[Bug 219803] [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Date: Fri, 06 Sep 2024 12:49:32 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803
--- Comment #17 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:
URL:
https://cgit.FreeBSD.org/src/commit/?id=390dc369efaaeca2802baf168ddbd7a40e3afcc8
commit 390dc369efaaeca2802baf168ddbd7a40e3afcc8
Author: Tom Jones <thj@FreeBSD.org>
AuthorDate: 2024-09-06 11:59:09 +0000
Commit: Tom Jones <thj@FreeBSD.org>
CommitDate: 2024-09-06 12:48:04 +0000
pf: Add support for endpoint independent NAT bindings for UDP
With Endpoint Independent NAT, bindings for UDP flows from a NATed source
address are always mapped to the same ip:port pair on the NAT router.
This allows a client to connect to multiple external servers while
appearing as the same host and enables NAT traversal without requiring
the client to use a middlebox traversal protocol such as STUN or TURN.
Introduce the 'endpoint-independent' option to NAT rules to allow
configuration of endpoint independent without affecting existing
deployments.
This change satisfies REQ 1 and 3 of RFC 4787 also known as 'full cone'
NAT.
Using Endpoint Independent NAT changes NAT exhaustion behaviour; it does
not introduce any additional security considerations compared to other
forms of NAT.
PR: 219803
Co-authored-by: Damjan Jovanovic <damjan.jov@gmail.com>
Co-authored-by: Naman Sood <mail@nsood.in>
Reviewed-by: kp
Sponsored-by: Tailscale
Sponsored-by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D11137
sbin/pfctl/parse.y | 12 +-
sbin/pfctl/pfctl_parser.c | 2 +
sbin/pfctl/tests/files/pf1021.in (new) | 1 +
sbin/pfctl/tests/files/pf1021.ok (new) | 1 +
share/man/man4/pf.4 | 6 +-
share/man/man5/pf.conf.5 | 12 +-
sys/net/pfvar.h | 49 ++++++++-
sys/netpfil/pf/pf.c | 195 ++++++++++++++++++++++++++++++++-
sys/netpfil/pf/pf.h | 1 +
sys/netpfil/pf/pf_lb.c | 104 ++++++++++++++----
tests/sys/netpfil/pf/nat.sh | 134 ++++++++++++++++++++++
11 files changed, 489 insertions(+), 28 deletions(-)
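For reference, a pf.conf fragment showing where the option introduced by this commit sits in a NAT rule. This is an added example, not part of the commit or of the bug report: the interface name and address range are placeholders, and the placement of `endpoint-independent` among the translation (pool) options is an assumption based on the commit's description of the sbin/pfctl/parse.y change, so verify the rule with `pfctl -nf` against the installed pf.conf(5) before loading it.

```pf
# Constructed example configuration (not from the commit or the bug report).
# Interface and network are placeholders; adjust to the local deployment.
ext_if = "em0"
lan    = "192.0.2.0/24"

# Conventional NAT: the translated source port chosen for an internal
# host may differ for each destination it talks to, so two external peers
# see the same client under different ip:port pairs.
nat on $ext_if inet proto tcp from $lan to any -> ($ext_if)

# Endpoint-independent mapping for UDP (RFC 4787 REQ 1 and REQ 3, the
# behaviour commonly called "full cone"): every UDP flow from a given
# internal ip:port is translated to the same external ip:port regardless
# of destination, so a peer that learned that external ip:port can reach
# the client without a relay. The option is assumed to follow the
# translation address like other pool options (e.g. static-port).
nat on $ext_if inet proto udp from $lan to any -> ($ext_if) endpoint-independent
```

Parse-check the file with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`. Keep the option on the UDP rule only, since the commit limits the behaviour to UDP bindings. The exhaustion change the commit message mentions follows from the mapping itself: in the conventional rule an external port can be reused for flows to different destinations, whereas an endpoint-independent binding reserves its external port for one internal ip:port for the lifetime of the binding, so the port pool is consumed per internal endpoint rather than per destination.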