From owner-svn-src-head@freebsd.org Fri Jan 24 20:35:43 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5AC341FB4AE; Fri, 24 Jan 2020 20:35:43 +0000 (UTC) (envelope-from melifaro@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4849rb1Wwjz4WhT; Fri, 24 Jan 2020 20:35:43 +0000 (UTC) (envelope-from melifaro@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 2F9852CDDA; Fri, 24 Jan 2020 20:35:43 +0000 (UTC) (envelope-from melifaro@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 00OKZhin079889; Fri, 24 Jan 2020 20:35:43 GMT (envelope-from melifaro@FreeBSD.org) Received: (from melifaro@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 00OKZfjA079882; Fri, 24 Jan 2020 20:35:41 GMT (envelope-from melifaro@FreeBSD.org) Message-Id: <202001242035.00OKZfjA079882@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: melifaro set sender to melifaro@FreeBSD.org using -f 
From: "Alexander V. Chernikov" Date: Fri, 24 Jan 2020 20:35:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r357092 - in head: sbin/ipfw sys/netinet/libalias X-SVN-Group: head X-SVN-Commit-Author: melifaro X-SVN-Commit-Paths: in head: sbin/ipfw sys/netinet/libalias X-SVN-Commit-Revision: 357092 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jan 2020 20:35:43 -0000 Author: melifaro Date: Fri Jan 24 20:35:41 2020 New Revision: 357092 URL: https://svnweb.freebsd.org/changeset/base/357092 Log: Add support for RFC 6598/Carrier Grade NAT subnets to libalias and ipfw. In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added. This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware. Also, we add a new NAT option to ipfw called unreg_cgn, which is like unreg_only, but also is RFC 6598-aware. The reason for the new flags/options is to avoid breaking existing networks, especially those which rely on RFC 6598 as an external address. Submitted by: Neel Chauhan MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D22877 Modified: head/sbin/ipfw/ipfw.8 head/sbin/ipfw/ipfw2.h head/sbin/ipfw/main.c head/sbin/ipfw/nat.c head/sys/netinet/libalias/alias.c head/sys/netinet/libalias/alias.h head/sys/netinet/libalias/libalias.3 Modified: head/sbin/ipfw/ipfw.8 ============================================================================== --- head/sbin/ipfw/ipfw.8 Fri Jan 24 19:42:53 2020 (r357091) +++ head/sbin/ipfw/ipfw.8 Fri Jan 24 20:35:41 2020 (r357092) 
@@ -3233,8 +3233,11 @@ Deny any incoming connection from outside world. Try to leave the alias port numbers unchanged from the actual local port numbers. .It Cm unreg_only -Traffic on the local network not originating from an +Traffic on the local network not originating from a RFC 1918 unregistered address spaces will be ignored. +.It Cm unreg_cgn +Like unreg_only, but includes the RFC 6598 (Carrier Grade NAT) +address range. .It Cm reset Reset table of the packet aliasing engine on address change. .It Cm reverse Modified: head/sbin/ipfw/ipfw2.h ============================================================================== --- head/sbin/ipfw/ipfw2.h Fri Jan 24 19:42:53 2020 (r357091) +++ head/sbin/ipfw/ipfw2.h Fri Jan 24 20:35:41 2020 (r357092) @@ -220,6 +220,7 @@ enum tokens { TOK_DENY_INC, TOK_SAME_PORTS, TOK_UNREG_ONLY, + TOK_UNREG_CGN, TOK_SKIP_GLOBAL, TOK_RESET_ADDR, TOK_ALIAS_REV, Modified: head/sbin/ipfw/main.c ============================================================================== --- head/sbin/ipfw/main.c Fri Jan 24 19:42:53 2020 (r357091) +++ head/sbin/ipfw/main.c Fri Jan 24 20:35:41 2020 (r357092) @@ -43,8 +43,8 @@ help(void) "add [num] [set N] [prob x] RULE-BODY\n" "{pipe|queue} N config PIPE-BODY\n" "[pipe|queue] {zero|delete|show} [N{,N}]\n" -"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|reset|\n" -" reverse|proxy_only|redirect_addr linkspec|\n" +"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|unreg_cgn|\n" +" reset|reverse|proxy_only|redirect_addr linkspec|\n" " redirect_port linkspec|redirect_proto linkspec}\n" "set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n" "set N {show|list|zero|resetlog|delete} [N{,N}] | flush\n" Modified: head/sbin/ipfw/nat.c ============================================================================== --- head/sbin/ipfw/nat.c Fri Jan 24 19:42:53 2020 (r357091) +++ head/sbin/ipfw/nat.c Fri Jan 24 20:35:41 2020 (r357092) 
@@ -60,6 +60,7 @@ static struct _s_x nat_params[] = { { "deny_in", TOK_DENY_INC }, { "same_ports", TOK_SAME_PORTS }, { "unreg_only", TOK_UNREG_ONLY }, + { "unreg_cgn", TOK_UNREG_CGN }, { "skip_global", TOK_SKIP_GLOBAL }, { "reset", TOK_RESET_ADDR }, { "reverse", TOK_ALIAS_REV }, @@ -663,6 +664,9 @@ nat_show_cfg(struct nat44_cfg_nat *n, void *arg) } else if (n->mode & PKT_ALIAS_UNREGISTERED_ONLY) { printf(" unreg_only"); n->mode &= ~PKT_ALIAS_UNREGISTERED_ONLY; + } else if (n->mode & PKT_ALIAS_UNREGISTERED_CGN) { + printf(" unreg_cgn"); + n->mode &= ~PKT_ALIAS_UNREGISTERED_CGN; } else if (n->mode & PKT_ALIAS_RESET_ON_ADDR_CHANGE) { printf(" reset"); n->mode &= ~PKT_ALIAS_RESET_ON_ADDR_CHANGE; Modified: head/sys/netinet/libalias/alias.c ============================================================================== --- head/sys/netinet/libalias/alias.c Fri Jan 24 19:42:53 2020 (r357091) +++ head/sys/netinet/libalias/alias.c Fri Jan 24 20:35:41 2020 (r357092) @@ -1413,6 +1413,10 @@ getout: #define UNREG_ADDR_C_LOWER 0xc0a80000 #define UNREG_ADDR_C_UPPER 0xc0a8ffff +/* 100.64.0.0 -> 100.127.255.255 (RFC 6598 - Carrier Grade NAT) */ +#define UNREG_ADDR_CGN_LOWER 0x64400000 +#define UNREG_ADDR_CGN_UPPER 0x647fffff + int LibAliasOut(struct libalias *la, char *ptr, int maxpacketsize) { @@ -1464,7 +1468,8 @@ LibAliasOutLocked(struct libalias *la, char *ptr, /* v } addr_save = GetDefaultAliasAddress(la); - if (la->packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY) { + if (la->packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY || + la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN) { u_long addr; int iclass; 
@@ -1476,6 +1481,9 @@ LibAliasOutLocked(struct libalias *la, char *ptr, /* v iclass = 2; else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER) iclass = 1; + else if (addr >= UNREG_ADDR_CGN_LOWER && addr <= UNREG_ADDR_CGN_UPPER && + la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN) + iclass = 4; if (iclass == 0) { SetDefaultAliasAddress(la, pip->ip_src); Modified: head/sys/netinet/libalias/alias.h ============================================================================== --- head/sys/netinet/libalias/alias.h Fri Jan 24 19:42:53 2020 (r357091) +++ head/sys/netinet/libalias/alias.h Fri Jan 24 20:35:41 2020 (r357092) @@ -228,6 +228,14 @@ struct mbuf *m_megapullup(struct mbuf *, int); */ #define PKT_ALIAS_SKIP_GLOBAL 0x200 +/* + * Like PKT_ALIAS_UNREGISTERED_ONLY, but includes the RFC 6598 + * (Carrier Grade NAT) address range as follows: + * + * 100.64.0.0 -> 100.127.255.255 + */ +#define PKT_ALIAS_UNREGISTERED_CGN 0x400 + /* Function return codes. */ #define PKT_ALIAS_ERROR -1 #define PKT_ALIAS_OK 1 Modified: head/sys/netinet/libalias/libalias.3 ============================================================================== --- head/sys/netinet/libalias/libalias.3 Fri Jan 24 19:42:53 2020 (r357091) +++ head/sys/netinet/libalias/libalias.3 Fri Jan 24 20:35:41 2020 (r357092) @@ -212,6 +212,11 @@ This option is useful in the case that the packet alia registered and unregistered subnets on different interfaces. The registered subnet is fully accessible to the outside world, so traffic from it does not need to be passed through the packet aliasing engine. +.It Dv PKT_ALIAS_UNREGISTERED_CGN +Like PKT_ALIAS_UNREGISTERED_ONLY, but includes the RFC 6598 (Carrier Grade +NAT) subnet as follows: +.Pp +100.64.0.0 -> 100.127.255.255 (RFC 6598 subnet) .It Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE When this mode bit is set and .Fn LibAliasSetAddress
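Review bot: in the ipfw.8 hunk, the rewritten unreg_only sentence now reads "not originating from a RFC 1918 unregistered address spaces will be ignored", which replaces the correct article ("an RFC", since RFC is read with an initial vowel sound) with a wrong one and leaves "a ... spaces" disagreeing in number. Suggest "Traffic on the local network not originating from an RFC 1918 unregistered address space will be ignored." The new unreg_cgn entry would also help operators more if it named the range, e.g. "Like unreg_only, but also treats the RFC 6598 (Carrier Grade NAT) range 100.64.0.0/10 as unregistered", so that the manual page states the same range as the libalias.3 text in this commit.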
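Review bot: in the nat.c nat_params hunk, the "unreg_cgn" keyword is registered as TOK_UNREG_CGN, but no hunk in this diff adds a TOK_UNREG_CGN case to the option-parsing switch that sets n->mode (the only other nat.c change is the nat_show_cfg display path). Unless that switch already handles the token some other way, "ipfw nat N config ... unreg_cgn" will be accepted by the tokenizer but either fall into the default error branch or silently leave PKT_ALIAS_UNREGISTERED_CGN unset, so the new mode could never be configured from ipfw. Suggest adding, next to the existing TOK_UNREG_ONLY case, "case TOK_UNREG_CGN: n->mode |= PKT_ALIAS_UNREGISTERED_CGN; break;" and verifying with "ipfw nat N show config" that the keyword round-trips.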
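Review bot: in the nat.c nat_show_cfg hunk, unreg_cgn is printed from an else-if placed after the unreg_only branch. A configuration can carry both PKT_ALIAS_UNREGISTERED_ONLY and PKT_ALIAS_UNREGISTERED_CGN in n->mode, and the CGN keyword is only reached once the unreg_only bit has been cleared, so this is correct only if the chain is re-evaluated after each cleared bit (that loop, if any, is outside the hunk). Worth confirming that a rule configured with both options shows both keywords rather than dropping unreg_cgn.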
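Review bot: in the alias.c LibAliasOutLocked hunk at line 1468, the new condition "la->packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY || la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN" relies on "&" binding tighter than "||". It is correct, but reads more clearly, and matches the single-mask idiom used elsewhere in the file, as "la->packetAliasMode & (PKT_ALIAS_UNREGISTERED_ONLY | PKT_ALIAS_UNREGISTERED_CGN)".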
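Review bot: in the alias.c hunk at line 1481, the added branch assigns "iclass = 4" while the visible neighbours use 1 and 2 (and presumably 3 for the remaining RFC 1918 block), and the only visible consumer is the "iclass == 0" test; please confirm nothing later uses iclass as an index or range, otherwise a short comment saying the value is only a non-zero marker would avoid a reader looking for class 3. The condition also mixes "&&" with a bare "&" test; precedence is right, but "(la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN) != 0" is the usual style. Since the enclosing "if" is now entered for either flag, it is worth a one-line comment that a 100.64.0.0/10 source under plain UNREGISTERED_ONLY intentionally falls through to iclass 0 and is treated as registered (passed untouched), which is the compatibility behaviour the log describes.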
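Review bot: in the alias.h hunk, the new flag is defined as PKT_ALIAS_UNREGISTERED_CGN, while the commit log says "a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added"; the log and the header should agree so that people searching the history find the symbol. The value 0x400 follows the visible 0x200 for PKT_ALIAS_SKIP_GLOBAL, but the hunk does not show the 0x100 slot or any conditionally compiled mode bits, so please double-check the full set of PKT_ALIAS_* values in the header for a collision. The comment's "100.64.0.0 -> 100.127.255.255" would be clearer as "100.64.0.0/10 (100.64.0.0 to 100.127.255.255)", which also matches the constants 0x64400000 and 0x647fffff added in alias.c.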
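Review bot: in the libalias.3 hunk, the new PKT_ALIAS_UNREGISTERED_CGN entry should say explicitly that the RFC 1918 ranges covered by PKT_ALIAS_UNREGISTERED_ONLY still apply (the mode is additive, not a replacement), and it would be consistent with the ipfw.8 wording in this same commit to call the range an "address range" rather than a "subnet" and to write it as 100.64.0.0/10 alongside the dotted bounds.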