git: ef18594985c0 - main - natd: Enable support for EIM NAT

From: Tom Jones <thj_at_FreeBSD.org>
Date: Fri, 06 Dec 2024 09:22:05 UTC
The branch main has been updated by thj:

URL: https://cgit.FreeBSD.org/src/commit/?id=ef18594985c0d569650b44b0ba0171a6fd8703a5

commit ef18594985c0d569650b44b0ba0171a6fd8703a5
Author:     Damjan Jovanovic <damjan.jov@gmail.com>
AuthorDate: 2024-12-06 09:21:06 +0000
Commit:     Tom Jones <thj@FreeBSD.org>
CommitDate: 2024-12-06 09:21:06 +0000

    natd: Enable support for EIM NAT
    
    Enable support for endpoint-independent mapping ("full cone NAT") via
    Libalias's UDP NAT.
    
    Reviewed by:    igoro, thj
    Differential Revision:  https://reviews.freebsd.org/D46689
---
 sbin/natd/natd.8 | 23 ++++++++++++++++++++++-
 sbin/natd/natd.c |  8 ++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8
index b2edece6cce1..8beff2e66b6a 100644
--- a/sbin/natd/natd.8
+++ b/sbin/natd/natd.8
@@ -1,4 +1,4 @@
-.Dd October 5, 2016
+.Dd December 6, 2024
 .Dt NATD 8
 .Os
 .Sh NAME
@@ -14,6 +14,7 @@
 .Op Fl deny_incoming | d
 .Op Fl use_sockets | s
 .Op Fl same_ports | m
+.Op Fl udp_eim
 .Op Fl verbose | v
 .Op Fl dynamic
 .Op Fl in_port | i Ar port
@@ -114,6 +115,26 @@ With this option, protocols such as RPC will have a better chance
 of working.
 If it is not possible to maintain the port number, it will be silently
 changed as per normal.
+.It Fl udp_eim
+When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
+("full cone" NAT of RFC 3489).
+All packets from the same internal address:port are mapped to the same NAT
+address:port, regardless of their destination address:port.
+If filtering rules allow, and if
+.Em deny_incoming
+is disabled, any other external address:port can
+also send to the internal address:port through its mapped NAT address:port.
+This is more compatible with applications, and can reduce the need for port
+forwarding, but less scalable as each NAT address:port can only be
+concurrently used by at most one internal address:port.
+.Pp
+When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
+NAT).
+Each connection from a particular internal address:port to different
+external addresses:ports is mapped to a random and unpredictable NAT
+address:port.
+Two appplications behind EDM NATs can only connect to each other
+by port forwarding on the NAT, or tunnelling through an in-between server.
 .It Fl verbose | v
 Do not call
 .Xr daemon 3
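Review bot: "appplications" in the line "Two appplications behind EDM NATs can only connect to each other" is a typo for "applications". Two wording points on the same hunk: the label "full cone" (RFC 3489) implies endpoint-independent filtering as well as mapping, and the text correctly ties that to deny_incoming being off, so it is worth saying explicitly that -udp_eim together with -deny_incoming gives EIM with restricted filtering rather than full cone, and that a reader who wants EIM but not world-reachable mappings should rely on -deny_incoming or firewall rules, since every active UDP mapping is otherwise reachable from any external address:port for its lifetime. The EDM paragraph's "mapped to a random and unpredictable NAT address:port" also sits oddly directly under the -same_ports text, which says the original port number is kept where possible; "a NAT address:port chosen per destination" would avoid contradicting it.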
diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c
index 29c68987adf4..6a62495dd064 100644
--- a/sbin/natd/natd.c
+++ b/sbin/natd/natd.c
@@ -1138,6 +1138,14 @@ static struct OptionInfo optionTable[] = {
 		"same_ports",
 		"m" },
 
+	{ LibAliasOption,
+		PKT_ALIAS_UDP_EIM,
+		YesNo,
+		"[yes|no]",
+		"UDP traffic uses endpoint-independent mapping (\"full cone\" NAT)",
+		"udp_eim",
+		NULL },
+
 	{ Verbose,
 		0,
 		YesNo,
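Review bot: PKT_ALIAS_UDP_EIM is used here as a LibAliasOption but is not defined anywhere in this patch, so the build and the behaviour documented in natd.8 depend on libalias's alias.h already exporting that mode bit and its UDP path honouring it (the commit message's "via Libalias's UDP NAT"); that prerequisite commit should be referenced so the dependency ordering is clear. The entry itself is consistent with its neighbours: YesNo type with the "[yes|no]" argument hint, no short form (NULL), and placed between same_ports and verbose in the same order the synopsis hunk uses.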
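The mapping and filtering behaviour the new -udp_eim text describes, as an added illustration that is not part of this commit or of libalias: a toy NAT table in C assuming a single NAT address, constructed endpoints and a sequential port allocator starting at 40000 (all assumptions, not libalias's allocation policy). It shows that under EIM one internal address:port keeps a single NAT port across destinations and, with -deny_incoming off, accepts inbound from a host it never contacted, while under the default EDM each destination gets its own NAT port and unsolicited inbound is dropped.

```c
/*
 * Toy model of the two UDP mapping policies in natd(8)'s -udp_eim text:
 * endpoint-independent mapping (EIM, "full cone") versus endpoint-dependent
 * mapping (EDM, "symmetric").  Added illustration, not libalias code; the
 * endpoints and the port allocation rule are constructed.  One NAT address
 * is assumed, so a NAT "address:port" is just a port here.
 */
#include <stdio.h>
#include <string.h>

#define MAX_MAP  16
#define EXT_BASE 40000            /* first NAT port handed out (assumed) */

struct ep { unsigned addr; unsigned short port; };   /* IPv4 as u32 + port */

struct mapping {
    struct ep      in;   /* internal address:port */
    struct ep      dst;  /* remote endpoint this entry was created for */
    unsigned short ext;  /* NAT port; shared by all dst entries under EIM */
};

struct nat {
    int            eim;            /* 1 = -udp_eim, 0 = natd default (EDM) */
    int            deny_incoming;  /* 1 = -deny_incoming */
    struct mapping map[MAX_MAP];
    int            n;
    unsigned short next_ext;
};

static int ep_eq(struct ep a, struct ep b)
{
    return a.addr == b.addr && a.port == b.port;
}

static void nat_init(struct nat *t, int eim, int deny_incoming)
{
    memset(t, 0, sizeof *t);
    t->eim = eim;
    t->deny_incoming = deny_incoming;
    t->next_ext = EXT_BASE;
}

/*
 * Outbound packet in -> dst.  Returns the NAT port used, or -1 if the table
 * is full.  EIM: every dst reached from the same in reuses one NAT port.
 * EDM: each distinct dst from the same in gets its own NAT port.
 */
static int nat_outbound(struct nat *t, struct ep in, struct ep dst)
{
    int reuse = -1;

    for (int i = 0; i < t->n; i++) {
        if (!ep_eq(t->map[i].in, in))
            continue;
        if (ep_eq(t->map[i].dst, dst))
            return t->map[i].ext;          /* existing flow */
        if (t->eim)
            reuse = t->map[i].ext;         /* same in: keep its NAT port */
    }
    if (t->n == MAX_MAP)
        return -1;
    struct mapping *m = &t->map[t->n++];
    m->in = in;
    m->dst = dst;
    m->ext = reuse >= 0 ? (unsigned short)reuse : t->next_ext++;
    return m->ext;
}

/*
 * Inbound packet from remote to NAT port ext.  Returns 1 and fills *out with
 * the internal endpoint if forwarded, 0 if dropped.  A remote the internal
 * host already sent to is always accepted; an unsolicited remote only under
 * EIM with -deny_incoming off ("any other external address:port can also
 * send to the internal address:port").
 */
static int nat_inbound(const struct nat *t, unsigned short ext,
                       struct ep remote, struct ep *out)
{
    const struct mapping *hit = NULL;

    for (int i = 0; i < t->n; i++) {
        if (t->map[i].ext != ext)
            continue;
        if (ep_eq(t->map[i].dst, remote)) {
            *out = t->map[i].in;
            return 1;
        }
        hit = &t->map[i];
    }
    if (hit != NULL && t->eim && !t->deny_incoming) {
        *out = hit->in;
        return 1;
    }
    return 0;
}

int main(void)
{
    struct ep host  = { 0x0a000005, 5000 };   /* 10.0.0.5:5000 (constructed) */
    struct ep peerA = { 0xc6336401, 3478 };   /* 198.51.100.1:3478 */
    struct ep peerB = { 0xcb007101, 3478 };   /* 203.0.113.1:3478 */
    struct ep third = { 0xcb007102, 9999 };   /* never contacted by host */
    struct ep out;
    struct nat t;
    int pa, pb, fwd;

    nat_init(&t, 1, 0);                       /* -udp_eim, -deny_incoming off */
    pa = nat_outbound(&t, host, peerA);
    pb = nat_outbound(&t, host, peerB);
    fwd = nat_inbound(&t, (unsigned short)pa, third, &out);
    printf("EIM: peerA->%d peerB->%d, unsolicited inbound %s\n",
           pa, pb, fwd ? "forwarded" : "dropped");

    nat_init(&t, 0, 0);                       /* natd default: EDM */
    pa = nat_outbound(&t, host, peerA);
    pb = nat_outbound(&t, host, peerB);
    fwd = nat_inbound(&t, (unsigned short)pa, third, &out);
    printf("EDM: peerA->%d peerB->%d, unsolicited inbound %s\n",
           pa, pb, fwd ? "forwarded" : "dropped");
    return 0;
}
```

Compile with cc -std=c99. The table also exhibits the scalability cost the man page mentions: under EIM a NAT port stays dedicated to one internal address:port for as long as any of its flows exists, so it can never be shared with a second internal host. Real libalias allocates ports differently (for instance -same_ports tries to preserve the source port), so the numbers here are purely illustrative; only the reuse-versus-new-port and forward-versus-drop decisions model the documented behaviour.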