author | Andrey V. Elsukov <ae@FreeBSD.org> | 2019-03-18 10:39:14 +0000 |
---|---|---|
committer | Andrey V. Elsukov <ae@FreeBSD.org> | 2019-03-18 10:39:14 +0000 |
commit | b11efc1eb69ff1e1cf7f2578f4db0b8ad18b6471 (patch) | |
tree | b865918ae4f16eba9d81e93cab3c9112deb541a1 /sbin/ipfw | |
parent | 783efeb544308e34e696907bac3dfb0813fc1d3e (diff) | |
Modify struct nat64_config.
Add a second IPv6 prefix to the generic config structure and rename the other
fields to conform to RFC 6877. Now it contains two prefixes and their lengths:
PLAT is provider-side translator that translates N:1 global IPv6 addresses
to global IPv4 addresses. CLAT is customer-side translator (XLAT) that
algorithmically translates 1:1 IPv4 addresses to global IPv6 addresses.
Use PLAT prefix in stateless (nat64stl) and stateful (nat64lsn)
translators.
Modify nat64_extract_ip4() and nat64_embed_ip4() functions to accept
prefix length and use plat_plen to specify prefix length.
Retire net.inet.ip.fw.nat64_allow_private sysctl variable.
Add NAT64_ALLOW_PRIVATE flag and use "allow_private" config option to
configure this ability separately for each NAT64 instance.
Obtained from: Yandex LLC
MFC after: 1 month
Sponsored by: Yandex LLC
Notes:
svn path=/head/; revision=345262
Diffstat (limited to 'sbin/ipfw')
-rw-r--r-- | sbin/ipfw/ipfw.8 | 28 | ||||
-rw-r--r-- | sbin/ipfw/ipfw2.h | 2 | ||||
-rw-r--r-- | sbin/ipfw/nat64lsn.c | 16 | ||||
-rw-r--r-- | sbin/ipfw/nat64stl.c | 16 |
4 files changed, 51 insertions, 11 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index d0b584db5438..9b7cecd8db44 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 1, 2019 +.Dd March 18, 2019 .Dt IPFW 8 .Os .Sh NAME @@ -3413,6 +3413,14 @@ With you are able to see each handled packet before and after translation. .It Cm -log Turn off logging of all handled packets via BPF. +.It Cm allow_private +Turn on processing private IPv4 addresses. By default IPv6 packets with +destinations mapped to private address ranges defined by RFC1918 are not +processed. +.It Cm -allow_private +Turn off private address handling in +.Nm nat64 +instance. .El .Pp To inspect a states table of stateful NAT64 the following command can be used: @@ -3460,6 +3468,14 @@ Turn on logging of all handled packets via BPF through interface. .It Cm -log Turn off logging of all handled packets via BPF. +.It Cm allow_private +Turn on processing private IPv4 addresses. By default IPv6 packets with +destinations mapped to private address ranges defined by RFC1918 are not +processed. +.It Cm -allow_private +Turn off private address handling in +.Nm nat64 +instance. .El .Pp Note that the behavior of stateless translator with respect to not matched @@ -3948,16 +3964,6 @@ Default is no. Controls whether bridged packets are passed to .Nm . Default is no. -.It Va net.inet.ip.fw.nat64_allow_private : No 0 -Defines how -.Nm nat64 -handles private IPv4 addresses: -.Bl -tag -width indent -.It Cm 0 -Packets with private IPv4 will not be handled by translator -.It Cm 1 -Translator will accept and process packets with private IPv4 addresses. -.El .It Va net.inet.ip.fw.nat64_debug : No 0 Controls debugging messages produced by .Nm ipfw_nat64 diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h index 8e279389a1eb..8f07335de9f6 100644 --- a/sbin/ipfw/ipfw2.h +++ b/sbin/ipfw/ipfw2.h 
@@ -288,6 +288,8 @@ enum tokens {
 TOK_UDP_AGE,
 TOK_ICMP_AGE,
 TOK_LOGOFF,
+ TOK_PRIVATE,
+ TOK_PRIVATEOFF,
 /* NPTv6 tokens */
 TOK_NPTV6,
diff --git a/sbin/ipfw/nat64lsn.c b/sbin/ipfw/nat64lsn.c
index a364f0178556..776613c47183 100644
--- a/sbin/ipfw/nat64lsn.c
+++ b/sbin/ipfw/nat64lsn.c
@@ -377,6 +377,8 @@ static struct _s_x nat64newcmds[] = {
 { "icmp_age", TOK_ICMP_AGE },
 { "log", TOK_LOG },
 { "-log", TOK_LOGOFF },
+ { "allow_private", TOK_PRIVATE },
+ { "-allow_private", TOK_PRIVATEOFF },
 { NULL, 0 }
 };
@@ -522,6 +524,12 @@ nat64lsn_create(const char *name, uint8_t set, int ac, char **av)
 case TOK_LOGOFF:
 cfg->flags &= ~NAT64_LOG;
 break;
+ case TOK_PRIVATE:
+ cfg->flags |= NAT64_ALLOW_PRIVATE;
+ break;
+ case TOK_PRIVATEOFF:
+ cfg->flags &= ~NAT64_ALLOW_PRIVATE;
+ break;
 }
 }
@@ -627,6 +635,12 @@ nat64lsn_config(const char *name, uint8_t set, int ac, char **av)
 case TOK_LOGOFF:
 cfg->flags &= ~NAT64_LOG;
 break;
+ case TOK_PRIVATE:
+ cfg->flags |= NAT64_ALLOW_PRIVATE;
+ break;
+ case TOK_PRIVATEOFF:
+ cfg->flags &= ~NAT64_ALLOW_PRIVATE;
+ break;
 default:
 errx(EX_USAGE, "Can't change %s option", opt);
 }
@@ -801,6 +815,8 @@ nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set)
 printf(" icmp_age %u", cfg->st_icmp_ttl);
 if (cfg->flags & NAT64_LOG)
 printf(" log");
+ if (cfg->flags & NAT64_ALLOW_PRIVATE)
+ printf(" allow_private");
 printf("\n");
 return (0);
 }
diff --git a/sbin/ipfw/nat64stl.c b/sbin/ipfw/nat64stl.c
index 27653aa5b4df..867f3a6629f6 100644
--- a/sbin/ipfw/nat64stl.c
+++ b/sbin/ipfw/nat64stl.c
@@ -196,6 +196,8 @@ static struct _s_x nat64newcmds[] = {
 { "prefix6", TOK_PREFIX6 },
 { "log", TOK_LOG },
 { "-log", TOK_LOGOFF },
+ { "allow_private", TOK_PRIVATE },
+ { "-allow_private", TOK_PRIVATEOFF },
 { NULL, 0 }
 };
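Review bot: The new `case TOK_PRIVATE:` in nat64lsn_create sets NAT64_ALLOW_PRIVATE with no cross-check against the IPv6 prefix parsed in the same option loop, although RFC 6052 §3.1 forbids using the well-known prefix 64:ff9b::/96 to represent non-global IPv4 addresses, which are exactly the RFC 1918 ranges this option exists to admit. After the loop, whose two closing braces end this hunk, the create path could compare the configured prefix with 64:ff9b::/96 and at least `warnx("allow_private with 64:ff9b::/96 contradicts RFC 6052")`; this userland-only diff does not show whether the kernel rejects that combination, so the check may already exist there. The option is also off by default per instance (the ipfw.8 text in this commit says packets to private ranges are not processed unless it is set), so installations that relied on the retired net.inet.ip.fw.nat64_allow_private sysctl silently lose private-address translation after upgrading until each instance is recreated or reconfigured; a comment on the case, `/* replaces the global nat64_allow_private sysctl; off unless set per instance */`, would record that migration for the next reader. The rest of nat64lsn_create lies outside this hunk.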
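Review bot: Adding `case TOK_PRIVATEOFF:` to nat64lsn_config makes NAT64_ALLOW_PRIVATE clearable on a running stateful instance, but nothing in this hunk or the commit message says what happens to states that were already created towards RFC 1918 destinations while the flag was set; presumably they keep being translated until they age out, so `-allow_private` would not be an immediate cut-off for an operator who flips it to stop leaking private-range traffic. That behaviour should be confirmed against the kernel side, which is not part of this diff, and then stated in the allow_private entry of ipfw.8 and on this case with a comment such as `/* affects new packets only; existing states are not flushed -- confirm */`. The enclosing nat64lsn_config starts before this hunk.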
@@ -263,6 +265,12 @@ nat64stl_create(const char *name, uint8_t set, int ac, char *av[])
 case TOK_LOGOFF:
 cfg->flags &= ~NAT64_LOG;
 break;
+ case TOK_PRIVATE:
+ cfg->flags |= NAT64_ALLOW_PRIVATE;
+ break;
+ case TOK_PRIVATEOFF:
+ cfg->flags &= ~NAT64_ALLOW_PRIVATE;
+ break;
 }
 }
@@ -332,6 +340,12 @@ nat64stl_config(const char *name, uint8_t set, int ac, char **av)
 case TOK_LOGOFF:
 cfg->flags &= ~NAT64_LOG;
 break;
+ case TOK_PRIVATE:
+ cfg->flags |= NAT64_ALLOW_PRIVATE;
+ break;
+ case TOK_PRIVATEOFF:
+ cfg->flags &= ~NAT64_ALLOW_PRIVATE;
+ break;
 default:
 errx(EX_USAGE, "Can't change %s option", opt);
 }
@@ -451,6 +465,8 @@ nat64stl_show_cb(ipfw_nat64stl_cfg *cfg, const char *name, uint8_t set)
 printf(" prefix6 %s/%u", abuf, cfg->plen6);
 if (cfg->flags & NAT64_LOG)
 printf(" log");
+ if (cfg->flags & NAT64_ALLOW_PRIVATE)
+ printf(" allow_private");
 printf("\n");
 return (0);
 }
|
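Review bot: The two new cases in nat64stl_config are the fourth verbatim copy of the same NAT64_ALLOW_PRIVATE toggle in this commit (nat64lsn_create, nat64lsn_config, nat64stl_create and here), sitting next to the already duplicated TOK_LOG/TOK_LOGOFF handling, and this duplication is what makes options like allow_private drift between the two translators. A small shared helper taking the token and a pointer to the flags word, e.g. `static int nat64_flag_token(int tok, uint32_t *flags)` returning 0 when the token is not a flag so the callers' existing `default:` path still fires, would replace all four copies; both cfg structs expose a `flags` member in this diff, but their exact type is not visible here, so the pointer type should be matched to it. The enclosing nat64stl_config starts before this hunk.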