aboutsummaryrefslogtreecommitdiff
path: root/share
diff options
context:
space:
mode:
authorKurosawa Takahiro <takahiro.kurosawa@gmail.com>2021-04-13 08:50:00 +0000
committerKristof Provost <kp@FreeBSD.org>2021-05-11 15:04:45 +0000
commite49799dcf14e7026f377d26a70fe0a3a3d15390a (patch)
tree8b0788dd824a3407cb6df0697a014445517f052d /share
parent0d0eb707b43e2b222434a98265db1fe7c3e3f3a8 (diff)
downloadsrc-e49799dcf14e7026f377d26a70fe0a3a3d15390a.tar.gz
src-e49799dcf14e7026f377d26a70fe0a3a3d15390a.zip
pf: Implement the NAT source port selection of MAP-E Customer Edge
MAP-E (RFC 7597) requires special care for selecting source ports in NAT operation on the Customer Edge because a part of bits of the port numbers are used by the Border Relay to distinguish another side of the IPv4-over-IPv6 tunnel. PR: 254577 Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D29468 (cherry picked from commit 2aa21096c7349390f22aa5d06b373a575baed1b4)
Diffstat (limited to 'share')
-rw-r--r--share/man/man5/pf.conf.524
1 files changed, 23 insertions, 1 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index d31d20e29bea..52a7331c7cb2 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1998,6 +1998,27 @@ rules, the
option prevents
.Xr pf 4
from modifying the source port on TCP and UDP packets.
+.It Xo Ar map-e-portset Aq Ar psid-offset
+.No / Aq Ar psid-len
+.No / Aq Ar psid
+.Xc
+With
+.Ar nat
+rules, the
+.Ar map-e-portset
+option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
+In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
+interface and pass rules for encapsulated packets are required in addition
+to the map-e-portset nat rule.
+.Pp
+For example:
+.Bd -literal -offset indent
+nat on $gif_mape_if from $int_if:network to any \e
+ -> $ipv4_mape_src map-e-portset 6/8/0x34
+.Ed
+.Pp
+sets PSID offset 6, PSID length 8, PSID 0x34.
+.Ed
.El
.Pp
Additionally, the
@@ -2893,7 +2914,8 @@ nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] [ "static-port" ] ]
+ [ portspec ] [ pooltype ] [ "static-port" ]
+ [ "map-e-portset" number "/" number "/" number ] ]
binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ "on" interface-name ] [ af ]