Date: Fri, 06 Sep 2024 12:49:32 +0000
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 219803] [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Message-ID: <bug-219803-16861-QQ1oVCA5Gw@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-219803-16861@https.bugs.freebsd.org/bugzilla/>
References: <bug-219803-16861@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803

--- Comment #17 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=390dc369efaaeca2802baf168ddbd7a40e3afcc8

commit 390dc369efaaeca2802baf168ddbd7a40e3afcc8
Author:     Tom Jones <thj@FreeBSD.org>
AuthorDate: 2024-09-06 11:59:09 +0000
Commit:     Tom Jones <thj@FreeBSD.org>
CommitDate: 2024-09-06 12:48:04 +0000

    pf: Add support for endpoint independent NAT bindings for UDP

    With Endpoint Independent NAT bindings for UDP, flows from a NATed
    source address are always mapped to the same ip:port pair on the NAT
    router. This allows a client to connect to multiple external servers
    while appearing as the same host and enables NAT traversal without
    requiring the client to use a middlebox traversal protocol such as
    STUN or TURN.

    Introduce the 'endpoint-independent' option to NAT rules to allow
    configuration of endpoint independent without affecting existing
    deployments.

    This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full
    cone' NAT.

    Using Endpoint Independent NAT changes NAT exhaustion behaviour; it
    does not introduce any additional security considerations compared to
    other forms of NAT.

    PR:             219803
    Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
    Co-authored-by: Naman Sood <mail@nsood.in>
    Reviewed-by:    kp
    Sponsored-by:   Tailscale
    Sponsored-by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D11137

 sbin/pfctl/parse.y                     |  12 +-
 sbin/pfctl/pfctl_parser.c              |   2 +
 sbin/pfctl/tests/files/pf1021.in (new) |   1 +
 sbin/pfctl/tests/files/pf1021.ok (new) |   1 +
 share/man/man4/pf.4                    |   6 +-
 share/man/man5/pf.conf.5               |  12 +-
 sys/net/pfvar.h                        |  49 ++++++++-
 sys/netpfil/pf/pf.c                    | 195 ++++++++++++++++++++++++++++++++-
 sys/netpfil/pf/pf.h                    |   1 +
 sys/netpfil/pf/pf_lb.c                 | 104 ++++++++++++++----
 tests/sys/netpfil/pf/nat.sh            | 134 ++++++++++++++++++++++
 11 files changed, 489 insertions(+), 28 deletions(-)
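As an added illustration of the binding behaviour the commit message describes (a toy model written for this page, not pf's code), the following Python contrasts an endpoint-dependent UDP mapping with the endpoint-independent one: the same internal client reaching two servers consumes one external port and appears as one ip:port, and a peer it never contacted can still reach it through that binding, which is the full-cone property. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class NatTable:
    """Minimal UDP NAT model: internal (ip, port) -> external port on ext_ip."""
    ext_ip: str
    endpoint_independent: bool
    bindings: dict = field(default_factory=dict)          # key -> external port
    _ports: count = field(default_factory=lambda: count(50000))  # port allocator

    def outbound(self, src, dst):
        # Endpoint-dependent NAT keys the binding on (src, dst), so each new
        # destination costs a fresh external port. Endpoint-independent NAT
        # keys it on src alone, so every destination reuses the same ip:port.
        key = src if self.endpoint_independent else (src, dst)
        if key not in self.bindings:
            self.bindings[key] = next(self._ports)
        return (self.ext_ip, self.bindings[key])

    def inbound(self, peer, ext_port):
        # Return the internal endpoint a packet from `peer` is delivered to,
        # or None if no binding admits it.
        for key, port in self.bindings.items():
            if port != ext_port:
                continue
            if self.endpoint_independent:
                return key                 # full cone: any peer may use the binding
            src, dst = key
            if dst == peer:                # otherwise only the original peer may
                return src
        return None


def demo(endpoint_independent):
    """Constructed scenario: one client talks to two servers, then an
    unrelated third peer sends to the first external port handed out."""
    nat = NatTable("198.51.100.1", endpoint_independent)
    client = ("192.0.2.10", 40000)
    servers = [("203.0.113.5", 3478), ("203.0.113.9", 3478)]
    external_views = {nat.outbound(client, s) for s in servers}
    delivered = nat.inbound(("203.0.113.77", 5000), 50000)
    return len(external_views), len(nat.bindings), delivered
```

`demo(True)` reports one external identity, one port consumed and the unsolicited peer delivered to the client; `demo(False)` reports two identities, two ports and the packet dropped.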