diff options
author | Andrey V. Elsukov <ae@FreeBSD.org> | 2018-05-09 11:59:24 +0000 |
---|---|---|
committer | Andrey V. Elsukov <ae@FreeBSD.org> | 2018-05-09 11:59:24 +0000 |
commit | 782360dec3ea425bf81060228b9d891d82f5d29a (patch) | |
tree | 0480dd87666bbbd0f41fa7ed1a8655b148d5c38e /sbin | |
parent | 19703503bafc826c854479cc150305545e0122e0 (diff) | |
download | src-782360dec3ea425bf81060228b9d891d82f5d29a.tar.gz src-782360dec3ea425bf81060228b9d891d82f5d29a.zip |
Bring in some last changes in NAT64 implementation:
o Modify ipfw(8) to be able set any prefix6 not just Well-Known,
and also show configured prefix6;
o relocate some definitions and macros into proper place;
o convert nat64_debug and nat64_allow_private variables to be
VNET-compatible;
o add struct nat64_config that keeps generic configuration needed
to NAT64 code;
o add nat64_check_prefix6() function to check validness of specified
by user IPv6 prefix according to RFC6052;
o use nat64_check_private_ip4() and nat64_embed_ip4() functions
instead of nat64_get_ip4() and nat64_set_ip4() macros. This allows
to use any configured IPv6 prefixes that are allowed by RFC6052;
o introduce NAT64_WKPFX flag, that is set when IPv6 prefix is
Well-Known IPv6 prefix. It is used to reduce overhead to check this;
o modify nat64lsn_cfg and nat64stl_cfg structures to use nat64_config
structure. And respectivelly modify the rest of code;
o remove now unused ro argument from nat64_output() function;
o remove __FreeBSD_version ifdef, NAT64 was not merged to older versions;
o add commented -DIPFIREWALL_NAT64_DIRECT_OUTPUT flag to module's Makefile
as example.
Obtained from: Yandex LLC
MFC after: 1 month
Sponsored by: Yandex LLC
Notes
Notes:
svn path=/head/; revision=333403
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/ipfw/ipfw2.h | 1 | ||||
-rw-r--r-- | sbin/ipfw/nat64lsn.c | 12 | ||||
-rw-r--r-- | sbin/ipfw/nat64stl.c | 23 |
3 files changed, 20 insertions, 16 deletions
diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h index 7791ed71fc66..6834d411f36c 100644 --- a/sbin/ipfw/ipfw2.h +++ b/sbin/ipfw/ipfw2.h @@ -384,6 +384,7 @@ void ipfw_nat64lsn_handler(int ac, char *av[]); void ipfw_nat64stl_handler(int ac, char *av[]); void ipfw_nptv6_handler(int ac, char *av[]); int ipfw_check_object_name(const char *name); +int ipfw_check_nat64prefix(const struct in6_addr *prefix, int length); #ifdef PF /* altq.c */ diff --git a/sbin/ipfw/nat64lsn.c b/sbin/ipfw/nat64lsn.c index 7fd3c7770060..a364f0178556 100644 --- a/sbin/ipfw/nat64lsn.c +++ b/sbin/ipfw/nat64lsn.c @@ -428,13 +428,17 @@ nat64lsn_create(const char *name, uint8_t set, int ac, char **av) flags |= NAT64LSN_HAS_PREFIX4; ac--; av++; break; -#if 0 case TOK_PREFIX6: NEED1("IPv6 prefix required"); nat64lsn_parse_prefix(*av, AF_INET6, &cfg->prefix6, &cfg->plen6); + if (ipfw_check_nat64prefix(&cfg->prefix6, + cfg->plen6) != 0) + errx(EX_USAGE, "Bad prefix6 %s", *av); + ac--; av++; break; +#if 0 case TOK_AGG_LEN: NEED1("Aggregation prefix len required"); cfg->agg_prefix_len = nat64lsn_parse_int(*av, opt); @@ -767,10 +771,10 @@ nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set) if (co.use_set != 0 || cfg->set != 0) printf("set %u ", cfg->set); inet_ntop(AF_INET, &cfg->prefix4, abuf, sizeof(abuf)); - printf("nat64lsn %s prefix4 %s/%u ", cfg->name, abuf, cfg->plen4); -#if 0 + printf("nat64lsn %s prefix4 %s/%u", cfg->name, abuf, cfg->plen4); inet_ntop(AF_INET6, &cfg->prefix6, abuf, sizeof(abuf)); - printf("prefix6 %s/%u", abuf, cfg->plen6); + printf(" prefix6 %s/%u", abuf, cfg->plen6); +#if 0 printf("agg_len %u agg_count %u ", cfg->agg_prefix_len, cfg->agg_prefix_max); if (cfg->min_port != NAT64LSN_PORT_MIN || diff --git a/sbin/ipfw/nat64stl.c b/sbin/ipfw/nat64stl.c index 6cd936c4c469..27653aa5b4df 100644 --- a/sbin/ipfw/nat64stl.c +++ b/sbin/ipfw/nat64stl.c @@ -49,7 +49,6 @@ __FBSDID("$FreeBSD$"); #include <netinet6/ip_fw_nat64.h> #include <arpa/inet.h> -static int nat64stl_check_prefix(struct in6_addr *prefix, int length); typedef int (nat64stl_cb_t)(ipfw_nat64stl_cfg *i, const char *name, uint8_t set); static int nat64stl_foreach(nat64stl_cb_t *f, const char *name, uint8_t set, @@ -80,13 +79,10 @@ static struct _s_x nat64cmds[] = { ((a)->__u6_addr.__u6_addr32[0] == IPV6_ADDR_INT32_WKPFX && \ (a)->__u6_addr.__u6_addr32[1] == 0 && \ (a)->__u6_addr.__u6_addr32[2] == 0) -static int -nat64stl_check_prefix(struct in6_addr *prefix, int length) +int +ipfw_check_nat64prefix(const struct in6_addr *prefix, int length) { - if (IN6_IS_ADDR_WKPFX(prefix) && length == 96) - return (0); -#if 0 switch (length) { case 32: case 40: @@ -95,21 +91,20 @@ nat64stl_check_prefix(struct in6_addr *prefix, int length) case 64: /* Well-known prefix has 96 prefix length */ if (IN6_IS_ADDR_WKPFX(prefix)) - return (1); + return (EINVAL); /* FALLTHROUGH */ case 96: /* Bits 64 to 71 must be set to zero */ if (prefix->__u6_addr.__u6_addr8[8] != 0) - return (1); + return (EINVAL); /* XXX: looks incorrect */ if (IN6_IS_ADDR_MULTICAST(prefix) || IN6_IS_ADDR_UNSPECIFIED(prefix) || IN6_IS_ADDR_LOOPBACK(prefix)) - return (1); + return (EINVAL); return (0); } -#endif - return (1); + return (EINVAL); } static struct _s_x nat64statscmds[] = { @@ -255,7 +250,7 @@ nat64stl_create(const char *name, uint8_t set, int ac, char *av[]) errx(EX_USAGE, "Bad prefix: %s", *av); cfg->plen6 = strtol(p, NULL, 10); - if (nat64stl_check_prefix(&cfg->prefix6, + if (ipfw_check_nat64prefix(&cfg->prefix6, cfg->plen6) != 0) errx(EX_USAGE, "Bad prefix length: %s", p); @@ -439,6 +434,7 @@ nat64stl_reset_stats(const char *name, uint8_t set) static int nat64stl_show_cb(ipfw_nat64stl_cfg *cfg, const char *name, uint8_t set) { + char abuf[INET6_ADDRSTRLEN]; if (name != NULL && strcmp(cfg->name, name) != 0) return (ESRCH); @@ -448,8 +444,11 @@ nat64stl_show_cb(ipfw_nat64stl_cfg *cfg, const char *name, uint8_t set) if (co.use_set != 0 || cfg->set != 0) printf("set %u ", cfg->set); + printf("nat64stl %s table4 %s table6 %s", cfg->name, cfg->ntlv4.name, cfg->ntlv6.name); + inet_ntop(AF_INET6, &cfg->prefix6, abuf, sizeof(abuf)); + printf(" prefix6 %s/%u", abuf, cfg->plen6); if (cfg->flags & NAT64_LOG) printf(" log"); printf("\n"); |