| author | Andrey V. Elsukov <ae@FreeBSD.org> | 2018-10-21 16:29:12 +0000 |
|---|---|---|
| committer | Andrey V. Elsukov <ae@FreeBSD.org> | 2018-10-21 16:29:12 +0000 |
| commit | aa2715612cbe9deb76e56c8a87bd7cdaea181505 (patch) | |
| tree | 0904dad0fd5a7e9751c36fca27fa37e68af5686d /sbin | |
| parent | 91e8ea7f5c6025d1e733d880b136ef3f4918a25f (diff) | |
| download | src-aa2715612cbe9deb76e56c8a87bd7cdaea181505.tar.gz src-aa2715612cbe9deb76e56c8a87bd7cdaea181505.zip | |
Retire IPFIREWALL_NAT64_DIRECT_OUTPUT kernel option, and add the ability
to switch the output method at run time. Also document some sysctl
variables that can be changed for the NAT64 module.
NAT64 had a compile-time option IPFIREWALL_NAT64_DIRECT_OUTPUT to use
if_output directly from the nat64 module. By default the netisr based
output method is used. Now both methods can be used, but they require different
handling by rules.
Obtained from: Yandex LLC
MFC after: 3 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D16647
Notes:
svn path=/head/; revision=339542
Diffstat (limited to 'sbin')

| -rw-r--r-- | sbin/ipfw/ipfw.8 | 46 |
|---|---|---|

1 files changed, 43 insertions, 3 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index acb4d347644d..425471836125 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 27, 2018 +.Dd October 21, 2018 .Dt IPFW 8 .Os .Sh NAME @@ -3289,9 +3289,14 @@ Make sure that ND6 neighbor solicitation (ICMPv6 type 135) and neighbor advertisement (ICMPv6 type 136) messages will not be handled by translation rules. .Pp -After translation NAT64 translator sends packets through corresponding netisr -queue. +After translation NAT64 translator by default sends packets through +corresponding netisr queue. Thus translator host should be configured as IPv4 and IPv6 router. +Also this means, that a packet is handled by firewall twice. +First time an original packet is handled and consumed by translator, +and then it is handled again as translated packet. +This behavior can be changed by sysctl variable +.Va net.inet.ip.fw.nat64_direct_output . .Pp The stateful NAT64 configuration command is the following: .Bd -ragged -offset indent 
@@ -3914,6 +3919,41 @@ Default is no. Controls whether bridged packets are passed to .Nm . Default is no. +.It Va net.inet.ip.fw.nat64_allow_private : No 0 +Defines how +.Nm nat64 +handles private IPv4 addresses: +.Bl -tag -width indent +.It Cm 0 +Packets with private IPv4 will not be handled by translator +.It Cm 1 +Translator will accept and process packets with private IPv4 addresses. +.El +.It Va net.inet.ip.fw.nat64_debug : No 0 +Controls debugging messages produced by +.Nm ipfw_nat64 +module. +.It Va net.inet.ip.fw.nat64_direct_output : No 0 +Controls the output method used by +.Nm ipfw_nat64 +module: +.Bl -tag -width indent +.It Cm 0 +A packet is handled by +.Nm ipfw +twice. +First time an original packet is handled by +.Nm ipfw +and consumed by +.Nm ipfw_nat64 +translator. +Then translated packet is queued via netisr to input processing again. +.It Cm 1 +A packet is handled by +.Nm ipfw +only once, and after translation it will be pushed directly to outgoing +interface. +.El .El .Sh INTERNAL DIAGNOSTICS There are some commands that may be useful to understand current state |
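Review bot: in the `@@ -3289,9 +3289,14 @@` hunk, the added paragraph tells the reader that `.Va net.inet.ip.fw.nat64_direct_output` changes the behaviour but not what the change means for their ruleset, even though the commit message states that the two output methods "require different handling by rules". Since the later hunk documents mode 1 as the packet being "pushed directly to outgoing interface" after being handled by ipfw only once, say that consequence here so an administrator does not write rules that expect to see the translated packet a second time, e.g. `+When direct output is enabled the translated packet is not passed` / `+through the firewall again, so rules see only the original packet.` and add a cross reference to the sysctl description. Minor grammar in the same lines: "After translation NAT64 translator" should read "the NAT64 translator", "Thus translator host" should read "Thus the translator host", and "Also this means, that a packet" has a stray comma.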
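Review bot: in the `@@ -3914,6 +3919,41 @@` hunk, the `.Va net.inet.ip.fw.nat64_allow_private` entry never says which IPv4 ranges the module treats as private, so an operator cannot predict which flows are refused by the default of 0; name the ranges the code actually checks in the `.It Cm 0` text. The two items in that list are also inconsistent: `+Packets with private IPv4 will not be handled by translator` lacks "addresses" and a terminating period while `+Translator will accept and process packets with private IPv4 addresses.` has both. The macro usage is uneven too: this entry refers to the module as `.Nm nat64` whereas the `nat64_debug` and `nat64_direct_output` entries use `.Nm ipfw_nat64`; pick one name. Finally, the `.It Cm 1` text for `nat64_direct_output` should state explicitly that the translated packet bypasses ipfw entirely (the `.It Cm 0` text already spells out the second pass), since that is the property an administrator needs to account for when choosing this mode.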