Date: Fri, 6 Dec 2024 09:19:32 GMT
Message-Id: <202412060919.4B69JW5c000703@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Tom Jones Subject: git: b6c90b909905 - main - ipfw : Enable support for EIM NAT List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: thj X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: b6c90b909905a48c6f8ad027ff259e64d5d0e762 Auto-Submitted: auto-generated The branch main has been updated by thj: URL: https://cgit.FreeBSD.org/src/commit/?id=b6c90b909905a48c6f8ad027ff259e64d5d0e762 commit b6c90b909905a48c6f8ad027ff259e64d5d0e762 Author: Damjan Jovanovic AuthorDate: 2024-12-06 09:17:34 +0000 Commit: Tom Jones CommitDate: 2024-12-06 09:18:09 +0000 ipfw : Enable support for EIM NAT Enable support for endpoint-independent mapping ("full cone NAT") via Libalias's UDP NAT. Reviewed by: igoro, thj Differential Revision: https://reviews.freebsd.org/D46689D --- sbin/ipfw/ipfw.8 | 22 +++++++++++++++++++++- sbin/ipfw/ipfw2.h | 1 + sbin/ipfw/main.c | 2 +- sbin/ipfw/nat.c | 8 ++++++++ 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 715d8580f1ce..bc78ae1c655b 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,5 +1,5 @@ .\" -.Dd December 17, 2023 +.Dd December 6, 2024 .Dt IPFW 8 .Os .Sh NAME 
@@ -3403,6 +3403,26 @@ Skip instance in case of global state lookup (see below). .It Cm port_range Ar lower-upper Set the aliasing ports between the ranges given. Upper port has to be greater than lower. +.It Cm udp_eim +When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787 +("full cone" NAT of RFC 3489). +All packets from the same internal address:port are mapped to the same NAT +address:port, regardless of their destination address:port. +If filtering rules allow, and if +.Em deny_in +is unset, any other external address:port can +also send to the internal address:port through its mapped NAT address:port. +This is more compatible with applications, and can reduce the need for port +forwarding, but less scalable as each NAT address:port can only be +concurrently used by at most one internal address:port. +.Pp +When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric" +NAT). +Each connection from a particular internal address:port to different +external addresses:ports is mapped to a random and unpredictable NAT +address:port. +Two appplications behind EDM NATs can only connect to each other +by port forwarding on the NAT, or tunnelling through an in-between server. .El .Pp Some special values can be supplied instead of diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h index 2137719296f9..0c0bf32e94d6 100644 --- a/sbin/ipfw/ipfw2.h +++ b/sbin/ipfw/ipfw2.h @@ -324,6 +324,7 @@ enum tokens { TOK_SETMARK, TOK_SKIPACTION, + TOK_UDP_EIM, }; /* diff --git a/sbin/ipfw/main.c b/sbin/ipfw/main.c index 1e5f4fbafc1d..92c593f4f09e 100644 --- a/sbin/ipfw/main.c +++ b/sbin/ipfw/main.c 
@@ -43,7 +43,7 @@ help(void) "add [num] [set N] [prob x] RULE-BODY\n" "{pipe|queue} N config PIPE-BODY\n" "[pipe|queue] {zero|delete|show} [N{,N}]\n" -"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|unreg_cgn|\n" +"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|unreg_cgn|udp_eim|\n" " reset|reverse|proxy_only|redirect_addr linkspec|\n" " redirect_port linkspec|redirect_proto linkspec|\n" " port_range lower-upper}\n" diff --git a/sbin/ipfw/nat.c b/sbin/ipfw/nat.c index a96da30c9f8b..db74abaab233 100644 --- a/sbin/ipfw/nat.c +++ b/sbin/ipfw/nat.c @@ -67,6 +67,7 @@ static struct _s_x nat_params[] = { { "redirect_addr", TOK_REDIR_ADDR }, { "redirect_port", TOK_REDIR_PORT }, { "redirect_proto", TOK_REDIR_PROTO }, + { "udp_eim", TOK_UDP_EIM }, { NULL, 0 } /* terminator */ }; @@ -676,6 +677,9 @@ nat_show_cfg(struct nat44_cfg_nat *n, void *arg __unused) } else if (n->mode & PKT_ALIAS_PROXY_ONLY) { printf(" proxy_only"); n->mode &= ~PKT_ALIAS_PROXY_ONLY; + } else if (n->mode & PKT_ALIAS_UDP_EIM) { + printf(" udp_eim"); + n->mode &= ~PKT_ALIAS_UDP_EIM; } } /* Print all the redirect's data configuration. */ @@ -821,6 +825,7 @@ ipfw_config_nat(int ac, char **av) case TOK_RESET_ADDR: case TOK_ALIAS_REV: case TOK_PROXY_ONLY: + case TOK_UDP_EIM: break; case TOK_REDIR_ADDR: if (ac1 < 2) @@ -927,6 +932,9 @@ ipfw_config_nat(int ac, char **av) case TOK_PROXY_ONLY: n->mode |= PKT_ALIAS_PROXY_ONLY; break; + case TOK_UDP_EIM: + n->mode |= PKT_ALIAS_UDP_EIM; + break; /* * All the setup_redir_* functions work directly in * the final buffer, see above for details.
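Review bot: in the new udp_eim paragraph for ipfw.8, "appplications" should be "applications". The same paragraph would also benefit from stating the exposure plainly for administrators: with udp_eim set and deny_in unset, a mapped NAT address:port accepts UDP from any external address:port, so the firewall's own filtering rules become the only control on unsolicited inbound traffic to that internal host; a sentence advising deny_in or explicit rules when that reachability is not wanted would make the trade-off the text already describes ("more compatible with applications" versus wider reachability) easier to act on.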
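Review bot: the updated usage line in help() ("nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|unreg_cgn|udp_eim|\n") is now well past 80 columns; since the following line already continues the option list (" reset|reverse|proxy_only|redirect_addr linkspec|\n"), moving "udp_eim|" to the start of that continuation line would keep the help output aligned with the existing wrapping instead of widening the first line further.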
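Review bot: nat_show_cfg and ipfw_config_nat now use PKT_ALIAS_UDP_EIM, but none of the four files in the diffstat defines it, so this change builds only if the libalias header already carries that flag; the commit message says the feature works "via Libalias's UDP NAT" but does not cite the libalias revision it depends on, and a reference to that commit in the message would make the required ordering clear for anyone merging this. The new else-if branch in nat_show_cfg does clear PKT_ALIAS_UDP_EIM after printing, matching the other branches, so the surrounding print loop terminates as before.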