Date: Tue, 22 Jul 2025 09:38:18 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 288380] ipfw libalias: Implementation of a simple NAT configuration for MAP-E (RFC 7597) Message-ID: <bug-288380-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288380

            Bug ID: 288380
           Summary: ipfw libalias: Implementation of a simple NAT configuration for MAP-E (RFC 7597)
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: tatsuki_makino@hotmail.com

When setting up Mapping of Address and Port with Encapsulation, it would be
better to have an additional implementation.

It seems that libalias requires an interface for bit masking (by &=) and an
interface for manipulating specific bits (by |= or ^=) near the _RandomPort
function. It seems that ipfw needs something to calculate the values for it,
or something to use it directly.

As background: in pf, it can be done with just map-e-portset 4/8/1, but in
ipfw it becomes as follows.

# configuration of a common network interface
ifconfig gif0 create
ifconfig gif0 inet6 -auto_linklocal
# the address of the inet6 tunnel can be observed with ipfw rules like the following 22030,
# as packets have already been sent by a port scan bot :)
ifconfig gif0 inet6 tunnel 2001:db8:1:100:c0:2:100:100 2001:db8:ffff::1
# the inet address can be somewhat inferred from the address used for the tunnel :)
# the address set to 127... seems to be a number that is not in use, so there shouldn't be any problems.
ifconfig gif0 inet 192.0.2.1 127.0.2.1 netmask 255.255.255.255 alias
# it is considered most preferable to set this address in the alwaysconf script of rtsold.
ifconfig ${wan_if} inet6 2001:db8:1:100:c0:2:100:100 prefixlen 128 alias
# set this interface as the default gateway.
route -n add -inet default -iface gif0
# or
route -n add -inet default 127.0.2.1

# from here on is the ipfw rules file instead of commands
disable one_pass
nat 11 config if gif0 log port_range 4112-4127
nat 12 config if gif0 log port_range 8208-8223
nat 13 config if gif0 log port_range 12304-12319
nat 14 config if gif0 log port_range 16400-16415
nat 15 config if gif0 log port_range 20496-20511
nat 16 config if gif0 log port_range 24592-24607
nat 17 config if gif0 log port_range 28688-28703
nat 18 config if gif0 log port_range 32784-32799
nat 19 config if gif0 log port_range 36880-36895
nat 20 config if gif0 log port_range 40976-40991
nat 21 config if gif0 log port_range 45072-45087
nat 22 config if gif0 log port_range 49168-49183
nat 23 config if gif0 log port_range 53264-53279
nat 24 config if gif0 log port_range 57360-57375
nat 25 config if gif0 log port_range 61456-61471
add 22030 count log logamount 0 4 from any to any ipversion 6 // proto 4 == ipencap
add 22010 allow log logamount 100 ipencap from me to 2001:db8:ffff::1 out ipversion 6 via ${wan_if} //
add 22020 allow log logamount 100 ipencap from 2001:db8:ffff::1 to me in ipversion 6 via ${wan_if} //
add 30010 skipto 59011 tcp from any to any established // allow for example
add 59011 check-state :map-e
add 59012 prob 0.066667 skipto 59019 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./15
add 59012 prob 0.071429 skipto 59025 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./14
add 59012 prob 0.076923 skipto 59031 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./13
add 59012 prob 0.083333 skipto 59037 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./12
add 59012 prob 0.090909 skipto 59043 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./11
add 59012 prob 0.100000 skipto 59049 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./10
add 59012 prob 0.111111 skipto 59055 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./9
add 59012 prob 0.125000 skipto 59061 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./8
add 59012 prob 0.142857 skipto 59067 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./7
add 59012 prob 0.166667 skipto 59073 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./6
add 59012 prob 0.200000 skipto 59079 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./5
add 59012 prob 0.250000 skipto 59085 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./4
add 59012 prob 0.333333 skipto 59091 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./3
add 59012 prob 0.500000 skipto 59097 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./2
add 59012 prob 1.000000 skipto 59103 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./1
add 59019 nat 11 log logamount 50 ip4 from any to any out xmit gif0 //
add 59020 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59025 nat 12 log logamount 50 ip4 from any to any out xmit gif0 //
add 59026 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59031 nat 13 log logamount 50 ip4 from any to any out xmit gif0 //
add 59032 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59037 nat 14 log logamount 50 ip4 from any to any out xmit gif0 //
add 59038 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59043 nat 15 log logamount 50 ip4 from any to any out xmit gif0 //
add 59044 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59049 nat 16 log logamount 50 ip4 from any to any out xmit gif0 //
add 59050 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59055 nat 17 log logamount 50 ip4 from any to any out xmit gif0 //
add 59056 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59061 nat 18 log logamount 50 ip4 from any to any out xmit gif0 //
add 59062 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59067 nat 19 log logamount 50 ip4 from any to any out xmit gif0 //
add 59068 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59073 nat 20 log logamount 50 ip4 from any to any out xmit gif0 //
add 59074 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59079 nat 21 log logamount 50 ip4 from any to any out xmit gif0 //
add 59080 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59085 nat 22 log logamount 50 ip4 from any to any out xmit gif0 //
add 59086 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59091 nat 23 log logamount 50 ip4 from any to any out xmit gif0 //
add 59092 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59097 nat 24 log logamount 50 ip4 from any to any out xmit gif0 //
add 59098 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59103 nat 25 log logamount 50 ip4 from any to any out xmit gif0 //
add 59104 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59211 nat 11 log logamount 50 ip4 from any to any in recv gif0 //
add 59212 nat 12 log logamount 50 ip4 from any to any in recv gif0 //
add 59213 nat 13 log logamount 50 ip4 from any to any in recv gif0 //
add 59214 nat 14 log logamount 50 ip4 from any to any in recv gif0 //
add 59215 nat 15 log logamount 50 ip4 from any to any in recv gif0 //
add 59216 nat 16 log logamount 50 ip4 from any to any in recv gif0 //
add 59217 nat 17 log logamount 50 ip4 from any to any in recv gif0 //
add 59218 nat 18 log logamount 50 ip4 from any to any in recv gif0 //
add 59219 nat 19 log logamount 50 ip4 from any to any in recv gif0 //
add 59220 nat 20 log logamount 50 ip4 from any to any in recv gif0 //
add 59221 nat 21 log logamount 50 ip4 from any to any in recv gif0 //
add 59222 nat 22 log logamount 50 ip4 from any to any in recv gif0 //
add 59223 nat 23 log logamount 50 ip4 from any to any in recv gif0 //
add 59224 nat 24 log logamount 50 ip4 from any to any in recv gif0 //
add 59225 nat 25 log logamount 50 ip4 from any to any in recv gif0 //
add 59890 allow ip from any to any //
# end

In my case, even with just 1 NAT it can use 16 ports, so it's enough for
downloading a ports distfile. However, in order to utilize all ports, it is
necessary to remember the NAT used first through keep-state. Also, the
returned packets must find out which NAT can restore them to their original
state. The lookup for that seems to be really slow. Therefore, I want to use
all assigned ports with just 1 NAT.

-- 
You are receiving this mail because:
You are the assignee for the bug.
