Date: Fri, 6 Dec 2024 09:22:05 GMT
Message-Id: <202412060922.4B69M5IF017143@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Tom Jones
Subject: git: ef18594985c0 - main - natd: Enable support for EIM NAT
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@FreeBSD.org
X-Git-Committer: thj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ef18594985c0d569650b44b0ba0171a6fd8703a5
Auto-Submitted: auto-generated

The branch main has been updated by thj:

URL: https://cgit.FreeBSD.org/src/commit/?id=ef18594985c0d569650b44b0ba0171a6fd8703a5

commit ef18594985c0d569650b44b0ba0171a6fd8703a5
Author:     Damjan Jovanovic
AuthorDate: 2024-12-06 09:21:06 +0000
Commit:     Tom Jones
CommitDate: 2024-12-06 09:21:06 +0000

    natd: Enable support for EIM NAT

    Enable support for endpoint-independent mapping ("full cone NAT") via
    Libalias's UDP NAT.

    Reviewed by:    igoro, thj
    Differential Revision:  https://reviews.freebsd.org/D46689

--- sbin/natd/natd.8 | 23 ++++++++++++++++++++++- sbin/natd/natd.c | 8 ++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8 index b2edece6cce1..8beff2e66b6a 100644 --- a/sbin/natd/natd.8 +++ b/sbin/natd/natd.8 @@ -1,4 +1,4 @@ -.Dd October 5, 2016 +.Dd December 6, 2024 .Dt NATD 8 .Os .Sh NAME @@ -14,6 +14,7 @@ .Op Fl deny_incoming | d .Op Fl use_sockets | s .Op Fl same_ports | m +.Op Fl udp_eim .Op Fl verbose | v .Op Fl dynamic .Op Fl in_port | i Ar port
@@ -114,6 +115,26 @@ With this option, protocols such as RPC will have a better chance of working. If it is not possible to maintain the port number, it will be silently changed as per normal. +.It Fl udp_eim +When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787 +("full cone" NAT of RFC 3489). +All packets from the same internal address:port are mapped to the same NAT +address:port, regardless of their destination address:port. +If filtering rules allow, and if +.Em deny_incoming +is disabled, any other external address:port can +also send to the internal address:port through its mapped NAT address:port. +This is more compatible with applications, and can reduce the need for port +forwarding, but less scalable as each NAT address:port can only be +concurrently used by at most one internal address:port. +.Pp +When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric" +NAT). +Each connection from a particular internal address:port to different +external addresses:ports is mapped to a random and unpredictable NAT +address:port. +Two appplications behind EDM NATs can only connect to each other +by port forwarding on the NAT, or tunnelling through an in-between server. .It Fl verbose | v Do not call .Xr daemon 3 diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c index 29c68987adf4..6a62495dd064 100644 --- a/sbin/natd/natd.c +++ b/sbin/natd/natd.c @@ -1138,6 +1138,14 @@ static struct OptionInfo optionTable[] = { "same_ports", "m" }, + { LibAliasOption, + PKT_ALIAS_UDP_EIM, + YesNo, + "[yes|no]", + "UDP traffic uses endpoint-independent mapping (\"full cone\" NAT)", + "udp_eim", + NULL }, + { Verbose, 0, YesNo,
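Review bot: the natd.8 description hunk (@@ -114,6 +115,26 @@) has a typo, "appplications" for "applications", and "but less scalable as each NAT address:port can only be concurrently used by at most one internal address:port" reads better as "but is less scalable, since each NAT address:port can be used concurrently by at most one internal address:port". The cross-reference `.Em deny_incoming` names a command-line flag, so the mdoc macro should be `.Fl deny_incoming`, matching the synopsis. Since the same paragraph already states that with EIM on and deny_incoming off "any other external address:port can also send to the internal address:port", it is worth saying plainly that the packet filter then becomes the only inbound control for those mapped ports, so administrators enabling -udp_eim know to check their rules.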
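Review bot: neither this optionTable entry (@@ -1138,6 +1138,14 @@ in natd.c) nor the natd.8 text states the default state of PKT_ALIAS_UDP_EIM; the reader has to infer from "When disabled, UDP packets use endpoint-dependent mapping" that EIM is off unless -udp_eim is given. A one-line statement of the default in the .It text would settle it. The NULL short-form name is the right choice here, since d, s, m, v and i are already taken by the neighbouring options visible in the synopsis hunk, and the YesNo parsing with "[yes|no]" keeps the entry consistent with same_ports and verbose around it.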