From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 288380] ipfw libalias: Implementation of a simple NAT configuration for MAP-E (RFC 7597)
Date: Tue, 22 Jul 2025 09:38:18 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288380

Bug ID: 288380
Summary: ipfw libalias: Implementation of a simple NAT configuration for MAP-E (RFC 7597)
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: tatsuki_makino@hotmail.com

When setting up the Mapping of Address and Port with Encapsulation, it would be better to have an additional implementation.

It seems that libalias requires an interface for bit masking (by &=) and an interface for manipulating specific bits (by |= or ^=) near the _RandomPort function. It seems that ipfw needs something to calculate the values for it, or something to use it directly.

As background: in pf, it can be done with just map-e-portset 4/8/1, but in ipfw, it becomes as follows.
# configuration of a common network interface
ifconfig gif0 create
ifconfig gif0 inet6 -auto_linklocal
# the address of the inet6 tunnel can be observed with ipfw rules like the following 22030,
# as packets have already been sent by port scan bot :)
ifconfig gif0 inet6 tunnel 2001:db8:1:100:c0:2:100:100 2001:db8:ffff::1
# the inet address can be somewhat inferred from the address used for the tunnel :)
# the address set to 127... seems to be a number that is not in use, so there shouldn't be any problems.
ifconfig gif0 inet 192.0.2.1 127.0.2.1 netmask 255.255.255.255 alias
# it is considered most preferable to set this address on the alwaysconf script of rtsold.
ifconfig ${wan_if} inet6 2001:db8:1:100:c0:2:100:100 prefixlen 128 alias
# set this interface as the default gateway.
route -n add -inet default -iface gif0
# or
route -n add -inet default 127.0.2.1

# from here is ipfw rules file instead of command
disable one_pass
nat 11 config if gif0 log port_range 4112-4127
nat 12 config if gif0 log port_range 8208-8223
nat 13 config if gif0 log port_range 12304-12319
nat 14 config if gif0 log port_range 16400-16415
nat 15 config if gif0 log port_range 20496-20511
nat 16 config if gif0 log port_range 24592-24607
nat 17 config if gif0 log port_range 28688-28703
nat 18 config if gif0 log port_range 32784-32799
nat 19 config if gif0 log port_range 36880-36895
nat 20 config if gif0 log port_range 40976-40991
nat 21 config if gif0 log port_range 45072-45087
nat 22 config if gif0 log port_range 49168-49183
nat 23 config if gif0 log port_range 53264-53279
nat 24 config if gif0 log port_range 57360-57375
nat 25 config if gif0 log port_range 61456-61471
add 22030 count log logamount 0 4 from any to any ipversion 6 // proto 4 == ipencap
add 22010 allow log logamount 100 ipencap from me to 2001:db8:ffff::1 out ipversion 6 via ${wan_if} //
add 22020 allow log logamount 100 ipencap from 2001:db8:ffff::1 to me in ipversion 6 via ${wan_if} //
add 30010 skipto 59011 tcp from any to any established // allow for example
add 59011 check-state :map-e
add 59012 prob 0.066667 skipto 59019 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./15
add 59012 prob 0.071429 skipto 59025 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./14
add 59012 prob 0.076923 skipto 59031 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./13
add 59012 prob 0.083333 skipto 59037 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./12
add 59012 prob 0.090909 skipto 59043 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./11
add 59012 prob 0.100000 skipto 59049 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./10
add 59012 prob 0.111111 skipto 59055 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./9
add 59012 prob 0.125000 skipto 59061 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./8
add 59012 prob 0.142857 skipto 59067 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./7
add 59012 prob 0.166667 skipto 59073 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./6
add 59012 prob 0.200000 skipto 59079 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./5
add 59012 prob 0.250000 skipto 59085 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./4
add 59012 prob 0.333333 skipto 59091 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./3
add 59012 prob 0.500000 skipto 59097 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./2
add 59012 prob 1.000000 skipto 59103 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./1
add 59019 nat 11 log logamount 50 ip4 from any to any out xmit gif0 //
add 59020 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59025 nat 12 log logamount 50 ip4 from any to any out xmit gif0 //
add 59026 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59031 nat 13 log logamount 50 ip4 from any to any out xmit gif0 //
add 59032 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59037 nat 14 log logamount 50 ip4 from any to any out xmit gif0 //
add 59038 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59043 nat 15 log logamount 50 ip4 from any to any out xmit gif0 //
add 59044 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59049 nat 16 log logamount 50 ip4 from any to any out xmit gif0 //
add 59050 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59055 nat 17 log logamount 50 ip4 from any to any out xmit gif0 //
add 59056 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59061 nat 18 log logamount 50 ip4 from any to any out xmit gif0 //
add 59062 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59067 nat 19 log logamount 50 ip4 from any to any out xmit gif0 //
add 59068 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59073 nat 20 log logamount 50 ip4 from any to any out xmit gif0 //
add 59074 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59079 nat 21 log logamount 50 ip4 from any to any out xmit gif0 //
add 59080 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59085 nat 22 log logamount 50 ip4 from any to any out xmit gif0 //
add 59086 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59091 nat 23 log logamount 50 ip4 from any to any out xmit gif0 //
add 59092 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59097 nat 24 log logamount 50 ip4 from any to any out xmit gif0 //
add 59098 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59103 nat 25 log logamount 50 ip4 from any to any out xmit gif0 //
add 59104 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59211 nat 11 log logamount 50 ip4 from any to any in recv gif0 //
add 59212 nat 12 log logamount 50 ip4 from any to any in recv gif0 //
add 59213 nat 13 log logamount 50 ip4 from any to any in recv gif0 //
add 59214 nat 14 log logamount 50 ip4 from any to any in recv gif0 //
add 59215 nat 15 log logamount 50 ip4 from any to any in recv gif0 //
add 59216 nat 16 log logamount 50 ip4 from any to any in recv gif0 //
add 59217 nat 17 log logamount 50 ip4 from any to any in recv gif0 //
add 59218 nat 18 log logamount 50 ip4 from any to any in recv gif0 //
add 59219 nat 19 log logamount 50 ip4 from any to any in recv gif0 //
add 59220 nat 20 log logamount 50 ip4 from any to any in recv gif0 //
add 59221 nat 21 log logamount 50 ip4 from any to any in recv gif0 //
add 59222 nat 22 log logamount 50 ip4 from any to any in recv gif0 //
add 59223 nat 23 log logamount 50 ip4 from any to any in recv gif0 //
add 59224 nat 24 log logamount 50 ip4 from any to any in recv gif0 //
add 59225 nat 25 log logamount 50 ip4 from any to any in recv gif0 //
add 59890 allow ip from any to any //
# end

In my case, even with just 1 NAT, it can use 16 ports, so it's enough for downloading ports distfiles. However, in order to utilize all ports, it is necessary to remember the NAT used first through keep-state. Also, the returned packets must find out which NAT can restore them to their original state. The lookup for that seems to be really slow. Therefore, I want to use all assigned ports with just 1 NAT.
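Added example (not from the report, ipfw or libalias): the RFC 7597 port-set arithmetic behind the fifteen port_range values above, plus the mask-and-OR step the report asks to have near _RandomPort, so that one NAT instance could draw from all 240 assigned ports instead of needing fifteen instances selected by prob rules. Parameters follow pf's map-e-portset a/k/psid notation with 4/8/1 as in the report; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 7597 port-set parameters in pf's map-e-portset a/k/psid form: a = PSID
 * offset (block i == 0, ports 0..2^(16-a)-1, is excluded), k = PSID length,
 * psid = this CE's PSID; the m = 16 - a - k low bits are left for the NAT. */
struct mape_portset { unsigned a, k; uint16_t psid; };
/* Constructed instance matching "map-e-portset 4/8/1" from the report. */
static const struct mape_portset psid_4_8_1 = { 4, 8, 1 };
static unsigned mape_m(const struct mape_portset *ps) { return 16 - ps->a - ps->k; }
/* Ports per contiguous block: 2^m (16 for 4/8/1). */
static unsigned mape_block_size(const struct mape_portset *ps) { return 1u << mape_m(ps); }
/* First port of block i (i = 1 .. 2^a - 1): the 16-bit word i | psid | 0...0. */
static uint16_t mape_block_start(const struct mape_portset *ps, unsigned i)
{
    return (uint16_t)((i << (16 - ps->a)) | ((unsigned)ps->psid << mape_m(ps)));
}

/* Membership test: PSID bits must match and the block index must not be 0. */
static int mape_port_in_set(const struct mape_portset *ps, uint16_t port)
{
    unsigned i = port >> (16 - ps->a);
    unsigned psid = (port >> mape_m(ps)) & ((1u << ps->k) - 1);
    return i != 0 && psid == ps->psid;
}

/* The step the report wants next to libalias' _RandomPort: take any 16-bit
 * candidate, clear the k PSID bits (&= ~mask), set our PSID (|=), and if the
 * result landed in the excluded block 0, lift it into block 1. */
static uint16_t mape_fit_port(const struct mape_portset *ps, uint16_t candidate)
{
    unsigned m = mape_m(ps);
    uint16_t psid_mask = (uint16_t)(((1u << ps->k) - 1) << m);
    uint16_t port = (uint16_t)((candidate & ~psid_mask) | ((unsigned)ps->psid << m));
    if ((port >> (16 - ps->a)) == 0)
        port |= (uint16_t)(1u << (16 - ps->a));
    return port;
}

int main(void)
{
    const struct mape_portset *ps = &psid_4_8_1;
    /* Regenerate the 15 "nat NN config ... port_range" lines from the report. */
    for (unsigned i = 1; i < (1u << ps->a); i++) {
        unsigned lo = mape_block_start(ps, i);
        printf("nat %u config if gif0 log port_range %u-%u\n", 10 + i, lo, lo + mape_block_size(ps) - 1);
    }
    uint16_t p = mape_fit_port(ps, 12345); /* 12345 is a constructed candidate */
    printf("12345 -> %u, in set: %d\n", p, mape_port_in_set(ps, p));
    return 0;
}
```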