Bring in some last changes in NAT64 implementation:

o Modify ipfw(8) to be able set any prefix6 not just Well-Known,
  and also show configured prefix6;
o relocate some definitions and macros into proper place;
o convert nat64_debug and nat64_allow_private variables to be
  VNET-compatible;
o add struct nat64_config that keeps generic configuration needed
  to NAT64 code;
o add nat64_check_prefix6() function to check validness of specified
  by user IPv6 prefix according to RFC6052;
o use nat64_check_private_ip4() and nat64_embed_ip4() functions
  instead of nat64_get_ip4() and nat64_set_ip4() macros. This allows
  to use any configured IPv6 prefixes that are allowed by RFC6052;
o introduce NAT64_WKPFX flag, that is set when IPv6 prefix is
  Well-Known IPv6 prefix. It is used to reduce overhead to check this;
o modify nat64lsn_cfg and nat64stl_cfg structures to use nat64_config
  structure. And respectivelly modify the rest of code;
o remove now unused ro argument from nat64_output() function;
o remove __FreeBSD_version ifdef, NAT64 was not merged to older versions;
o add commented -DIPFIREWALL_NAT64_DIRECT_OUTPUT flag to module's Makefile
  as example.

Obtained from:	Yandex LLC
MFC after:	1 month
Sponsored by:	Yandex LLC

3 files changed, 20 insertions, 16 deletions

diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h
index 7791ed71fc66..6834d411f36c 100644
--- a/sbin/ipfw/ipfw2.h
+++ b/sbin/ipfw/ipfw2.h
@@ -384,6 +384,7 @@ void ipfw_nat64lsn_handler(int ac, char *av[]);
 void ipfw_nat64stl_handler(int ac, char *av[]);
 void ipfw_nptv6_handler(int ac, char *av[]);
 int ipfw_check_object_name(const char *name);
+int ipfw_check_nat64prefix(const struct in6_addr *prefix, int length);
 
 #ifdef PF
 /* altq.c */
diff --git a/sbin/ipfw/nat64lsn.c b/sbin/ipfw/nat64lsn.c
index 7fd3c7770060..a364f0178556 100644
--- a/sbin/ipfw/nat64lsn.c
+++ b/sbin/ipfw/nat64lsn.c
@@ -428,13 +428,17 @@ nat64lsn_create(const char *name, uint8_t set, int ac, char **av)
 			flags |= NAT64LSN_HAS_PREFIX4;
 			ac--; av++;
 			break;
-#if 0
 		case TOK_PREFIX6:
 			NEED1("IPv6 prefix required");
 			nat64lsn_parse_prefix(*av, AF_INET6, &cfg->prefix6,
 			    &cfg->plen6);
+			if (ipfw_check_nat64prefix(&cfg->prefix6,
+			    cfg->plen6) != 0)
+				errx(EX_USAGE, "Bad prefix6 %s", *av);
+
 			ac--; av++;
 			break;
+#if 0
 		case TOK_AGG_LEN:
 			NEED1("Aggregation prefix len required");
 			cfg->agg_prefix_len = nat64lsn_parse_int(*av, opt);
@@ -767,10 +771,10 @@ nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set)
 	if (co.use_set != 0 || cfg->set != 0)
 		printf("set %u ", cfg->set);
 	inet_ntop(AF_INET, &cfg->prefix4, abuf, sizeof(abuf));
-	printf("nat64lsn %s prefix4 %s/%u ", cfg->name, abuf, cfg->plen4);
-#if 0
+	printf("nat64lsn %s prefix4 %s/%u", cfg->name, abuf, cfg->plen4);
 	inet_ntop(AF_INET6, &cfg->prefix6, abuf, sizeof(abuf));
-	printf("prefix6 %s/%u", abuf, cfg->plen6);
+	printf(" prefix6 %s/%u", abuf, cfg->plen6);
+#if 0
 	printf("agg_len %u agg_count %u ", cfg->agg_prefix_len,
 	    cfg->agg_prefix_max);
 	if (cfg->min_port != NAT64LSN_PORT_MIN ||
diff --git a/sbin/ipfw/nat64stl.c b/sbin/ipfw/nat64stl.c
index 6cd936c4c469..27653aa5b4df 100644
--- a/sbin/ipfw/nat64stl.c
+++ b/sbin/ipfw/nat64stl.c
@@ -49,7 +49,6 @@ __FBSDID("$FreeBSD$");
 #include <netinet6/ip_fw_nat64.h>
 #include <arpa/inet.h>
 
