Date: Fri, 11 Mar 2005 14:19:59 -0800 From: Nick Sayer <nsayer@kfu.com> To: freebsd-hackers@freebsd.org Subject: 6to4, stf and shoebox NAT routers Message-ID: <4232198F.5030705@kfu.com>
next in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format.
--------------000809040101070005010705
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
(I sent a version of this e-mail earlier today without the patch, but my
return address was not the same as the subscribed one, so I think it got
ate. Appologies if this is a dupe)
Historically, I've used FreeBSD machines as NAT routers.
Call me a traitor if you must, but it's getting harder to justify not
simply putting one of those little Linksys/Netgear/SMC/whatever NAT
routers in place and having the FreeBSD machine be a server behind the
box instead.
One of the last considerations remaining is IPv6.
Most boxes now have the concept of a "DMZ" host. They will, aparently,
perform simple address substitution on the IP header for packets that
arrive of an unknown protocol and send them to the DMZ host (living on
the inside LAN - thus calling it a DMZ host is a bit of a misnomer, but
that's a semantic debate for another occasion). This would be ideal for
6to4 - incoming packets would simply arrive and be processed. The
trouble appears to be the outgoing side. The machine's actual IPv4
address is not the same as the *outside* IPv4 address, so one of two
things is happening (I'm not sure which): Either the blanket prohibition
on RFC-1918 addresses having anything to do with 6to4 is getting in the
way, or stf0 having a "foreign" prefix (that is, a prefix that does not
relate to a physical interface on the machine) is confusing it.
I've come up with the attached patch. It simply allows you to optionally
neuter the RFC-1918 checks. The problem is that there are some instances
where those checks would still be good to have - specifically, in the
code that checks IPv6 prefixes of incoming packets. There's no reason to
allow RFC-1918 addresses to appear there. But being able to be selective
would mean having to do a bit more rearchitecture than I feel like, at
least today. :-)
--------------000809040101070005010705
Content-Type: text/plain;
name="stf_rfc1918_patch.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="stf_rfc1918_patch.txt"
--- net/if_stf.c.orig Thu Jul 15 01:26:06 2004
+++ net/if_stf.c Fri Mar 11 11:54:23 2005
@@ -89,6 +89,7 @@
#include <sys/module.h>
#include <sys/protosw.h>
#include <sys/queue.h>
+#include <sys/sysctl.h>
#include <machine/cpu.h>
#include <sys/malloc.h>
@@ -183,6 +184,13 @@
struct if_clone stf_cloner = IFC_CLONE_INITIALIZER(STFNAME, NULL, 0,
NULL, stf_clone_match, stf_clone_create, stf_clone_destroy);
+SYSCTL_DECL(_net_link);
+SYSCTL_NODE(_net_link, IFT_STF, stf, CTLFLAG_RW, 0, "6to4 Interface");
+
+static int no_rfc1918check = 0;
+SYSCTL_INT(_net_link_stf, OID_AUTO, permit_rfc1918, CTLFLAG_RW,
+ &no_rfc1918check, 0, "permit RFC-1918 addresses");
+
static int
stf_clone_match(struct if_clone *ifc, const char *name)
{
@@ -567,6 +575,9 @@
isrfc1918addr(in)
struct in_addr *in;
{
+ if (no_rfc1918check)
+ return 0;
+
/*
* returns 1 if private address range:
* 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
--------------000809040101070005010705--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4232198F.5030705>