From owner-freebsd-hackers@FreeBSD.ORG Fri Mar 11 22:20:00 2005 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4707416A4CE for ; Fri, 11 Mar 2005 22:20:00 +0000 (GMT) Received: from mx2.netflix.com (mail2.netflix.com [216.35.131.152]) by mx1.FreeBSD.org (Postfix) with ESMTP id 092F743D31 for ; Fri, 11 Mar 2005 22:20:00 +0000 (GMT) (envelope-from nsayer@kfu.com) Received: from [172.22.8.180] ([172.22.8.180]) by mx2.netflix.com (8.12.8/8.12.8) with ESMTP id j2BMJxKD004550 for ; Fri, 11 Mar 2005 14:19:59 -0800 Message-ID: <4232198F.5030705@kfu.com> Date: Fri, 11 Mar 2005 14:19:59 -0800 From: Nick Sayer User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.3) Gecko/20041111 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-hackers@freebsd.org Content-Type: multipart/mixed; boundary="------------000809040101070005010705" Subject: 6to4, stf and shoebox NAT routers X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Mar 2005 22:20:00 -0000 This is a multi-part message in MIME format. --------------000809040101070005010705 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit (I sent a version of this e-mail earlier today without the patch, but my return address was not the same as the subscribed one, so I think it got ate. Appologies if this is a dupe) Historically, I've used FreeBSD machines as NAT routers. Call me a traitor if you must, but it's getting harder to justify not simply putting one of those little Linksys/Netgear/SMC/whatever NAT routers in place and having the FreeBSD machine be a server behind the box instead. One of the last considerations remaining is IPv6. Most boxes now have the concept of a "DMZ" host. They will, aparently, perform simple address substitution on the IP header for packets that arrive of an unknown protocol and send them to the DMZ host (living on the inside LAN - thus calling it a DMZ host is a bit of a misnomer, but that's a semantic debate for another occasion). This would be ideal for 6to4 - incoming packets would simply arrive and be processed. The trouble appears to be the outgoing side. The machine's actual IPv4 address is not the same as the *outside* IPv4 address, so one of two things is happening (I'm not sure which): Either the blanket prohibition on RFC-1918 addresses having anything to do with 6to4 is getting in the way, or stf0 having a "foreign" prefix (that is, a prefix that does not relate to a physical interface on the machine) is confusing it. I've come up with the attached patch. It simply allows you to optionally neuter the RFC-1918 checks. The problem is that there are some instances where those checks would still be good to have - specifically, in the code that checks IPv6 prefixes of incoming packets. There's no reason to allow RFC-1918 addresses to appear there. But being able to be selective would mean having to do a bit more rearchitecture than I feel like, at least today. :-) --------------000809040101070005010705 Content-Type: text/plain; name="stf_rfc1918_patch.txt" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="stf_rfc1918_patch.txt" --- net/if_stf.c.orig Thu Jul 15 01:26:06 2004 +++ net/if_stf.c Fri Mar 11 11:54:23 2005 @@ -89,6 +89,7 @@ #include #include #include +#include #include #include @@ -183,6 +184,13 @@ struct if_clone stf_cloner = IFC_CLONE_INITIALIZER(STFNAME, NULL, 0, NULL, stf_clone_match, stf_clone_create, stf_clone_destroy); +SYSCTL_DECL(_net_link); +SYSCTL_NODE(_net_link, IFT_STF, stf, CTLFLAG_RW, 0, "6to4 Interface"); + +static int no_rfc1918check = 0; +SYSCTL_INT(_net_link_stf, OID_AUTO, permit_rfc1918, CTLFLAG_RW, + &no_rfc1918check, 0, "permit RFC-1918 addresses"); + static int stf_clone_match(struct if_clone *ifc, const char *name) { @@ -567,6 +575,9 @@ isrfc1918addr(in) struct in_addr *in; { + if (no_rfc1918check) + return 0; + /* * returns 1 if private address range: * 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 --------------000809040101070005010705--