Date:      Sat, 13 Aug 2016 22:51:37 +0000 (UTC)
From:      Garrett Cooper <ngie@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject:   svn commit: r304062 - in projects/netbsd-tests-update-12: cddl/contrib/opensolaris/tools/ctf/cvt sbin/ipfw share/timedef sys/conf sys/kern sys/modules sys/modules/ipfw sys/modules/ipfw_nat64 sys/ne...
Message-ID:  <201608132251.u7DMpboZ093082@repo.freebsd.org>

Author: ngie
Date: Sat Aug 13 22:51:36 2016
New Revision: 304062
URL: https://svnweb.freebsd.org/changeset/base/304062

Log:
  MFhead @ r304061

Added:
  projects/netbsd-tests-update-12/sbin/ipfw/nat64lsn.c
     - copied unchanged from r304061, head/sbin/ipfw/nat64lsn.c
  projects/netbsd-tests-update-12/sbin/ipfw/nat64stl.c
     - copied unchanged from r304061, head/sbin/ipfw/nat64stl.c
  projects/netbsd-tests-update-12/sys/modules/ipfw_nat64/
     - copied from r304061, head/sys/modules/ipfw_nat64/
  projects/netbsd-tests-update-12/sys/netinet6/ip_fw_nat64.h
     - copied unchanged from r304061, head/sys/netinet6/ip_fw_nat64.h
  projects/netbsd-tests-update-12/sys/netpfil/ipfw/ip_fw_bpf.c
     - copied unchanged from r304061, head/sys/netpfil/ipfw/ip_fw_bpf.c
  projects/netbsd-tests-update-12/sys/netpfil/ipfw/nat64/
     - copied from r304061, head/sys/netpfil/ipfw/nat64/
Modified:
  projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/dwarf.c
  projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/merge.c
  projects/netbsd-tests-update-12/sbin/ipfw/Makefile
  projects/netbsd-tests-update-12/sbin/ipfw/ipfw.8
  projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.c
  projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.h
  projects/netbsd-tests-update-12/sbin/ipfw/main.c
  projects/netbsd-tests-update-12/sbin/ipfw/nptv6.c
  projects/netbsd-tests-update-12/sbin/ipfw/tables.c
  projects/netbsd-tests-update-12/share/timedef/af_ZA.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/am_ET.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/ar_JO.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/ar_MA.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/ar_SA.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/be_BY.CP1131.src
  projects/netbsd-tests-update-12/share/timedef/be_BY.CP1251.src
  projects/netbsd-tests-update-12/share/timedef/be_BY.ISO8859-5.src
  projects/netbsd-tests-update-12/share/timedef/be_BY.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/bg_BG.CP1251.src
  projects/netbsd-tests-update-12/share/timedef/bg_BG.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/ca_IT.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/ca_IT.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/cs_CZ.ISO8859-2.src
  projects/netbsd-tests-update-12/share/timedef/cs_CZ.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/da_DK.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/da_DK.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/de_AT.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/de_AT.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/de_DE.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/de_DE.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/el_GR.ISO8859-7.src
  projects/netbsd-tests-update-12/share/timedef/el_GR.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/en_CA.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/en_GB.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/en_IE.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/en_PH.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/en_SG.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/en_US.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/en_ZA.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/es_AR.ISO8859-1.src
  projects/netbsd-tests-update-12/share/timedef/es_CR.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/es_ES.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/es_ES.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/es_MX.ISO8859-1.src
  projects/netbsd-tests-update-12/share/timedef/es_MX.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/et_EE.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/eu_ES.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/fi_FI.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/fi_FI.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/fr_BE.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/fr_BE.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/fr_CA.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/fr_CA.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/fr_CH.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/fr_CH.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/fr_FR.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/fr_FR.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/he_IL.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/hi_IN.ISCII-DEV.src
  projects/netbsd-tests-update-12/share/timedef/hi_IN.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/hr_HR.ISO8859-2.src
  projects/netbsd-tests-update-12/share/timedef/hr_HR.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/hu_HU.ISO8859-2.src
  projects/netbsd-tests-update-12/share/timedef/hu_HU.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/hy_AM.ARMSCII-8.src
  projects/netbsd-tests-update-12/share/timedef/hy_AM.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/is_IS.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/is_IS.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/it_CH.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/it_CH.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/it_IT.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/it_IT.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/ja_JP.SJIS.src
  projects/netbsd-tests-update-12/share/timedef/ja_JP.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/ja_JP.eucJP.src
  projects/netbsd-tests-update-12/share/timedef/kk_KZ.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/ko_KR.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/ko_KR.eucKR.src
  projects/netbsd-tests-update-12/share/timedef/lt_LT.ISO8859-13.src
  projects/netbsd-tests-update-12/share/timedef/lt_LT.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/lv_LV.ISO8859-13.src
  projects/netbsd-tests-update-12/share/timedef/lv_LV.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/mn_MN.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/nb_NO.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/nb_NO.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/nl_BE.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/nl_NL.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/nn_NO.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/nn_NO.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/pl_PL.ISO8859-2.src
  projects/netbsd-tests-update-12/share/timedef/pl_PL.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/pt_BR.ISO8859-1.src
  projects/netbsd-tests-update-12/share/timedef/pt_BR.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/pt_PT.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/pt_PT.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/ro_RO.ISO8859-2.src
  projects/netbsd-tests-update-12/share/timedef/ro_RO.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/ru_RU.CP1251.src
  projects/netbsd-tests-update-12/share/timedef/ru_RU.CP866.src
  projects/netbsd-tests-update-12/share/timedef/ru_RU.ISO8859-5.src
  projects/netbsd-tests-update-12/share/timedef/ru_RU.KOI8-R.src
  projects/netbsd-tests-update-12/share/timedef/ru_RU.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/se_FI.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/se_NO.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/sk_SK.ISO8859-2.src
  projects/netbsd-tests-update-12/share/timedef/sk_SK.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/sl_SI.ISO8859-2.src
  projects/netbsd-tests-update-12/share/timedef/sl_SI.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/sr_RS.ISO8859-2.src
  projects/netbsd-tests-update-12/share/timedef/sr_RS.ISO8859-5.src
  projects/netbsd-tests-update-12/share/timedef/sr_RS.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/sr_RS.UTF-8@latin.src
  projects/netbsd-tests-update-12/share/timedef/sv_FI.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/sv_SE.ISO8859-15.src
  projects/netbsd-tests-update-12/share/timedef/sv_SE.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/tr_TR.ISO8859-9.src
  projects/netbsd-tests-update-12/share/timedef/tr_TR.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/uk_UA.CP1251.src
  projects/netbsd-tests-update-12/share/timedef/uk_UA.ISO8859-5.src
  projects/netbsd-tests-update-12/share/timedef/uk_UA.KOI8-U.src
  projects/netbsd-tests-update-12/share/timedef/uk_UA.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/zh_CN.GB2312.src
  projects/netbsd-tests-update-12/share/timedef/zh_CN.GBK.src
  projects/netbsd-tests-update-12/share/timedef/zh_CN.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/zh_CN.eucCN.src
  projects/netbsd-tests-update-12/share/timedef/zh_HK.UTF-8.src
  projects/netbsd-tests-update-12/share/timedef/zh_TW.Big5.src
  projects/netbsd-tests-update-12/share/timedef/zh_TW.UTF-8.src
  projects/netbsd-tests-update-12/sys/conf/NOTES
  projects/netbsd-tests-update-12/sys/conf/files
  projects/netbsd-tests-update-12/sys/conf/options
  projects/netbsd-tests-update-12/sys/kern/kern_exec.c
  projects/netbsd-tests-update-12/sys/modules/Makefile
  projects/netbsd-tests-update-12/sys/modules/ipfw/Makefile
  projects/netbsd-tests-update-12/sys/netinet/ip_fw.h
  projects/netbsd-tests-update-12/sys/netpfil/ipfw/ip_fw2.c
  projects/netbsd-tests-update-12/sys/netpfil/ipfw/ip_fw_log.c
  projects/netbsd-tests-update-12/sys/netpfil/ipfw/ip_fw_private.h
  projects/netbsd-tests-update-12/sys/netpfil/ipfw/ip_fw_table.c
  projects/netbsd-tests-update-12/sys/netpfil/ipfw/nptv6/nptv6.c
  projects/netbsd-tests-update-12/sys/powerpc/aim/locore.S
  projects/netbsd-tests-update-12/sys/powerpc/booke/locore.S
  projects/netbsd-tests-update-12/sys/powerpc/booke/pmap.c
  projects/netbsd-tests-update-12/sys/powerpc/mpc85xx/platform_mpc85xx.c
  projects/netbsd-tests-update-12/sys/powerpc/powerpc/machdep.c
  projects/netbsd-tests-update-12/sys/powerpc/powerpc/mmu_if.m
  projects/netbsd-tests-update-12/sys/powerpc/powerpc/pmap_dispatch.c
  projects/netbsd-tests-update-12/sys/vm/vm_page.c
  projects/netbsd-tests-update-12/sys/vm/vm_phys.c
  projects/netbsd-tests-update-12/tests/sys/acl/00.sh
  projects/netbsd-tests-update-12/tests/sys/acl/01.sh
  projects/netbsd-tests-update-12/tests/sys/acl/02.sh
  projects/netbsd-tests-update-12/tests/sys/acl/03.sh
  projects/netbsd-tests-update-12/tests/sys/acl/04.sh
  projects/netbsd-tests-update-12/usr.bin/nfsstat/nfsstat.1
  projects/netbsd-tests-update-12/usr.bin/nfsstat/nfsstat.c
Directory Properties:
  projects/netbsd-tests-update-12/   (props changed)
  projects/netbsd-tests-update-12/cddl/   (props changed)
  projects/netbsd-tests-update-12/cddl/contrib/opensolaris/   (props changed)

Modified: projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/dwarf.c
==============================================================================
--- projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/dwarf.c	Sat Aug 13 22:14:16 2016	(r304061)
+++ projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/dwarf.c	Sat Aug 13 22:51:36 2016	(r304062)
@@ -816,6 +816,11 @@ die_enum_create(dwarf_t *dw, Dwarf_Die d
 	Dwarf_Unsigned uval;
 	Dwarf_Signed sval;
 
+	if (die_isdecl(dw, die)) {
+		tdp->t_type = FORWARD;
+		return;
+	}
+
 	debug(3, "die %llu: creating enum\n", off);
 
 	tdp->t_type = ENUM;
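Review bot: The new early return in die_enum_create carries no comment saying why a declaration-only enum is recorded as FORWARD, and it exits before the `debug(3, "die %llu: creating enum\n", off)` trace, so these DIEs leave no mark in the debug output. A one-line comment above the check would help, for example `/* Declaration-only enum: emit a forward and let the merge step resolve it to the definition. */`. If `off` is already initialised at that point (its assignment is outside the hunk), a matching `debug(3, "die %llu: creating forward enum\n", off);` before the `return` would keep the trace complete. The function starts before and continues after this hunk.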

Modified: projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/merge.c
==============================================================================
--- projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/merge.c	Sat Aug 13 22:14:16 2016	(r304061)
+++ projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/merge.c	Sat Aug 13 22:51:36 2016	(r304062)
@@ -338,7 +338,8 @@ fwd_equiv(tdesc_t *ctdp, tdesc_t *mtdp)
 {
 	tdesc_t *defn = (ctdp->t_type == FORWARD ? mtdp : ctdp);
 
-	return (defn->t_type == STRUCT || defn->t_type == UNION);
+	return (defn->t_type == STRUCT || defn->t_type == UNION ||
+	    defn->t_type == ENUM);
 }
 
 static int
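Review bot: fwd_equiv picks the non-FORWARD side as `defn` and now accepts STRUCT, UNION or ENUM for it, but nothing in the visible lines compares the kind the forward was declared with against the kind of the definition. If the caller matches only on name (not visible here), a forward `struct foo` would be treated as equivalent to a definition of `enum foo`. That is worth stating in a comment above the return, e.g. `/* The forward's own kind is not recorded, so any struct, union or enum definition is accepted. */`. The function's signature and any header comment sit outside the hunk.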

Modified: projects/netbsd-tests-update-12/sbin/ipfw/Makefile
==============================================================================
--- projects/netbsd-tests-update-12/sbin/ipfw/Makefile	Sat Aug 13 22:14:16 2016	(r304061)
+++ projects/netbsd-tests-update-12/sbin/ipfw/Makefile	Sat Aug 13 22:51:36 2016	(r304062)
@@ -5,7 +5,7 @@
 PACKAGE=ipfw
 PROG=	ipfw
 SRCS=	ipfw2.c dummynet.c ipv6.c main.c nat.c tables.c
-SRCS+=	nptv6.c
+SRCS+=	nat64lsn.c nat64stl.c nptv6.c
 WARNS?=	2
 
 .if ${MK_PF} != "no"

Modified: projects/netbsd-tests-update-12/sbin/ipfw/ipfw.8
==============================================================================
--- projects/netbsd-tests-update-12/sbin/ipfw/ipfw.8	Sat Aug 13 22:14:16 2016	(r304061)
+++ projects/netbsd-tests-update-12/sbin/ipfw/ipfw.8	Sat Aug 13 22:51:36 2016	(r304062)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 19, 2016
+.Dd August 13, 2016
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -113,6 +113,37 @@ in-kernel NAT.
 .Oc
 .Oc
 .Ar pathname
+.Ss STATEFUL IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+.Nm
+.Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options
+.Nm
+.Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options
+.Nm
+.Oo Cm set Ar N Oc Cm nat64lsn
+.Brq Ar name | all
+.Brq Cm list | show
+.Op Cm states
+.Nm
+.Oo Cm set Ar N Oc Cm nat64lsn
+.Brq Ar name | all
+.Cm destroy
+.Nm
+.Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm stats Op Cm reset
+.Ss STATELESS IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+.Nm
+.Oo Cm set Ar N Oc Cm nat64stl Ar name Cm create Ar create-options
+.Nm
+.Oo Cm set Ar N Oc Cm nat64stl Ar name Cm config Ar config-options
+.Nm
+.Oo Cm set Ar N Oc Cm nat64stl
+.Brq Ar name | all
+.Brq Cm list | show
+.Nm
+.Oo Cm set Ar N Oc Cm nat64stl
+.Brq Ar name | all
+.Cm destroy
+.Nm
+.Oo Cm set Ar N Oc Cm nat64stl Ar name Cm stats Op Cm reset
 .Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION
 .Nm
 .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options
@@ -125,7 +156,7 @@ in-kernel NAT.
 .Brq Ar name | all
 .Cm destroy
 .Nm
-.Oo Cm set Ar N Oc Cm nptv6 Ar name Cm stats
+.Oo Cm set Ar N Oc Cm nptv6 Ar name Cm stats Op Cm reset
 .Ss INTERNAL DIAGNOSTICS
 .Nm
 .Cm internal iflist
@@ -837,6 +868,16 @@ nat instance
 see the
 .Sx NETWORK ADDRESS TRANSLATION (NAT)
 Section for further information.
+.It Cm nat64lsn Ar name
+Pass packet to a stateful NAT64 instance (for IPv6/IPv4 network address and
+protocol translation): see the
+.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+Section for further information.
+.It Cm nat64stl Ar name
+Pass packet to a stateless NAT64 instance (for IPv6/IPv4 network address and
+protocol translation): see the
+.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+Section for further information.
 .It Cm nptv6 Ar name
 Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
 see the
@@ -2927,9 +2968,189 @@ instances.
 See
 .Sx SYSCTL VARIABLES
 for more info.
+.Sh IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+.Nm
+supports in-kernel IPv6/IPv4 network address and protocol translation.
+Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
+using unicast TCP, UDP or ICMP protocols.
+One or more IPv4 addresses assigned to a stateful NAT64 translator are shared
+among serveral IPv6-only clients.
+When stateful NAT64 is used in conjunction with DNS64, no changes are usually
+required in the IPv6 client or the IPv4 server.
+The kernel module
+.Cm ipfw_nat64
+should be loaded or kernel should have
+.Cm options IPFIREWALL_NAT64
+to be able use stateful NAT64 translator.
+.Pp
+Stateful NAT64 uses a bunch of memory for several types of objects.
+When IPv6 client initiates connection, NAT64 translator creates a host entry
+in the states table.
+Each host entry has a number of ports group entries allocated on demand.
+Ports group entries contains connection state entries.
+There are several options to control limits and lifetime for these objects.
+.Pp
+NAT64 translator follows RFC7915 when does ICMPv6/ICMP translation,
+unsupported message types will be silently dropped.
+IPv6 needs several ICMPv6 message types to be explicitly allowed for correct
+operation.
+Make sure that ND6 neighbor solicitation (ICMPv6 type 135) and neighbor
+advertisement (ICMPv6 type 136) messages will not be handled by translation
+rules.
+.Pp
+After translation NAT64 translator sends packets through corresponding netisr
+queue.
+Thus translator host should be configured as IPv4 and IPv6 router.
+.Pp
+Currently both stateful and stateless NAT64 translators use Well-Known IPv6
+Prefix
+.Ar 64:ff9b::/96
+to represent IPv4 addresses in the IPv6 address.
+Thus DNS64 service and routing should be configured to use Well-Known IPv6
+Prefix.
+.Pp
+The stateful NAT64 configuration command is the following:
+.Bd -ragged -offset indent
+.Bk -words
+.Cm nat64lsn
+.Ar name
+.Cm create
+.Ar create-options
+.Ek
+.Ed
+.Pp
+The following parameters can be configured:
+.Bl -tag -width indent
+.It Cm prefix4 Ar ipv4_prefix/mask
+The IPv4 prefix with mask defines the pool of IPv4 addresses used as
+source address after translation.
+Stateful NAT64 module translates IPv6 source address of client to one
+IPv4 address from this pool.
+Note that incoming IPv4 packets that don't have corresponding state entry
+in the states table will be dropped by translator.
+Make sure that translation rules handle packets, destined to configured prefix.
+.It Cm max_ports Ar number
+Maximum number of ports reserved for upper level protocols to one IPv6 client.
+All reserved ports are divided into chunks between supported protocols.
+The number of connections from one IPv6 client is limited by this option.
+Note that closed TCP connections still remain in the list of connections until
+.Cm tcp_close_age
+interval will not expire.
+Default value is
+.Ar 2048 .
+.It Cm host_del_age Ar seconds
+The number of seconds until the host entry for a IPv6 client will be deleted
+and all its resources will be released due to inactivity.
+Default value is
+.Ar 3600 .
+.It Cm pg_del_age Ar seconds
+The number of seconds until a ports group with unused state entries will
+be released.
+Default value is
+.Ar 900 .
+.It Cm tcp_syn_age Ar seconds
+The number of seconds while a state entry for TCP connection with only SYN
+sent will be kept.
+If TCP connection establishing will not be finished,
+state entry will be deleted.
+Default value is
+.Ar 10 .
+.It Cm tcp_est_age Ar seconds
+The number of seconds while a state entry for established TCP connection
+will be kept.
+Default value is
+.Ar 7200 .
+.It Cm tcp_close_age Ar seconds
+The number of seconds while a state entry for closed TCP connection
+will be kept.
+Keeping state entries for closed connections is needed, because IPv4 servers
+typically keep closed connections in a TIME_WAIT state for a several minutes.
+Since translator's IPv4 addresses are shared among all IPv6 clients,
+new connections from the same addresses and ports may be rejected by server,
+because these connections are still in a TIME_WAIT state.
+Keeping them in translator's state table protects from such rejects.
+Default value is
+.Ar 180 .
+.It Cm udp_age Ar seconds
+The number of seconds while translator keeps state entry in a waiting for
+reply to the sent UDP datagram.
+Default value is
+.Ar 120 .
+.It Cm icmp_age Ar seconds
+The number of seconds while translator keeps state entry in a waiting for
+reply to the sent ICMP message.
+Default value is
+.Ar 60 .
+.It Cm log
+Turn on logging of all handled packets via BPF through
+.Ar ipfwlog0
+interface.
+.Ar ipfwlog0
+is a pseudo interface and can be created after a boot manually with
+.Cm ifconfig
+command.
+Note that it has different purpose than
+.Ar ipfw0
+interface.
+Translators sends to BPF an additional information with each packet.
+With
+.Cm tcpdump
+you are able to see each handled packet before and after translation.
+.It Cm -log
+Turn off logging of all handled packets via BPF.
+.El
+.Pp
+To inspect a states table of stateful NAT64 the following command can be used:
+.Bd -ragged -offset indent
+.Bk -words
+.Cm nat64lsn
+.Ar name
+.Cm show Cm states
+.Ek
+.Ed
+.Pp
+.Pp
+Stateless NAT64 translator doesn't use a states table for translation
+and converts IPv4 addresses to IPv6 and vice versa solely based on the
+mappings taken from configured lookup tables.
+Since a states table doesn't used by stateless translator,
+it can be configured to pass IPv4 clients to IPv6-only servers.
+.Pp
+The stateless NAT64 configuration command is the following:
+.Bd -ragged -offset indent
+.Bk -words
+.Cm nat64stl
+.Ar name
+.Cm create
+.Ar create-options
+.Ek
+.Ed
+.Pp
+The following parameters can be configured:
+.Bl -tag -width indent
+.It Cm table4 Ar table46
+The lookup table
+.Ar table46
+contains mapping how IPv4 addresses should be translated to IPv6 addresses.
+.It Cm table6 Ar table64
+The lookup table
+.Ar table64
+contains mapping how IPv6 addresses should be translated to IPv4 addresses.
+.It Cm log
+Turn on logging of all handled packets via BPF through
+.Ar ipfwlog0
+interface.
+.It Cm -log
+Turn off logging of all handled packets via BPF.
+.El
+.Pp
+Note that the behavior of stateless translator with respect to not matched
+packets differs from stateful translator.
+If corresponding addresses was not found in the lookup tables, the packet
+will not be dropped and the search continues.
 .Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
 .Nm
-support in-kernel IPv6-to-IPv6 network prefix translation as described
+supports in-kernel IPv6-to-IPv6 network prefix translation as described
 in RFC6296.
 The kernel module
 .Cm ipfw_nptv6

Modified: projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.c
==============================================================================
--- projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.c	Sat Aug 13 22:14:16 2016	(r304061)
+++ projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.c	Sat Aug 13 22:51:36 2016	(r304062)
@@ -235,6 +235,8 @@ static struct _s_x ether_types[] = {
 };
 
 static struct _s_x rule_eactions[] = {
+	{ "nat64lsn",		TOK_NAT64LSN },
+	{ "nat64stl",		TOK_NAT64STL },
 	{ "nptv6",		TOK_NPTV6 },
 	{ NULL, 0 }	/* terminator */
 };

Modified: projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.h
==============================================================================
--- projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.h	Sat Aug 13 22:14:16 2016	(r304061)
+++ projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.h	Sat Aug 13 22:51:36 2016	(r304062)
@@ -254,7 +254,30 @@ enum tokens {
 	TOK_UNLOCK,
 	TOK_VLIST,
 	TOK_OLIST,
+
+	/* NAT64 tokens */
+	TOK_NAT64STL,
+	TOK_NAT64LSN,
 	TOK_STATS,
+	TOK_STATES,
+	TOK_CONFIG,
+	TOK_TABLE4,
+	TOK_TABLE6,
+	TOK_PREFIX4,
+	TOK_PREFIX6,
+	TOK_AGG_LEN,
+	TOK_AGG_COUNT,
+	TOK_MAX_PORTS,
+	TOK_JMAXLEN,
+	TOK_PORT_RANGE,
+	TOK_HOST_DEL_AGE,
+	TOK_PG_DEL_AGE,
+	TOK_TCP_SYN_AGE,
+	TOK_TCP_CLOSE_AGE,
+	TOK_TCP_EST_AGE,
+	TOK_UDP_AGE,
+	TOK_ICMP_AGE,
+	TOK_LOGOFF,
 
 	/* NPTv6 tokens */
 	TOK_NPTV6,
@@ -347,6 +370,8 @@ void ipfw_flush(int force);
 void ipfw_zero(int ac, char *av[], int optname);
 void ipfw_list(int ac, char *av[], int show_counters);
 void ipfw_internal_handler(int ac, char *av[]);
+void ipfw_nat64lsn_handler(int ac, char *av[]);
+void ipfw_nat64stl_handler(int ac, char *av[]);
 void ipfw_nptv6_handler(int ac, char *av[]);
 int ipfw_check_object_name(const char *name);
 
@@ -384,7 +409,10 @@ void bp_flush(struct buf_pr *b);
 
 /* tables.c */
 struct _ipfw_obj_ctlv;
+struct _ipfw_obj_ntlv;
 int table_check_name(const char *tablename);
 void ipfw_list_ta(int ac, char *av[]);
 void ipfw_list_values(int ac, char *av[]);
+void table_fill_ntlv(struct _ipfw_obj_ntlv *ntlv, const char *name,
+    uint8_t set, uint16_t uidx);
 

Modified: projects/netbsd-tests-update-12/sbin/ipfw/main.c
==============================================================================
--- projects/netbsd-tests-update-12/sbin/ipfw/main.c	Sat Aug 13 22:14:16 2016	(r304061)
+++ projects/netbsd-tests-update-12/sbin/ipfw/main.c	Sat Aug 13 22:51:36 2016	(r304062)
@@ -425,6 +425,10 @@ ipfw_main(int oldac, char **oldav)
 	if (co.use_set || try_next) {
 		if (_substrcmp(*av, "delete") == 0)
 			ipfw_delete(av);
+		else if (!strncmp(*av, "nat64stl", strlen(*av)))
+			ipfw_nat64stl_handler(ac, av);
+		else if (!strncmp(*av, "nat64lsn", strlen(*av)))
+			ipfw_nat64lsn_handler(ac, av);
 		else if (!strncmp(*av, "nptv6", strlen(*av)))
 			ipfw_nptv6_handler(ac, av);
 		else if (_substrcmp(*av, "flush") == 0)
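Review bot: The two new branches match by prefix, `!strncmp(*av, "nat64stl", strlen(*av))`, so any abbreviation that is a prefix of both keywords (for example `nat64`) silently dispatches to nat64stl because of branch order, and a zero-length argument compares equal as well. A single-letter `n` that previously fell through to the nptv6 branch now lands on nat64stl too, unless earlier dispatch in ipfw_main (outside this hunk) catches it first. For a firewall configuration tool an ambiguous keyword should fail rather than pick a translator; since these keywords are new and have no legacy abbreviations to keep, an exact comparison such as `else if (strcmp(*av, "nat64stl") == 0)` and `else if (strcmp(*av, "nat64lsn") == 0)` would avoid the ambiguity. The body of ipfw_main begins and ends outside the hunk.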

Copied: projects/netbsd-tests-update-12/sbin/ipfw/nat64lsn.c (from r304061, head/sbin/ipfw/nat64lsn.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ projects/netbsd-tests-update-12/sbin/ipfw/nat64lsn.c	Sat Aug 13 22:51:36 2016	(r304062, copy of r304061, head/sbin/ipfw/nat64lsn.c)
@@ -0,0 +1,854 @@
+/*-
+ * Copyright (c) 2015-2016 Yandex LLC
+ * Copyright (c) 2015-2016 Alexander V. Chernikov <melifaro@FreeBSD.org>
+ * Copyright (c) 2015-2016 Andrey V. Elsukov <ae@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include "ipfw2.h"
+
+#include <ctype.h>
+#include <err.h>
+#include <errno.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sysexits.h>
+
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/ip_fw.h>
+#include <netinet6/ip_fw_nat64.h>
+#include <arpa/inet.h>
+
+static void nat64lsn_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name,
+    uint8_t set);
+typedef int (nat64lsn_cb_t)(ipfw_nat64lsn_cfg *cfg, const char *name,
+    uint8_t set);
+static int nat64lsn_foreach(nat64lsn_cb_t *f, const char *name, uint8_t set,
+    int sort);
+
+static void nat64lsn_create(const char *name, uint8_t set, int ac, char **av);
+static void nat64lsn_config(const char *name, uint8_t set, int ac, char **av);
+static void nat64lsn_destroy(const char *name, uint8_t set);
+static void nat64lsn_stats(const char *name, uint8_t set);
+static void nat64lsn_reset_stats(const char *name, uint8_t set);
+static int nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name,
+    uint8_t set);
+static int nat64lsn_destroy_cb(ipfw_nat64lsn_cfg *cfg, const char *name,
+    uint8_t set);
+static int nat64lsn_states_cb(ipfw_nat64lsn_cfg *cfg, const char *name,
+    uint8_t set);
+
+static struct _s_x nat64cmds[] = {
+      { "create",	TOK_CREATE },
+      { "config",	TOK_CONFIG },
+      { "destroy",	TOK_DESTROY },
+      { "list",		TOK_LIST },
+      { "show",		TOK_LIST },
+      { "stats",	TOK_STATS },
+      { NULL, 0 }
+};
+
+static uint64_t
+nat64lsn_print_states(void *buf)
+{
+	char s[INET6_ADDRSTRLEN], a[INET_ADDRSTRLEN], f[INET_ADDRSTRLEN];
+	char sflags[4], *sf, *proto;
+	ipfw_obj_header *oh;
+	ipfw_obj_data *od;
+	ipfw_nat64lsn_stg *stg;
+	ipfw_nat64lsn_state *ste;
+	uint64_t next_idx;
+	int i, sz;
+
+	oh = (ipfw_obj_header *)buf;
+	od = (ipfw_obj_data *)(oh + 1);
+	stg = (ipfw_nat64lsn_stg *)(od + 1);
+	sz = od->head.length - sizeof(*od);
+	next_idx = 0;
+	while (sz > 0 && next_idx != 0xFF) {
+		next_idx = stg->next_idx;
+		sz -= sizeof(*stg);
+		if (stg->count == 0) {
+			stg++;
+			continue;
+		}
+		switch (stg->proto) {
+		case IPPROTO_TCP:
+			proto = "TCP";
+			break;
+		case IPPROTO_UDP:
+			proto = "UDP";
+			break;
+		case IPPROTO_ICMPV6:
+			proto = "ICMPv6";
+			break;
+		}
+		inet_ntop(AF_INET6, &stg->host6, s, sizeof(s));
+		inet_ntop(AF_INET, &stg->alias4, a, sizeof(a));
+		ste = (ipfw_nat64lsn_state *)(stg + 1);
+		for (i = 0; i < stg->count && sz > 0; i++) {
+			sf = sflags;
+			inet_ntop(AF_INET, &ste->daddr, f, sizeof(f));
+			if (stg->proto == IPPROTO_TCP) {
+				if (ste->flags & 0x02)
+					*sf++ = 'S';
+				if (ste->flags & 0x04)
+					*sf++ = 'E';
+				if (ste->flags & 0x01)
+					*sf++ = 'F';
+			}
+			*sf = '\0';
+			switch (stg->proto) {
+			case IPPROTO_TCP:
+			case IPPROTO_UDP:
+				printf("%s:%d\t%s:%d\t%s\t%s\t%d\t%s:%d\n",
+				    s, ste->sport, a, ste->aport, proto,
+				    sflags, ste->idle, f, ste->dport);
+				break;
+			case IPPROTO_ICMPV6:
+				printf("%s\t%s\t%s\t\t%d\t%s\n",
+				    s, a, proto, ste->idle, f);
+				break;
+			default:
+				printf("%s\t%s\t%d\t\t%d\t%s\n",
+				    s, a, stg->proto, ste->idle, f);
+			}
+			ste++;
+			sz -= sizeof(*ste);
+		}
+		stg = (ipfw_nat64lsn_stg *)ste;
+	}
+	return (next_idx);
+}
+
+static int
+nat64lsn_states_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set)
+{
+	ipfw_obj_header *oh;
+	ipfw_obj_data *od;
+	void *buf;
+	uint64_t next_idx;
+	size_t sz;
+
+	if (name != NULL && strcmp(cfg->name, name) != 0)
+		return (ESRCH);
+
+	if (set != 0 && cfg->set != set)
+		return (ESRCH);
+
+	next_idx = 0;
+	sz = 4096;
+	if ((buf = calloc(1, sz)) == NULL)
+		err(EX_OSERR, NULL);
+	do {
+		oh = (ipfw_obj_header *)buf;
+		od = (ipfw_obj_data *)(oh + 1);
+		nat64lsn_fill_ntlv(&oh->ntlv, cfg->name, set);
+		od->head.type = IPFW_TLV_OBJDATA;
+		od->head.length = sizeof(*od) + sizeof(next_idx);
+		*((uint64_t *)(od + 1)) = next_idx;
+		if (do_get3(IP_FW_NAT64LSN_LIST_STATES, &oh->opheader, &sz))
+			err(EX_OSERR, "Error reading nat64lsn states");
+		next_idx = nat64lsn_print_states(buf);
+		sz = 4096;
+		memset(buf, 0, sz);
+	} while (next_idx != 0xFF);
+
+	free(buf);
+	return (0);
+}
+
+static struct _s_x nat64statscmds[] = {
+      { "reset",	TOK_RESET },
+      { NULL, 0 }
+};
+
+static void
+ipfw_nat64lsn_stats_handler(const char *name, uint8_t set, int ac, char *av[])
+{
+	int tcmd;
+
+	if (ac == 0) {
+		nat64lsn_stats(name, set);
+		return;
+	}
+	NEED1("nat64lsn stats needs command");
+	tcmd = get_token(nat64statscmds, *av, "nat64lsn stats command");
+	switch (tcmd) {
+	case TOK_RESET:
+		nat64lsn_reset_stats(name, set);
+	}
+}
+
+static struct _s_x nat64listcmds[] = {
+      { "states",	TOK_STATES },
+      { "config",	TOK_CONFIG },
+      { NULL, 0 }
+};
+
+static void
+ipfw_nat64lsn_list_handler(const char *name, uint8_t set, int ac, char *av[])
+{
+	int tcmd;
+
+	if (ac == 0) {
+		nat64lsn_foreach(nat64lsn_show_cb, name, set, 1);
+		return;
+	}
+	NEED1("nat64lsn list needs command");
+	tcmd = get_token(nat64listcmds, *av, "nat64lsn list command");
+	switch (tcmd) {
+	case TOK_STATES:
+		nat64lsn_foreach(nat64lsn_states_cb, name, set, 1);
+		break;
+	case TOK_CONFIG:
+		nat64lsn_foreach(nat64lsn_show_cb, name, set, 1);
+	}
+}
+
+/*
+ * This one handles all nat64lsn-related commands
+ *	ipfw [set N] nat64lsn NAME {create | config} ...
+ *	ipfw [set N] nat64lsn NAME stats
+ *	ipfw [set N] nat64lsn {NAME | all} destroy
+ *	ipfw [set N] nat64lsn {NAME | all} {list | show} [config | states]
+ */
+#define	nat64lsn_check_name	table_check_name
+void
+ipfw_nat64lsn_handler(int ac, char *av[])
+{
+	const char *name;
+	int tcmd;
+	uint8_t set;
+
+	if (co.use_set != 0)
+		set = co.use_set - 1;
+	else
+		set = 0;
+	ac--; av++;
+
+	NEED1("nat64lsn needs instance name");
+	name = *av;
+	if (nat64lsn_check_name(name) != 0) {
+		if (strcmp(name, "all") == 0)
+			name = NULL;
+		else
+			errx(EX_USAGE, "nat64lsn instance name %s is invalid",
+			    name);
+	}
+	ac--; av++;
+	NEED1("nat64lsn needs command");
+
+	tcmd = get_token(nat64cmds, *av, "nat64lsn command");
+	if (name == NULL && tcmd != TOK_DESTROY && tcmd != TOK_LIST)
+		errx(EX_USAGE, "nat64lsn instance name required");
+	switch (tcmd) {
+	case TOK_CREATE:
+		ac--; av++;
+		nat64lsn_create(name, set, ac, av);
+		break;
+	case TOK_CONFIG:
+		ac--; av++;
+		nat64lsn_config(name, set, ac, av);
+		break;
+	case TOK_LIST:
+		ac--; av++;
+		ipfw_nat64lsn_list_handler(name, set, ac, av);
+		break;
+	case TOK_DESTROY:
+		if (name == NULL)
+			nat64lsn_foreach(nat64lsn_destroy_cb, NULL, set, 0);
+		else
+			nat64lsn_destroy(name, set);
+		break;
+	case TOK_STATS:
+		ac--; av++;
+		ipfw_nat64lsn_stats_handler(name, set, ac, av);
+	}
+}
+
+static void
+nat64lsn_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name, uint8_t set)
+{
+
+	ntlv->head.type = IPFW_TLV_EACTION_NAME(1); /* it doesn't matter */
+	ntlv->head.length = sizeof(ipfw_obj_ntlv);
+	ntlv->idx = 1;
+	ntlv->set = set;
+	strlcpy(ntlv->name, name, sizeof(ntlv->name));
+}
+
+static void
+nat64lsn_apply_mask(int af, void *prefix, uint16_t plen)
+{
+	struct in6_addr mask6, *p6;
+	struct in_addr mask4, *p4;
+
+	if (af == AF_INET) {
+		p4 = (struct in_addr *)prefix;
+		mask4.s_addr = htonl(~((1 << (32 - plen)) - 1));
+		p4->s_addr &= mask4.s_addr;
+	} else if (af == AF_INET6) {
+		p6 = (struct in6_addr *)prefix;
+		n2mask(&mask6, plen);
+		APPLY_MASK(p6, &mask6);
+	}
+}
+
+static void
+nat64lsn_parse_prefix(const char *arg, int af, void *prefix, uint16_t *plen)
+{
+	char *p, *l;
+
+	p = strdup(arg);
+	if (p == NULL)
+		err(EX_OSERR, NULL);
+	if ((l = strchr(p, '/')) != NULL)
+		*l++ = '\0';
+	if (l == NULL)
+		errx(EX_USAGE, "Prefix length required");
+	if (inet_pton(af, p, prefix) != 1)
+		errx(EX_USAGE, "Bad prefix: %s", p);
+	*plen = (uint16_t)strtol(l, &l, 10);
+	if (*l != '\0' || *plen == 0 || (af == AF_INET && *plen > 32) ||
+	    (af == AF_INET6 && *plen > 96))
+		errx(EX_USAGE, "Bad prefix length: %s", arg);
+	nat64lsn_apply_mask(af, prefix, *plen);
+	free(p);
+}
+
+static uint32_t
+nat64lsn_parse_int(const char *arg, const char *desc)
+{
+	char *p;
+	uint32_t val;
+
+	val = (uint32_t)strtol(arg, &p, 10);
+	if (*p != '\0')
+		errx(EX_USAGE, "Invalid %s value: %s\n", desc, arg);
+	return (val);
+}
+
+static struct _s_x nat64newcmds[] = {
+      { "prefix6",	TOK_PREFIX6 },
+      { "agg_len",	TOK_AGG_LEN }, /* not yet */
+      { "agg_count",	TOK_AGG_COUNT }, /* not yet */
+      { "port_range",	TOK_PORT_RANGE }, /* not yet */
+      { "jmaxlen",	TOK_JMAXLEN },
+      { "prefix4",	TOK_PREFIX4 },
+      { "max_ports",	TOK_MAX_PORTS },
+      { "host_del_age",	TOK_HOST_DEL_AGE },
+      { "pg_del_age",	TOK_PG_DEL_AGE },
+      { "tcp_syn_age",	TOK_TCP_SYN_AGE },
+      { "tcp_close_age",TOK_TCP_CLOSE_AGE },
+      { "tcp_est_age",	TOK_TCP_EST_AGE },
+      { "udp_age",	TOK_UDP_AGE },
+      { "icmp_age",	TOK_ICMP_AGE },
+      { "log",		TOK_LOG },
+      { "-log",		TOK_LOGOFF },
+      { NULL, 0 }
+};
+
+/*
+ * Creates new nat64lsn instance
+ * ipfw nat64lsn <NAME> create
+ *     [ max_ports <N> ]
+ * Request: [ ipfw_obj_lheader ipfw_nat64lsn_cfg ]
+ */
+#define	NAT64LSN_HAS_PREFIX4	0x01
+#define	NAT64LSN_HAS_PREFIX6	0x02
+static void
+nat64lsn_create(const char *name, uint8_t set, int ac, char **av)
+{
+	char buf[sizeof(ipfw_obj_lheader) + sizeof(ipfw_nat64lsn_cfg)];
+	ipfw_nat64lsn_cfg *cfg;
+	ipfw_obj_lheader *olh;
+	int tcmd, flags;
+	char *opt;
+
+	memset(&buf, 0, sizeof(buf));
+	olh = (ipfw_obj_lheader *)buf;
+	cfg = (ipfw_nat64lsn_cfg *)(olh + 1);
+
+	/* Some reasonable defaults */
+	inet_pton(AF_INET6, "64:ff9b::", &cfg->prefix6);
+	cfg->plen6 = 96;
+	cfg->set = set;
+	cfg->max_ports = NAT64LSN_MAX_PORTS;
+	cfg->jmaxlen = NAT64LSN_JMAXLEN;
+	cfg->nh_delete_delay = NAT64LSN_HOST_AGE;
+	cfg->pg_delete_delay = NAT64LSN_PG_AGE;
+	cfg->st_syn_ttl = NAT64LSN_TCP_SYN_AGE;
+	cfg->st_estab_ttl = NAT64LSN_TCP_EST_AGE;
+	cfg->st_close_ttl = NAT64LSN_TCP_FIN_AGE;
+	cfg->st_udp_ttl = NAT64LSN_UDP_AGE;
+	cfg->st_icmp_ttl = NAT64LSN_ICMP_AGE;
+	flags = NAT64LSN_HAS_PREFIX6;
+	while (ac > 0) {
+		tcmd = get_token(nat64newcmds, *av, "option");
+		opt = *av;
+		ac--; av++;
+
+		switch (tcmd) {
+		case TOK_PREFIX4:
+			NEED1("IPv4 prefix required");
+			nat64lsn_parse_prefix(*av, AF_INET, &cfg->prefix4,
+			    &cfg->plen4);
+			flags |= NAT64LSN_HAS_PREFIX4;
+			ac--; av++;
+			break;
+#if 0
+		case TOK_PREFIX6:
+			NEED1("IPv6 prefix required");
+			nat64lsn_parse_prefix(*av, AF_INET6, &cfg->prefix6,
+			    &cfg->plen6);
+			ac--; av++;
+			break;
+		case TOK_AGG_LEN:
+			NEED1("Aggregation prefix len required");
+			cfg->agg_prefix_len = nat64lsn_parse_int(*av, opt);
+			ac--; av++;
+			break;
+		case TOK_AGG_COUNT:
+			NEED1("Max per-prefix count required");
+			cfg->agg_prefix_max = nat64lsn_parse_int(*av, opt);
+			ac--; av++;
+			break;
+		case TOK_PORT_RANGE:
+			NEED1("port range x[:y] required");
+			if ((p = strchr(*av, ':')) == NULL)
+				cfg->min_port = (uint16_t)nat64lsn_parse_int(
+				    *av, opt);
+			else {
+				*p++ = '\0';
+				cfg->min_port = (uint16_t)nat64lsn_parse_int(
+				    *av, opt);
+				cfg->max_port = (uint16_t)nat64lsn_parse_int(
+				    p, opt);
+			}
+			ac--; av++;
+			break;
+		case TOK_JMAXLEN:
+			NEED1("job queue length required");
+			cfg->jmaxlen = nat64lsn_parse_int(*av, opt);
+			ac--; av++;
+			break;
+#endif
+		case TOK_MAX_PORTS:
+			NEED1("Max per-user ports required");
+			cfg->max_ports = nat64lsn_parse_int(*av, opt);
+			ac--; av++;
+			break;
+		case TOK_HOST_DEL_AGE:
+			NEED1("host delete delay required");
+			cfg->nh_delete_delay = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_PG_DEL_AGE:
+			NEED1("portgroup delete delay required");
+			cfg->pg_delete_delay = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_TCP_SYN_AGE:
+			NEED1("tcp syn age required");
+			cfg->st_syn_ttl = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_TCP_CLOSE_AGE:
+			NEED1("tcp close age required");
+			cfg->st_close_ttl = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_TCP_EST_AGE:
+			NEED1("tcp est age required");
+			cfg->st_estab_ttl = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_UDP_AGE:
+			NEED1("udp age required");
+			cfg->st_udp_ttl = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_ICMP_AGE:
+			NEED1("icmp age required");
+			cfg->st_icmp_ttl = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_LOG:
+			cfg->flags |= NAT64_LOG;
+			break;
+		case TOK_LOGOFF:
+			cfg->flags &= ~NAT64_LOG;
+			break;
+		}
+	}
+
+	/* Check validness */
+	if ((flags & NAT64LSN_HAS_PREFIX4) != NAT64LSN_HAS_PREFIX4)
+		errx(EX_USAGE, "prefix4 required");
+
+	olh->count = 1;
+	olh->objsize = sizeof(*cfg);
+	olh->size = sizeof(buf);
+	strlcpy(cfg->name, name, sizeof(cfg->name));
+	if (do_set3(IP_FW_NAT64LSN_CREATE, &olh->opheader, sizeof(buf)) != 0)
+		err(EX_OSERR, "nat64lsn instance creation failed");
+}
+
+/*
+ * Configures existing nat64lsn instance
+ * ipfw nat64lsn <NAME> config <options>
+ * Request: [ ipfw_obj_header ipfw_nat64lsn_cfg ]
+ */
+static void
+nat64lsn_config(const char *name, uint8_t set, int ac, char **av)
+{
+	char buf[sizeof(ipfw_obj_header) + sizeof(ipfw_nat64lsn_cfg)];
+	ipfw_nat64lsn_cfg *cfg;
+	ipfw_obj_header *oh;
+	size_t sz;
+	char *opt;
+	int tcmd;
+
+	if (ac == 0)
+		errx(EX_USAGE, "config options required");
+	memset(&buf, 0, sizeof(buf));
+	oh = (ipfw_obj_header *)buf;
+	cfg = (ipfw_nat64lsn_cfg *)(oh + 1);
+	sz = sizeof(buf);
+
+	nat64lsn_fill_ntlv(&oh->ntlv, name, set);
+	if (do_get3(IP_FW_NAT64LSN_CONFIG, &oh->opheader, &sz) != 0)
+		err(EX_OSERR, "failed to get config for instance %s", name);
+
+	while (ac > 0) {
+		tcmd = get_token(nat64newcmds, *av, "option");
+		opt = *av;
+		ac--; av++;
+
+		switch (tcmd) {
+		case TOK_MAX_PORTS:
+			NEED1("Max per-user ports required");
+			cfg->max_ports = nat64lsn_parse_int(*av, opt);
+			ac--; av++;
+			break;
+		case TOK_JMAXLEN:
+			NEED1("job queue length required");
+			cfg->jmaxlen = nat64lsn_parse_int(*av, opt);
+			ac--; av++;
+			break;
+		case TOK_HOST_DEL_AGE:
+			NEED1("host delete delay required");
+			cfg->nh_delete_delay = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_PG_DEL_AGE:
+			NEED1("portgroup delete delay required");
+			cfg->pg_delete_delay = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_TCP_SYN_AGE:
+			NEED1("tcp syn age required");
+			cfg->st_syn_ttl = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_TCP_CLOSE_AGE:
+			NEED1("tcp close age required");
+			cfg->st_close_ttl = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_TCP_EST_AGE:
+			NEED1("tcp est age required");
+			cfg->st_estab_ttl = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_UDP_AGE:
+			NEED1("udp age required");
+			cfg->st_udp_ttl = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;
+			break;
+		case TOK_ICMP_AGE:
+			NEED1("icmp age required");
+			cfg->st_icmp_ttl = (uint16_t)nat64lsn_parse_int(
+			    *av, opt);
+			ac--; av++;

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


