[Bug 219803] [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone NAT)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Jun 5 17:48:30 UTC 2017 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803

            Bug ID: 219803
           Summary: [patch] PF: implement RFC 4787 REQ 1 and 3 (full cone
                    NAT)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: damjan.jov at gmail.com
          Keywords: patch

Created attachment 183243
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=183243&action=edit
pf RFC 4787 req 1 and 3 implementation

This patch implements RFC 4787 requirements 1 and 3, changing PF's allocation
of NAT mappings for UDP from the current "symmetric" NAT to a
"endpoint-independent mapping" NAT, a.k.a "full cone" NAT. All UDP packets from
the internal IP:port X:x go through the same external Y:y no matter the Z:z,
and nothing but X:x uses Y:y.

Internal             External
X:x  -----> NAT Y:y ----> Z:z

The implementation is relatively straightforward. pf_state for UDP connections
now reference a pf_udp_mapping, which is reference counted, and kept alive as
long as at least 1 pf_state is referencing it. Every new NAT mapping that gets
created tries to find a pf_udp_mapping by its source X:x endpoint and reuses
its external Y:y, failing which, it creates a new one through an unused Y:y.
Only allocation of NAT mappings is changed. Each X:x <-> Z:z still has its own
distinct connection state (struct pf_state) and behaves the same as before.

Currently, only if a Z:z was previously transmitted to by X:x, can it transmit
back to X:x through Y:y, i.e it behaves as a "port-restricted cone" NAT (or
endpoint-independent mapping NAT with address- and port-dependent filtering, as
per RFC 4787), but I am working on that too.

This should fix STUN and vastly improve UDP applications using PF's NATing such
as gaming, VoIP, WebRTC, peer to peer applications, etc.

Are the NAT implementations in our other firewalls also "symmetric" NATs?

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list