-static int nat64stl_check_prefix(struct in6_addr *prefix, int length);
 typedef int (nat64stl_cb_t)(ipfw_nat64stl_cfg *i, const char *name,
     uint8_t set);
 static int nat64stl_foreach(nat64stl_cb_t *f, const char *name, uint8_t set,
@@ -80,13 +79,10 @@ static struct _s_x nat64cmds[] = {
     ((a)->__u6_addr.__u6_addr32[0] == IPV6_ADDR_INT32_WKPFX &&	\
 	(a)->__u6_addr.__u6_addr32[1] == 0 &&			\
 	(a)->__u6_addr.__u6_addr32[2] == 0)
-static int
-nat64stl_check_prefix(struct in6_addr *prefix, int length)
+int
+ipfw_check_nat64prefix(const struct in6_addr *prefix, int length)
 {
 
-	if (IN6_IS_ADDR_WKPFX(prefix) && length == 96)
-		return (0);
-#if 0
 	switch (length) {
 	case 32:
 	case 40:
@@ -95,21 +91,20 @@ nat64stl_check_prefix(struct in6_addr *prefix, int length)
 	case 64:
 		/* Well-known prefix has 96 prefix length */
 		if (IN6_IS_ADDR_WKPFX(prefix))
-			return (1);
+			return (EINVAL);
 		/* FALLTHROUGH */
 	case 96:
 		/* Bits 64 to 71 must be set to zero */
 		if (prefix->__u6_addr.__u6_addr8[8] != 0)
-			return (1);
+			return (EINVAL);
 		/* XXX: looks incorrect */
 		if (IN6_IS_ADDR_MULTICAST(prefix) ||
 		    IN6_IS_ADDR_UNSPECIFIED(prefix) ||
 		    IN6_IS_ADDR_LOOPBACK(prefix))
-			return (1);
+			return (EINVAL);
 		return (0);
 	}
-#endif
-	return (1);
+	return (EINVAL);
 }
 
 static struct _s_x nat64statscmds[] = {
@@ -255,7 +250,7 @@ nat64stl_create(const char *name, uint8_t set, int ac, char *av[])
 				errx(EX_USAGE,
 				    "Bad prefix: %s", *av);
 			cfg->plen6 = strtol(p, NULL, 10);
-			if (nat64stl_check_prefix(&cfg->prefix6,
+			if (ipfw_check_nat64prefix(&cfg->prefix6,
 			    cfg->plen6) != 0)
 				errx(EX_USAGE,
 				    "Bad prefix length: %s", p);
@@ -439,6 +434,7 @@ nat64stl_reset_stats(const char *name, uint8_t set)
 static int
 nat64stl_show_cb(ipfw_nat64stl_cfg *cfg, const char *name, uint8_t set)
 {
+	char abuf[INET6_ADDRSTRLEN];
 
 	if (name != NULL && strcmp(cfg->name, name) != 0)
 		return (ESRCH);
@@ -448,8 +444,11 @@ nat64stl_show_cb(ipfw_nat64stl_cfg *cfg, const char *name, uint8_t set)
 
 	if (co.use_set != 0 || cfg->set != 0)
 		printf("set %u ", cfg->set);
+
 	printf("nat64stl %s table4 %s table6 %s",
 	    cfg->name, cfg->ntlv4.name, cfg->ntlv6.name);
+	inet_ntop(AF_INET6, &cfg->prefix6, abuf, sizeof(abuf));
+	printf(" prefix6 %s/%u", abuf, cfg->plen6);
 	if (cfg->flags & NAT64_LOG)
 		printf(" log");
 	printf("\n");