addresses.
-.El
.It Va net.inet.ip.fw.nat64_debug : No 0
Controls debugging messages produced by
.Nm ipfw_nat64
diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h
index 8e279389a1eb..8f07335de9f6 100644
--- a/sbin/ipfw/ipfw2.h
+++ b/sbin/ipfw/ipfw2.h
@@ -288,6 +288,8 @@ enum tokens {
TOK_UDP_AGE,
TOK_ICMP_AGE,
TOK_LOGOFF,
+ TOK_PRIVATE,
+ TOK_PRIVATEOFF,
/* NPTv6 tokens */
TOK_NPTV6,
diff --git a/sbin/ipfw/nat64lsn.c b/sbin/ipfw/nat64lsn.c
index a364f0178556..776613c47183 100644
--- a/sbin/ipfw/nat64lsn.c
+++ b/sbin/ipfw/nat64lsn.c
@@ -377,6 +377,8 @@ static struct _s_x nat64newcmds[] = {
{ "icmp_age", TOK_ICMP_AGE },
{ "log", TOK_LOG },
{ "-log", TOK_LOGOFF },
+ { "allow_private", TOK_PRIVATE },
+ { "-allow_private", TOK_PRIVATEOFF },
{ NULL, 0 }
};
@@ -522,6 +524,12 @@ nat64lsn_create(const char *name, uint8_t set, int ac, char **av)
case TOK_LOGOFF:
cfg->flags &= ~NAT64_LOG;
break;
+ case TOK_PRIVATE:
+ cfg->flags |= NAT64_ALLOW_PRIVATE;
+ break;
+ case TOK_PRIVATEOFF:
+ cfg->flags &= ~NAT64_ALLOW_PRIVATE;
+ break;
}
}
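Review bot: The TOK_PRIVATE/TOK_PRIVATEOFF arms added here are repeated verbatim in nat64lsn_config (the @@ -627 hunk) and again in nat64stl_create and nat64stl_config, as are the two new nat64newcmds table rows in both files; if the lsn and stl front ends already share a common nat64 source file, a small shared parser for the log/allow_private flag pairs would keep the four copies from drifting apart. Because this flag relaxes the default refusal to translate packets whose embedded IPv4 destination falls in an RFC 1918 range (per the ipfw.8 text in this commit), a one-line comment on the TOK_PRIVATE arm would help the next maintainer, e.g. `/* Per-instance opt-in: translate RFC 1918 destinations (default off; replaces the nat64_allow_private sysctl). */`. The default-off behaviour presumably relies on cfg->flags being zeroed before the option loop, which is not visible in this hunk and is worth confirming. nat64lsn_create begins before the hunk.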
@@ -627,6 +635,12 @@ nat64lsn_config(const char *name, uint8_t set, int ac, char **av)
case TOK_LOGOFF:
cfg->flags &= ~NAT64_LOG;
break;
+ case TOK_PRIVATE:
+ cfg->flags |= NAT64_ALLOW_PRIVATE;
+ break;
+ case TOK_PRIVATEOFF:
+ cfg->flags &= ~NAT64_ALLOW_PRIVATE;
+ break;
default:
errx(EX_USAGE, "Can't change %s option", opt);
}
@@ -801,6 +815,8 @@ nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set)
printf(" icmp_age %u", cfg->st_icmp_ttl);
if (cfg->flags & NAT64_LOG)
printf(" log");
+ if (cfg->flags & NAT64_ALLOW_PRIVATE)
+ printf(" allow_private");
printf("\n");
return (0);
}
diff --git a/sbin/ipfw/nat64stl.c b/sbin/ipfw/nat64stl.c
index 27653aa5b4df..867f3a6629f6 100644
--- a/sbin/ipfw/nat64stl.c
+++ b/sbin/ipfw/nat64stl.c
@@ -196,6 +196,8 @@ static struct _s_x nat64newcmds[] = {
{ "prefix6", TOK_PREFIX6 },
{ "log", TOK_LOG },
{ "-log", TOK_LOGOFF },
+ { "allow_private", TOK_PRIVATE },
+ { "-allow_private", TOK_PRIVATEOFF },
{ NULL, 0 }
};
@@ -263,6 +265,12 @@ nat64stl_create(const char *name, uint8_t set, int ac, char *av[])
case TOK_LOGOFF:
cfg->flags &= ~NAT64_LOG;
break;
+ case TOK_PRIVATE:
+ cfg->flags |= NAT64_ALLOW_PRIVATE;
+ break;
+ case TOK_PRIVATEOFF:
+ cfg->flags &= ~NAT64_ALLOW_PRIVATE;
+ break;
}
}
@@ -332,6 +340,12 @@ nat64stl_config(const char *name, uint8_t set, int ac, char **av)
case TOK_LOGOFF:
cfg->flags &= ~NAT64_LOG;
break;
+ case TOK_PRIVATE:
+ cfg->flags |= NAT64_ALLOW_PRIVATE;
+ break;
+ case TOK_PRIVATEOFF:
+ cfg->flags &= ~NAT64_ALLOW_PRIVATE;
+ break;
default:
errx(EX_USAGE, "Can't change %s option", opt);
}
@@ -451,6 +465,8 @@ nat64stl_show_cb(ipfw_nat64stl_cfg *cfg, const char *name, uint8_t set)
printf(" prefix6 %s/%u", abuf, cfg->plen6);
if (cfg->flags & NAT64_LOG)
printf(" log");
+ if (cfg->flags & NAT64_ALLOW_PRIVATE)
+ printf(" allow_private");
printf("\n");
return (0);
}