From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 219803] [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Date: Fri, 06 Sep 2024 12:49:32 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803

--- Comment #17 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=390dc369efaaeca2802baf168ddbd7a40e3afcc8

commit 390dc369efaaeca2802baf168ddbd7a40e3afcc8
Author:     Tom Jones
AuthorDate: 2024-09-06 11:59:09 +0000
Commit:     Tom Jones
CommitDate: 2024-09-06 12:48:04 +0000

    pf: Add support for endpoint independent NAT bindings for UDP

    With Endpoint Independent NAT bindings for UDP, flows from a NATed source
    address are always mapped to the same ip:port pair on the NAT router. This
    allows a client to connect to multiple external servers while appearing as
    the same host and enables NAT traversal without requiring the client to use
    a middlebox traversal protocol such as STUN or TURN.

    Introduce the 'endpoint-independent' option to NAT rules to allow
    configuration of endpoint-independent NAT without affecting existing
    deployments.

    This change satisfies REQ 1 and 3 of RFC 4787, also known as 'full cone'
    NAT.

    Using Endpoint Independent NAT changes NAT exhaustion behaviour; it does
    not introduce any additional security considerations compared to other
    forms of NAT.
    PR:             219803
    Co-authored-by: Damjan Jovanovic
    Co-authored-by: Naman Sood
    Reviewed-by:    kp
    Sponsored-by:   Tailscale
    Sponsored-by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D11137

 sbin/pfctl/parse.y                     |  12 +-
 sbin/pfctl/pfctl_parser.c              |   2 +
 sbin/pfctl/tests/files/pf1021.in (new) |   1 +
 sbin/pfctl/tests/files/pf1021.ok (new) |   1 +
 share/man/man4/pf.4                    |   6 +-
 share/man/man5/pf.conf.5               |  12 +-
 sys/net/pfvar.h                        |  49 ++++++++-
 sys/netpfil/pf/pf.c                    | 195 ++++++++++++++++++++++++++++++++++-
 sys/netpfil/pf/pf.h                    |   1 +
 sys/netpfil/pf/pf_lb.c                 | 104 ++++++++++++++----
 tests/sys/netpfil/pf/nat.sh            | 134 ++++++++++++++++++++++
 11 files changed, 489 insertions(+), 28 deletions(-)