svn commit: r304062 - in projects/netbsd-tests-update-12: cddl/contrib/opensolaris/tools/ctf/cvt sbin/ipfw share/timedef sys/conf sys/kern sys/modules sys/modules/ipfw sys/modules/ipfw_nat64 sys/ne...
Garrett Cooper
ngie at FreeBSD.org
Sat Aug 13 22:51:39 UTC 2016
Author: ngie
Date: Sat Aug 13 22:51:36 2016
New Revision: 304062
URL: https://svnweb.freebsd.org/changeset/base/304062
Log:
MFhead @ r304061
Added:
projects/netbsd-tests-update-12/sbin/ipfw/nat64lsn.c
- copied unchanged from r304061, head/sbin/ipfw/nat64lsn.c
projects/netbsd-tests-update-12/sbin/ipfw/nat64stl.c
- copied unchanged from r304061, head/sbin/ipfw/nat64stl.c
projects/netbsd-tests-update-12/sys/modules/ipfw_nat64/
- copied from r304061, head/sys/modules/ipfw_nat64/
projects/netbsd-tests-update-12/sys/netinet6/ip_fw_nat64.h
- copied unchanged from r304061, head/sys/netinet6/ip_fw_nat64.h
projects/netbsd-tests-update-12/sys/netpfil/ipfw/ip_fw_bpf.c
- copied unchanged from r304061, head/sys/netpfil/ipfw/ip_fw_bpf.c
projects/netbsd-tests-update-12/sys/netpfil/ipfw/nat64/
- copied from r304061, head/sys/netpfil/ipfw/nat64/
Modified:
projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/dwarf.c
projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/merge.c
projects/netbsd-tests-update-12/sbin/ipfw/Makefile
projects/netbsd-tests-update-12/sbin/ipfw/ipfw.8
projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.c
projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.h
projects/netbsd-tests-update-12/sbin/ipfw/main.c
projects/netbsd-tests-update-12/sbin/ipfw/nptv6.c
projects/netbsd-tests-update-12/sbin/ipfw/tables.c
projects/netbsd-tests-update-12/share/timedef/af_ZA.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/am_ET.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/ar_JO.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/ar_MA.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/ar_SA.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/be_BY.CP1131.src
projects/netbsd-tests-update-12/share/timedef/be_BY.CP1251.src
projects/netbsd-tests-update-12/share/timedef/be_BY.ISO8859-5.src
projects/netbsd-tests-update-12/share/timedef/be_BY.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/bg_BG.CP1251.src
projects/netbsd-tests-update-12/share/timedef/bg_BG.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/ca_IT.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/ca_IT.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/cs_CZ.ISO8859-2.src
projects/netbsd-tests-update-12/share/timedef/cs_CZ.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/da_DK.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/da_DK.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/de_AT.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/de_AT.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/de_DE.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/de_DE.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/el_GR.ISO8859-7.src
projects/netbsd-tests-update-12/share/timedef/el_GR.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/en_CA.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/en_GB.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/en_IE.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/en_PH.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/en_SG.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/en_US.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/en_ZA.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/es_AR.ISO8859-1.src
projects/netbsd-tests-update-12/share/timedef/es_CR.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/es_ES.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/es_ES.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/es_MX.ISO8859-1.src
projects/netbsd-tests-update-12/share/timedef/es_MX.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/et_EE.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/eu_ES.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/fi_FI.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/fi_FI.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/fr_BE.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/fr_BE.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/fr_CA.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/fr_CA.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/fr_CH.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/fr_CH.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/fr_FR.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/fr_FR.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/he_IL.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/hi_IN.ISCII-DEV.src
projects/netbsd-tests-update-12/share/timedef/hi_IN.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/hr_HR.ISO8859-2.src
projects/netbsd-tests-update-12/share/timedef/hr_HR.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/hu_HU.ISO8859-2.src
projects/netbsd-tests-update-12/share/timedef/hu_HU.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/hy_AM.ARMSCII-8.src
projects/netbsd-tests-update-12/share/timedef/hy_AM.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/is_IS.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/is_IS.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/it_CH.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/it_CH.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/it_IT.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/it_IT.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/ja_JP.SJIS.src
projects/netbsd-tests-update-12/share/timedef/ja_JP.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/ja_JP.eucJP.src
projects/netbsd-tests-update-12/share/timedef/kk_KZ.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/ko_KR.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/ko_KR.eucKR.src
projects/netbsd-tests-update-12/share/timedef/lt_LT.ISO8859-13.src
projects/netbsd-tests-update-12/share/timedef/lt_LT.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/lv_LV.ISO8859-13.src
projects/netbsd-tests-update-12/share/timedef/lv_LV.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/mn_MN.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/nb_NO.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/nb_NO.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/nl_BE.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/nl_NL.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/nn_NO.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/nn_NO.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/pl_PL.ISO8859-2.src
projects/netbsd-tests-update-12/share/timedef/pl_PL.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/pt_BR.ISO8859-1.src
projects/netbsd-tests-update-12/share/timedef/pt_BR.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/pt_PT.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/pt_PT.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/ro_RO.ISO8859-2.src
projects/netbsd-tests-update-12/share/timedef/ro_RO.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/ru_RU.CP1251.src
projects/netbsd-tests-update-12/share/timedef/ru_RU.CP866.src
projects/netbsd-tests-update-12/share/timedef/ru_RU.ISO8859-5.src
projects/netbsd-tests-update-12/share/timedef/ru_RU.KOI8-R.src
projects/netbsd-tests-update-12/share/timedef/ru_RU.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/se_FI.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/se_NO.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/sk_SK.ISO8859-2.src
projects/netbsd-tests-update-12/share/timedef/sk_SK.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/sl_SI.ISO8859-2.src
projects/netbsd-tests-update-12/share/timedef/sl_SI.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/sr_RS.ISO8859-2.src
projects/netbsd-tests-update-12/share/timedef/sr_RS.ISO8859-5.src
projects/netbsd-tests-update-12/share/timedef/sr_RS.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/sr_RS.UTF-8 at latin.src
projects/netbsd-tests-update-12/share/timedef/sv_FI.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/sv_SE.ISO8859-15.src
projects/netbsd-tests-update-12/share/timedef/sv_SE.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/tr_TR.ISO8859-9.src
projects/netbsd-tests-update-12/share/timedef/tr_TR.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/uk_UA.CP1251.src
projects/netbsd-tests-update-12/share/timedef/uk_UA.ISO8859-5.src
projects/netbsd-tests-update-12/share/timedef/uk_UA.KOI8-U.src
projects/netbsd-tests-update-12/share/timedef/uk_UA.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/zh_CN.GB2312.src
projects/netbsd-tests-update-12/share/timedef/zh_CN.GBK.src
projects/netbsd-tests-update-12/share/timedef/zh_CN.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/zh_CN.eucCN.src
projects/netbsd-tests-update-12/share/timedef/zh_HK.UTF-8.src
projects/netbsd-tests-update-12/share/timedef/zh_TW.Big5.src
projects/netbsd-tests-update-12/share/timedef/zh_TW.UTF-8.src
projects/netbsd-tests-update-12/sys/conf/NOTES
projects/netbsd-tests-update-12/sys/conf/files
projects/netbsd-tests-update-12/sys/conf/options
projects/netbsd-tests-update-12/sys/kern/kern_exec.c
projects/netbsd-tests-update-12/sys/modules/Makefile
projects/netbsd-tests-update-12/sys/modules/ipfw/Makefile
projects/netbsd-tests-update-12/sys/netinet/ip_fw.h
projects/netbsd-tests-update-12/sys/netpfil/ipfw/ip_fw2.c
projects/netbsd-tests-update-12/sys/netpfil/ipfw/ip_fw_log.c
projects/netbsd-tests-update-12/sys/netpfil/ipfw/ip_fw_private.h
projects/netbsd-tests-update-12/sys/netpfil/ipfw/ip_fw_table.c
projects/netbsd-tests-update-12/sys/netpfil/ipfw/nptv6/nptv6.c
projects/netbsd-tests-update-12/sys/powerpc/aim/locore.S
projects/netbsd-tests-update-12/sys/powerpc/booke/locore.S
projects/netbsd-tests-update-12/sys/powerpc/booke/pmap.c
projects/netbsd-tests-update-12/sys/powerpc/mpc85xx/platform_mpc85xx.c
projects/netbsd-tests-update-12/sys/powerpc/powerpc/machdep.c
projects/netbsd-tests-update-12/sys/powerpc/powerpc/mmu_if.m
projects/netbsd-tests-update-12/sys/powerpc/powerpc/pmap_dispatch.c
projects/netbsd-tests-update-12/sys/vm/vm_page.c
projects/netbsd-tests-update-12/sys/vm/vm_phys.c
projects/netbsd-tests-update-12/tests/sys/acl/00.sh
projects/netbsd-tests-update-12/tests/sys/acl/01.sh
projects/netbsd-tests-update-12/tests/sys/acl/02.sh
projects/netbsd-tests-update-12/tests/sys/acl/03.sh
projects/netbsd-tests-update-12/tests/sys/acl/04.sh
projects/netbsd-tests-update-12/usr.bin/nfsstat/nfsstat.1
projects/netbsd-tests-update-12/usr.bin/nfsstat/nfsstat.c
Directory Properties:
projects/netbsd-tests-update-12/ (props changed)
projects/netbsd-tests-update-12/cddl/ (props changed)
projects/netbsd-tests-update-12/cddl/contrib/opensolaris/ (props changed)
Modified: projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/dwarf.c
==============================================================================
--- projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/dwarf.c Sat Aug 13 22:14:16 2016 (r304061)
+++ projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/dwarf.c Sat Aug 13 22:51:36 2016 (r304062)
@@ -816,6 +816,11 @@ die_enum_create(dwarf_t *dw, Dwarf_Die d
Dwarf_Unsigned uval;
Dwarf_Signed sval;
+ if (die_isdecl(dw, die)) {
+ tdp->t_type = FORWARD;
+ return;
+ }
+
debug(3, "die %llu: creating enum\n", off);
tdp->t_type = ENUM;
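Review bot: The new early return in die_enum_create has no comment explaining why a declaration-only enum DIE is recorded as FORWARD. It appears to rely on the fwd_equiv() change to merge.c in this same commit, which now accepts ENUM as the definition for a forward. I would add a comment above the check, such as `/* Declaration-only enum: emit a forward; fwd_equiv() matches it to the ENUM definition at merge time. */`. The return also comes before the `debug(3, ...)` trace, so forward enums leave no trace line; a `debug(3, "die %llu: creating forward enum\n", off);` inside the new branch would keep the debug output complete. The function body begins and ends outside the hunk.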
Modified: projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/merge.c
==============================================================================
--- projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/merge.c Sat Aug 13 22:14:16 2016 (r304061)
+++ projects/netbsd-tests-update-12/cddl/contrib/opensolaris/tools/ctf/cvt/merge.c Sat Aug 13 22:51:36 2016 (r304062)
@@ -338,7 +338,8 @@ fwd_equiv(tdesc_t *ctdp, tdesc_t *mtdp)
{
tdesc_t *defn = (ctdp->t_type == FORWARD ? mtdp : ctdp);
- return (defn->t_type == STRUCT || defn->t_type == UNION);
+ return (defn->t_type == STRUCT || defn->t_type == UNION ||
+ defn->t_type == ENUM);
}
static int
Modified: projects/netbsd-tests-update-12/sbin/ipfw/Makefile
==============================================================================
--- projects/netbsd-tests-update-12/sbin/ipfw/Makefile Sat Aug 13 22:14:16 2016 (r304061)
+++ projects/netbsd-tests-update-12/sbin/ipfw/Makefile Sat Aug 13 22:51:36 2016 (r304062)
@@ -5,7 +5,7 @@
PACKAGE=ipfw
PROG= ipfw
SRCS= ipfw2.c dummynet.c ipv6.c main.c nat.c tables.c
-SRCS+= nptv6.c
+SRCS+= nat64lsn.c nat64stl.c nptv6.c
WARNS?= 2
.if ${MK_PF} != "no"
Modified: projects/netbsd-tests-update-12/sbin/ipfw/ipfw.8
==============================================================================
--- projects/netbsd-tests-update-12/sbin/ipfw/ipfw.8 Sat Aug 13 22:14:16 2016 (r304061)
+++ projects/netbsd-tests-update-12/sbin/ipfw/ipfw.8 Sat Aug 13 22:51:36 2016 (r304062)
@@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd July 19, 2016
+.Dd August 13, 2016
.Dt IPFW 8
.Os
.Sh NAME
@@ -113,6 +113,37 @@ in-kernel NAT.
.Oc
.Oc
.Ar pathname
+.Ss STATEFUL IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+.Nm
+.Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options
+.Nm
+.Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options
+.Nm
+.Oo Cm set Ar N Oc Cm nat64lsn
+.Brq Ar name | all
+.Brq Cm list | show
+.Op Cm states
+.Nm
+.Oo Cm set Ar N Oc Cm nat64lsn
+.Brq Ar name | all
+.Cm destroy
+.Nm
+.Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm stats Op Cm reset
+.Ss STATELESS IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+.Nm
+.Oo Cm set Ar N Oc Cm nat64stl Ar name Cm create Ar create-options
+.Nm
+.Oo Cm set Ar N Oc Cm nat64stl Ar name Cm config Ar config-options
+.Nm
+.Oo Cm set Ar N Oc Cm nat64stl
+.Brq Ar name | all
+.Brq Cm list | show
+.Nm
+.Oo Cm set Ar N Oc Cm nat64stl
+.Brq Ar name | all
+.Cm destroy
+.Nm
+.Oo Cm set Ar N Oc Cm nat64stl Ar name Cm stats Op Cm reset
.Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION
.Nm
.Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options
@@ -125,7 +156,7 @@ in-kernel NAT.
.Brq Ar name | all
.Cm destroy
.Nm
-.Oo Cm set Ar N Oc Cm nptv6 Ar name Cm stats
+.Oo Cm set Ar N Oc Cm nptv6 Ar name Cm stats Op Cm reset
.Ss INTERNAL DIAGNOSTICS
.Nm
.Cm internal iflist
@@ -837,6 +868,16 @@ nat instance
see the
.Sx NETWORK ADDRESS TRANSLATION (NAT)
Section for further information.
+.It Cm nat64lsn Ar name
+Pass packet to a stateful NAT64 instance (for IPv6/IPv4 network address and
+protocol translation): see the
+.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+Section for further information.
+.It Cm nat64stl Ar name
+Pass packet to a stateless NAT64 instance (for IPv6/IPv4 network address and
+protocol translation): see the
+.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+Section for further information.
.It Cm nptv6 Ar name
Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
see the
@@ -2927,9 +2968,189 @@ instances.
See
.Sx SYSCTL VARIABLES
for more info.
+.Sh IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+.Nm
+supports in-kernel IPv6/IPv4 network address and protocol translation.
+Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
+using unicast TCP, UDP or ICMP protocols.
+One or more IPv4 addresses assigned to a stateful NAT64 translator are shared
+among serveral IPv6-only clients.
+When stateful NAT64 is used in conjunction with DNS64, no changes are usually
+required in the IPv6 client or the IPv4 server.
+The kernel module
+.Cm ipfw_nat64
+should be loaded or kernel should have
+.Cm options IPFIREWALL_NAT64
+to be able use stateful NAT64 translator.
+.Pp
+Stateful NAT64 uses a bunch of memory for several types of objects.
+When IPv6 client initiates connection, NAT64 translator creates a host entry
+in the states table.
+Each host entry has a number of ports group entries allocated on demand.
+Ports group entries contains connection state entries.
+There are several options to control limits and lifetime for these objects.
+.Pp
+NAT64 translator follows RFC7915 when does ICMPv6/ICMP translation,
+unsupported message types will be silently dropped.
+IPv6 needs several ICMPv6 message types to be explicitly allowed for correct
+operation.
+Make sure that ND6 neighbor solicitation (ICMPv6 type 135) and neighbor
+advertisement (ICMPv6 type 136) messages will not be handled by translation
+rules.
+.Pp
+After translation NAT64 translator sends packets through corresponding netisr
+queue.
+Thus translator host should be configured as IPv4 and IPv6 router.
+.Pp
+Currently both stateful and stateless NAT64 translators use Well-Known IPv6
+Prefix
+.Ar 64:ff9b::/96
+to represent IPv4 addresses in the IPv6 address.
+Thus DNS64 service and routing should be configured to use Well-Known IPv6
+Prefix.
+.Pp
+The stateful NAT64 configuration command is the following:
+.Bd -ragged -offset indent
+.Bk -words
+.Cm nat64lsn
+.Ar name
+.Cm create
+.Ar create-options
+.Ek
+.Ed
+.Pp
+The following parameters can be configured:
+.Bl -tag -width indent
+.It Cm prefix4 Ar ipv4_prefix/mask
+The IPv4 prefix with mask defines the pool of IPv4 addresses used as
+source address after translation.
+Stateful NAT64 module translates IPv6 source address of client to one
+IPv4 address from this pool.
+Note that incoming IPv4 packets that don't have corresponding state entry
+in the states table will be dropped by translator.
+Make sure that translation rules handle packets, destined to configured prefix.
+.It Cm max_ports Ar number
+Maximum number of ports reserved for upper level protocols to one IPv6 client.
+All reserved ports are divided into chunks between supported protocols.
+The number of connections from one IPv6 client is limited by this option.
+Note that closed TCP connections still remain in the list of connections until
+.Cm tcp_close_age
+interval will not expire.
+Default value is
+.Ar 2048 .
+.It Cm host_del_age Ar seconds
+The number of seconds until the host entry for a IPv6 client will be deleted
+and all its resources will be released due to inactivity.
+Default value is
+.Ar 3600 .
+.It Cm pg_del_age Ar seconds
+The number of seconds until a ports group with unused state entries will
+be released.
+Default value is
+.Ar 900 .
+.It Cm tcp_syn_age Ar seconds
+The number of seconds while a state entry for TCP connection with only SYN
+sent will be kept.
+If TCP connection establishing will not be finished,
+state entry will be deleted.
+Default value is
+.Ar 10 .
+.It Cm tcp_est_age Ar seconds
+The number of seconds while a state entry for established TCP connection
+will be kept.
+Default value is
+.Ar 7200 .
+.It Cm tcp_close_age Ar seconds
+The number of seconds while a state entry for closed TCP connection
+will be kept.
+Keeping state entries for closed connections is needed, because IPv4 servers
+typically keep closed connections in a TIME_WAIT state for a several minutes.
+Since translator's IPv4 addresses are shared among all IPv6 clients,
+new connections from the same addresses and ports may be rejected by server,
+because these connections are still in a TIME_WAIT state.
+Keeping them in translator's state table protects from such rejects.
+Default value is
+.Ar 180 .
+.It Cm udp_age Ar seconds
+The number of seconds while translator keeps state entry in a waiting for
+reply to the sent UDP datagram.
+Default value is
+.Ar 120 .
+.It Cm icmp_age Ar seconds
+The number of seconds while translator keeps state entry in a waiting for
+reply to the sent ICMP message.
+Default value is
+.Ar 60 .
+.It Cm log
+Turn on logging of all handled packets via BPF through
+.Ar ipfwlog0
+interface.
+.Ar ipfwlog0
+is a pseudo interface and can be created after a boot manually with
+.Cm ifconfig
+command.
+Note that it has different purpose than
+.Ar ipfw0
+interface.
+Translators sends to BPF an additional information with each packet.
+With
+.Cm tcpdump
+you are able to see each handled packet before and after translation.
+.It Cm -log
+Turn off logging of all handled packets via BPF.
+.El
+.Pp
+To inspect a states table of stateful NAT64 the following command can be used:
+.Bd -ragged -offset indent
+.Bk -words
+.Cm nat64lsn
+.Ar name
+.Cm show Cm states
+.Ek
+.Ed
+.Pp
+.Pp
+Stateless NAT64 translator doesn't use a states table for translation
+and converts IPv4 addresses to IPv6 and vice versa solely based on the
+mappings taken from configured lookup tables.
+Since a states table doesn't used by stateless translator,
+it can be configured to pass IPv4 clients to IPv6-only servers.
+.Pp
+The stateless NAT64 configuration command is the following:
+.Bd -ragged -offset indent
+.Bk -words
+.Cm nat64stl
+.Ar name
+.Cm create
+.Ar create-options
+.Ek
+.Ed
+.Pp
+The following parameters can be configured:
+.Bl -tag -width indent
+.It Cm table4 Ar table46
+The lookup table
+.Ar table46
+contains mapping how IPv4 addresses should be translated to IPv6 addresses.
+.It Cm table6 Ar table64
+The lookup table
+.Ar table64
+contains mapping how IPv6 addresses should be translated to IPv4 addresses.
+.It Cm log
+Turn on logging of all handled packets via BPF through
+.Ar ipfwlog0
+interface.
+.It Cm -log
+Turn off logging of all handled packets via BPF.
+.El
+.Pp
+Note that the behavior of stateless translator with respect to not matched
+packets differs from stateful translator.
+If corresponding addresses was not found in the lookup tables, the packet
+will not be dropped and the search continues.
.Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
.Nm
-support in-kernel IPv6-to-IPv6 network prefix translation as described
+supports in-kernel IPv6-to-IPv6 network prefix translation as described
in RFC6296.
The kernel module
.Cm ipfw_nptv6
Modified: projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.c
==============================================================================
--- projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.c Sat Aug 13 22:14:16 2016 (r304061)
+++ projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.c Sat Aug 13 22:51:36 2016 (r304062)
@@ -235,6 +235,8 @@ static struct _s_x ether_types[] = {
};
static struct _s_x rule_eactions[] = {
+ { "nat64lsn", TOK_NAT64LSN },
+ { "nat64stl", TOK_NAT64STL },
{ "nptv6", TOK_NPTV6 },
{ NULL, 0 } /* terminator */
};
Modified: projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.h
==============================================================================
--- projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.h Sat Aug 13 22:14:16 2016 (r304061)
+++ projects/netbsd-tests-update-12/sbin/ipfw/ipfw2.h Sat Aug 13 22:51:36 2016 (r304062)
@@ -254,7 +254,30 @@ enum tokens {
TOK_UNLOCK,
TOK_VLIST,
TOK_OLIST,
+
+ /* NAT64 tokens */
+ TOK_NAT64STL,
+ TOK_NAT64LSN,
TOK_STATS,
+ TOK_STATES,
+ TOK_CONFIG,
+ TOK_TABLE4,
+ TOK_TABLE6,
+ TOK_PREFIX4,
+ TOK_PREFIX6,
+ TOK_AGG_LEN,
+ TOK_AGG_COUNT,
+ TOK_MAX_PORTS,
+ TOK_JMAXLEN,
+ TOK_PORT_RANGE,
+ TOK_HOST_DEL_AGE,
+ TOK_PG_DEL_AGE,
+ TOK_TCP_SYN_AGE,
+ TOK_TCP_CLOSE_AGE,
+ TOK_TCP_EST_AGE,
+ TOK_UDP_AGE,
+ TOK_ICMP_AGE,
+ TOK_LOGOFF,
/* NPTv6 tokens */
TOK_NPTV6,
@@ -347,6 +370,8 @@ void ipfw_flush(int force);
void ipfw_zero(int ac, char *av[], int optname);
void ipfw_list(int ac, char *av[], int show_counters);
void ipfw_internal_handler(int ac, char *av[]);
+void ipfw_nat64lsn_handler(int ac, char *av[]);
+void ipfw_nat64stl_handler(int ac, char *av[]);
void ipfw_nptv6_handler(int ac, char *av[]);
int ipfw_check_object_name(const char *name);
@@ -384,7 +409,10 @@ void bp_flush(struct buf_pr *b);
/* tables.c */
struct _ipfw_obj_ctlv;
+struct _ipfw_obj_ntlv;
int table_check_name(const char *tablename);
void ipfw_list_ta(int ac, char *av[]);
void ipfw_list_values(int ac, char *av[]);
+void table_fill_ntlv(struct _ipfw_obj_ntlv *ntlv, const char *name,
+ uint8_t set, uint16_t uidx);
Modified: projects/netbsd-tests-update-12/sbin/ipfw/main.c
==============================================================================
--- projects/netbsd-tests-update-12/sbin/ipfw/main.c Sat Aug 13 22:14:16 2016 (r304061)
+++ projects/netbsd-tests-update-12/sbin/ipfw/main.c Sat Aug 13 22:51:36 2016 (r304062)
@@ -425,6 +425,10 @@ ipfw_main(int oldac, char **oldav)
if (co.use_set || try_next) {
if (_substrcmp(*av, "delete") == 0)
ipfw_delete(av);
+ else if (!strncmp(*av, "nat64stl", strlen(*av)))
+ ipfw_nat64stl_handler(ac, av);
+ else if (!strncmp(*av, "nat64lsn", strlen(*av)))
+ ipfw_nat64lsn_handler(ac, av);
else if (!strncmp(*av, "nptv6", strlen(*av)))
ipfw_nptv6_handler(ac, av);
else if (_substrcmp(*av, "flush") == 0)
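Review bot: The two new tests of the form `!strncmp(*av, "nat64stl", strlen(*av))` accept any prefix of the keyword, including an empty argument, for which the length is 0 and strncmp returns 0. As a result `nat64`, `nat6` or `n` all dispatch to ipfw_nat64stl_handler simply because it is first in the chain, and a bare `n` no longer reaches the nptv6 branch below it. For a tool that edits firewall state, an abbreviation that silently selects a different translator type is worth avoiding. Consider an exact match for these object keywords, e.g. `else if (strcmp(*av, "nat64stl") == 0)` and likewise for `nat64lsn`. ipfw_main starts and ends outside the hunk, so whether an earlier branch already consumes shorter words such as `nat` cannot be confirmed from here.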
Copied: projects/netbsd-tests-update-12/sbin/ipfw/nat64lsn.c (from r304061, head/sbin/ipfw/nat64lsn.c)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ projects/netbsd-tests-update-12/sbin/ipfw/nat64lsn.c Sat Aug 13 22:51:36 2016 (r304062, copy of r304061, head/sbin/ipfw/nat64lsn.c)
@@ -0,0 +1,854 @@
+/*-
+ * Copyright (c) 2015-2016 Yandex LLC
+ * Copyright (c) 2015-2016 Alexander V. Chernikov <melifaro at FreeBSD.org>
+ * Copyright (c) 2015-2016 Andrey V. Elsukov <ae at FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include "ipfw2.h"
+
+#include <ctype.h>
+#include <err.h>
+#include <errno.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sysexits.h>
+
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/ip_fw.h>
+#include <netinet6/ip_fw_nat64.h>
+#include <arpa/inet.h>
+
+static void nat64lsn_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name,
+ uint8_t set);
+typedef int (nat64lsn_cb_t)(ipfw_nat64lsn_cfg *cfg, const char *name,
+ uint8_t set);
+static int nat64lsn_foreach(nat64lsn_cb_t *f, const char *name, uint8_t set,
+ int sort);
+
+static void nat64lsn_create(const char *name, uint8_t set, int ac, char **av);
+static void nat64lsn_config(const char *name, uint8_t set, int ac, char **av);
+static void nat64lsn_destroy(const char *name, uint8_t set);
+static void nat64lsn_stats(const char *name, uint8_t set);
+static void nat64lsn_reset_stats(const char *name, uint8_t set);
+static int nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *name,
+ uint8_t set);
+static int nat64lsn_destroy_cb(ipfw_nat64lsn_cfg *cfg, const char *name,
+ uint8_t set);
+static int nat64lsn_states_cb(ipfw_nat64lsn_cfg *cfg, const char *name,
+ uint8_t set);
+
+static struct _s_x nat64cmds[] = {
+ { "create", TOK_CREATE },
+ { "config", TOK_CONFIG },
+ { "destroy", TOK_DESTROY },
+ { "list", TOK_LIST },
+ { "show", TOK_LIST },
+ { "stats", TOK_STATS },
+ { NULL, 0 }
+};
+
+static uint64_t
+nat64lsn_print_states(void *buf)
+{
+ char s[INET6_ADDRSTRLEN], a[INET_ADDRSTRLEN], f[INET_ADDRSTRLEN];
+ char sflags[4], *sf, *proto;
+ ipfw_obj_header *oh;
+ ipfw_obj_data *od;
+ ipfw_nat64lsn_stg *stg;
+ ipfw_nat64lsn_state *ste;
+ uint64_t next_idx;
+ int i, sz;
+
+ oh = (ipfw_obj_header *)buf;
+ od = (ipfw_obj_data *)(oh + 1);
+ stg = (ipfw_nat64lsn_stg *)(od + 1);
+ sz = od->head.length - sizeof(*od);
+ next_idx = 0;
+ while (sz > 0 && next_idx != 0xFF) {
+ next_idx = stg->next_idx;
+ sz -= sizeof(*stg);
+ if (stg->count == 0) {
+ stg++;
+ continue;
+ }
+ switch (stg->proto) {
+ case IPPROTO_TCP:
+ proto = "TCP";
+ break;
+ case IPPROTO_UDP:
+ proto = "UDP";
+ break;
+ case IPPROTO_ICMPV6:
+ proto = "ICMPv6";
+ break;
+ }
+ inet_ntop(AF_INET6, &stg->host6, s, sizeof(s));
+ inet_ntop(AF_INET, &stg->alias4, a, sizeof(a));
+ ste = (ipfw_nat64lsn_state *)(stg + 1);
+ for (i = 0; i < stg->count && sz > 0; i++) {
+ sf = sflags;
+ inet_ntop(AF_INET, &ste->daddr, f, sizeof(f));
+ if (stg->proto == IPPROTO_TCP) {
+ if (ste->flags & 0x02)
+ *sf++ = 'S';
+ if (ste->flags & 0x04)
+ *sf++ = 'E';
+ if (ste->flags & 0x01)
+ *sf++ = 'F';
+ }
+ *sf = '\0';
+ switch (stg->proto) {
+ case IPPROTO_TCP:
+ case IPPROTO_UDP:
+ printf("%s:%d\t%s:%d\t%s\t%s\t%d\t%s:%d\n",
+ s, ste->sport, a, ste->aport, proto,
+ sflags, ste->idle, f, ste->dport);
+ break;
+ case IPPROTO_ICMPV6:
+ printf("%s\t%s\t%s\t\t%d\t%s\n",
+ s, a, proto, ste->idle, f);
+ break;
+ default:
+ printf("%s\t%s\t%d\t\t%d\t%s\n",
+ s, a, stg->proto, ste->idle, f);
+ }
+ ste++;
+ sz -= sizeof(*ste);
+ }
+ stg = (ipfw_nat64lsn_stg *)ste;
+ }
+ return (next_idx);
+}
+
+static int
+nat64lsn_states_cb(ipfw_nat64lsn_cfg *cfg, const char *name, uint8_t set)
+{
+ ipfw_obj_header *oh;
+ ipfw_obj_data *od;
+ void *buf;
+ uint64_t next_idx;
+ size_t sz;
+
+ if (name != NULL && strcmp(cfg->name, name) != 0)
+ return (ESRCH);
+
+ if (set != 0 && cfg->set != set)
+ return (ESRCH);
+
+ next_idx = 0;
+ sz = 4096;
+ if ((buf = calloc(1, sz)) == NULL)
+ err(EX_OSERR, NULL);
+ do {
+ oh = (ipfw_obj_header *)buf;
+ od = (ipfw_obj_data *)(oh + 1);
+ nat64lsn_fill_ntlv(&oh->ntlv, cfg->name, set);
+ od->head.type = IPFW_TLV_OBJDATA;
+ od->head.length = sizeof(*od) + sizeof(next_idx);
+ *((uint64_t *)(od + 1)) = next_idx;
+ if (do_get3(IP_FW_NAT64LSN_LIST_STATES, &oh->opheader, &sz))
+ err(EX_OSERR, "Error reading nat64lsn states");
+ next_idx = nat64lsn_print_states(buf);
+ sz = 4096;
+ memset(buf, 0, sz);
+ } while (next_idx != 0xFF);
+
+ free(buf);
+ return (0);
+}
+
+static struct _s_x nat64statscmds[] = {
+ { "reset", TOK_RESET },
+ { NULL, 0 }
+};
+
+static void
+ipfw_nat64lsn_stats_handler(const char *name, uint8_t set, int ac, char *av[])
+{
+ int tcmd;
+
+ if (ac == 0) {
+ nat64lsn_stats(name, set);
+ return;
+ }
+ NEED1("nat64lsn stats needs command");
+ tcmd = get_token(nat64statscmds, *av, "nat64lsn stats command");
+ switch (tcmd) {
+ case TOK_RESET:
+ nat64lsn_reset_stats(name, set);
+ }
+}
+
+static struct _s_x nat64listcmds[] = {
+ { "states", TOK_STATES },
+ { "config", TOK_CONFIG },
+ { NULL, 0 }
+};
+
+static void
+ipfw_nat64lsn_list_handler(const char *name, uint8_t set, int ac, char *av[])
+{
+ int tcmd;
+
+ if (ac == 0) {
+ nat64lsn_foreach(nat64lsn_show_cb, name, set, 1);
+ return;
+ }
+ NEED1("nat64lsn list needs command");
+ tcmd = get_token(nat64listcmds, *av, "nat64lsn list command");
+ switch (tcmd) {
+ case TOK_STATES:
+ nat64lsn_foreach(nat64lsn_states_cb, name, set, 1);
+ break;
+ case TOK_CONFIG:
+ nat64lsn_foreach(nat64lsn_show_cb, name, set, 1);
+ }
+}
+
+/*
+ * This one handles all nat64lsn-related commands
+ * ipfw [set N] nat64lsn NAME {create | config} ...
+ * ipfw [set N] nat64lsn NAME stats
+ * ipfw [set N] nat64lsn {NAME | all} destroy
+ * ipfw [set N] nat64lsn {NAME | all} {list | show} [config | states]
+ */
+#define nat64lsn_check_name table_check_name
+void
+ipfw_nat64lsn_handler(int ac, char *av[])
+{
+ const char *name;
+ int tcmd;
+ uint8_t set;
+
+ if (co.use_set != 0)
+ set = co.use_set - 1;
+ else
+ set = 0;
+ ac--; av++;
+
+ NEED1("nat64lsn needs instance name");
+ name = *av;
+ if (nat64lsn_check_name(name) != 0) {
+ if (strcmp(name, "all") == 0)
+ name = NULL;
+ else
+ errx(EX_USAGE, "nat64lsn instance name %s is invalid",
+ name);
+ }
+ ac--; av++;
+ NEED1("nat64lsn needs command");
+
+ tcmd = get_token(nat64cmds, *av, "nat64lsn command");
+ if (name == NULL && tcmd != TOK_DESTROY && tcmd != TOK_LIST)
+ errx(EX_USAGE, "nat64lsn instance name required");
+ switch (tcmd) {
+ case TOK_CREATE:
+ ac--; av++;
+ nat64lsn_create(name, set, ac, av);
+ break;
+ case TOK_CONFIG:
+ ac--; av++;
+ nat64lsn_config(name, set, ac, av);
+ break;
+ case TOK_LIST:
+ ac--; av++;
+ ipfw_nat64lsn_list_handler(name, set, ac, av);
+ break;
+ case TOK_DESTROY:
+ if (name == NULL)
+ nat64lsn_foreach(nat64lsn_destroy_cb, NULL, set, 0);
+ else
+ nat64lsn_destroy(name, set);
+ break;
+ case TOK_STATS:
+ ac--; av++;
+ ipfw_nat64lsn_stats_handler(name, set, ac, av);
+ }
+}
+
+static void
+nat64lsn_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name, uint8_t set)
+{
+
+ ntlv->head.type = IPFW_TLV_EACTION_NAME(1); /* it doesn't matter */
+ ntlv->head.length = sizeof(ipfw_obj_ntlv);
+ ntlv->idx = 1;
+ ntlv->set = set;
+ strlcpy(ntlv->name, name, sizeof(ntlv->name));
+}
+
+static void
+nat64lsn_apply_mask(int af, void *prefix, uint16_t plen)
+{
+ struct in6_addr mask6, *p6;
+ struct in_addr mask4, *p4;
+
+ if (af == AF_INET) {
+ p4 = (struct in_addr *)prefix;
+ mask4.s_addr = htonl(~((1 << (32 - plen)) - 1));
+ p4->s_addr &= mask4.s_addr;
+ } else if (af == AF_INET6) {
+ p6 = (struct in6_addr *)prefix;
+ n2mask(&mask6, plen);
+ APPLY_MASK(p6, &mask6);
+ }
+}
+
+static void
+nat64lsn_parse_prefix(const char *arg, int af, void *prefix, uint16_t *plen)
+{
+ char *p, *l;
+
+ p = strdup(arg);
+ if (p == NULL)
+ err(EX_OSERR, NULL);
+ if ((l = strchr(p, '/')) != NULL)
+ *l++ = '\0';
+ if (l == NULL)
+ errx(EX_USAGE, "Prefix length required");
+ if (inet_pton(af, p, prefix) != 1)
+ errx(EX_USAGE, "Bad prefix: %s", p);
+ *plen = (uint16_t)strtol(l, &l, 10);
+ if (*l != '\0' || *plen == 0 || (af == AF_INET && *plen > 32) ||
+ (af == AF_INET6 && *plen > 96))
+ errx(EX_USAGE, "Bad prefix length: %s", arg);
+ nat64lsn_apply_mask(af, prefix, *plen);
+ free(p);
+}
+
+static uint32_t
+nat64lsn_parse_int(const char *arg, const char *desc)
+{
+ char *p;
+ uint32_t val;
+
+ val = (uint32_t)strtol(arg, &p, 10);
+ if (*p != '\0')
+ errx(EX_USAGE, "Invalid %s value: %s\n", desc, arg);
+ return (val);
+}
+
+static struct _s_x nat64newcmds[] = {
+ { "prefix6", TOK_PREFIX6 },
+ { "agg_len", TOK_AGG_LEN }, /* not yet */
+ { "agg_count", TOK_AGG_COUNT }, /* not yet */
+ { "port_range", TOK_PORT_RANGE }, /* not yet */
+ { "jmaxlen", TOK_JMAXLEN },
+ { "prefix4", TOK_PREFIX4 },
+ { "max_ports", TOK_MAX_PORTS },
+ { "host_del_age", TOK_HOST_DEL_AGE },
+ { "pg_del_age", TOK_PG_DEL_AGE },
+ { "tcp_syn_age", TOK_TCP_SYN_AGE },
+ { "tcp_close_age",TOK_TCP_CLOSE_AGE },
+ { "tcp_est_age", TOK_TCP_EST_AGE },
+ { "udp_age", TOK_UDP_AGE },
+ { "icmp_age", TOK_ICMP_AGE },
+ { "log", TOK_LOG },
+ { "-log", TOK_LOGOFF },
+ { NULL, 0 }
+};
+
+/*
+ * Creates new nat64lsn instance
+ * ipfw nat64lsn <NAME> create
+ * [ max_ports <N> ]
+ * Request: [ ipfw_obj_lheader ipfw_nat64lsn_cfg ]
+ */
+#define NAT64LSN_HAS_PREFIX4 0x01
+#define NAT64LSN_HAS_PREFIX6 0x02
+static void
+nat64lsn_create(const char *name, uint8_t set, int ac, char **av)
+{
+ char buf[sizeof(ipfw_obj_lheader) + sizeof(ipfw_nat64lsn_cfg)];
+ ipfw_nat64lsn_cfg *cfg;
+ ipfw_obj_lheader *olh;
+ int tcmd, flags;
+ char *opt;
+
+ memset(&buf, 0, sizeof(buf));
+ olh = (ipfw_obj_lheader *)buf;
+ cfg = (ipfw_nat64lsn_cfg *)(olh + 1);
+
+ /* Some reasonable defaults */
+ inet_pton(AF_INET6, "64:ff9b::", &cfg->prefix6);
+ cfg->plen6 = 96;
+ cfg->set = set;
+ cfg->max_ports = NAT64LSN_MAX_PORTS;
+ cfg->jmaxlen = NAT64LSN_JMAXLEN;
+ cfg->nh_delete_delay = NAT64LSN_HOST_AGE;
+ cfg->pg_delete_delay = NAT64LSN_PG_AGE;
+ cfg->st_syn_ttl = NAT64LSN_TCP_SYN_AGE;
+ cfg->st_estab_ttl = NAT64LSN_TCP_EST_AGE;
+ cfg->st_close_ttl = NAT64LSN_TCP_FIN_AGE;
+ cfg->st_udp_ttl = NAT64LSN_UDP_AGE;
+ cfg->st_icmp_ttl = NAT64LSN_ICMP_AGE;
+ flags = NAT64LSN_HAS_PREFIX6;
+ while (ac > 0) {
+ tcmd = get_token(nat64newcmds, *av, "option");
+ opt = *av;
+ ac--; av++;
+
+ switch (tcmd) {
+ case TOK_PREFIX4:
+ NEED1("IPv4 prefix required");
+ nat64lsn_parse_prefix(*av, AF_INET, &cfg->prefix4,
+ &cfg->plen4);
+ flags |= NAT64LSN_HAS_PREFIX4;
+ ac--; av++;
+ break;
+#if 0
+ case TOK_PREFIX6:
+ NEED1("IPv6 prefix required");
+ nat64lsn_parse_prefix(*av, AF_INET6, &cfg->prefix6,
+ &cfg->plen6);
+ ac--; av++;
+ break;
+ case TOK_AGG_LEN:
+ NEED1("Aggregation prefix len required");
+ cfg->agg_prefix_len = nat64lsn_parse_int(*av, opt);
+ ac--; av++;
+ break;
+ case TOK_AGG_COUNT:
+ NEED1("Max per-prefix count required");
+ cfg->agg_prefix_max = nat64lsn_parse_int(*av, opt);
+ ac--; av++;
+ break;
+ case TOK_PORT_RANGE:
+ NEED1("port range x[:y] required");
+ if ((p = strchr(*av, ':')) == NULL)
+ cfg->min_port = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ else {
+ *p++ = '\0';
+ cfg->min_port = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ cfg->max_port = (uint16_t)nat64lsn_parse_int(
+ p, opt);
+ }
+ ac--; av++;
+ break;
+ case TOK_JMAXLEN:
+ NEED1("job queue length required");
+ cfg->jmaxlen = nat64lsn_parse_int(*av, opt);
+ ac--; av++;
+ break;
+#endif
+ case TOK_MAX_PORTS:
+ NEED1("Max per-user ports required");
+ cfg->max_ports = nat64lsn_parse_int(*av, opt);
+ ac--; av++;
+ break;
+ case TOK_HOST_DEL_AGE:
+ NEED1("host delete delay required");
+ cfg->nh_delete_delay = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_PG_DEL_AGE:
+ NEED1("portgroup delete delay required");
+ cfg->pg_delete_delay = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_TCP_SYN_AGE:
+ NEED1("tcp syn age required");
+ cfg->st_syn_ttl = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_TCP_CLOSE_AGE:
+ NEED1("tcp close age required");
+ cfg->st_close_ttl = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_TCP_EST_AGE:
+ NEED1("tcp est age required");
+ cfg->st_estab_ttl = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_UDP_AGE:
+ NEED1("udp age required");
+ cfg->st_udp_ttl = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_ICMP_AGE:
+ NEED1("icmp age required");
+ cfg->st_icmp_ttl = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_LOG:
+ cfg->flags |= NAT64_LOG;
+ break;
+ case TOK_LOGOFF:
+ cfg->flags &= ~NAT64_LOG;
+ break;
+ }
+ }
+
+ /* Check validness */
+ if ((flags & NAT64LSN_HAS_PREFIX4) != NAT64LSN_HAS_PREFIX4)
+ errx(EX_USAGE, "prefix4 required");
+
+ olh->count = 1;
+ olh->objsize = sizeof(*cfg);
+ olh->size = sizeof(buf);
+ strlcpy(cfg->name, name, sizeof(cfg->name));
+ if (do_set3(IP_FW_NAT64LSN_CREATE, &olh->opheader, sizeof(buf)) != 0)
+ err(EX_OSERR, "nat64lsn instance creation failed");
+}
+
+/*
+ * Configures existing nat64lsn instance
+ * ipfw nat64lsn <NAME> config <options>
+ * Request: [ ipfw_obj_header ipfw_nat64lsn_cfg ]
+ */
+static void
+nat64lsn_config(const char *name, uint8_t set, int ac, char **av)
+{
+ char buf[sizeof(ipfw_obj_header) + sizeof(ipfw_nat64lsn_cfg)];
+ ipfw_nat64lsn_cfg *cfg;
+ ipfw_obj_header *oh;
+ size_t sz;
+ char *opt;
+ int tcmd;
+
+ if (ac == 0)
+ errx(EX_USAGE, "config options required");
+ memset(&buf, 0, sizeof(buf));
+ oh = (ipfw_obj_header *)buf;
+ cfg = (ipfw_nat64lsn_cfg *)(oh + 1);
+ sz = sizeof(buf);
+
+ nat64lsn_fill_ntlv(&oh->ntlv, name, set);
+ if (do_get3(IP_FW_NAT64LSN_CONFIG, &oh->opheader, &sz) != 0)
+ err(EX_OSERR, "failed to get config for instance %s", name);
+
+ while (ac > 0) {
+ tcmd = get_token(nat64newcmds, *av, "option");
+ opt = *av;
+ ac--; av++;
+
+ switch (tcmd) {
+ case TOK_MAX_PORTS:
+ NEED1("Max per-user ports required");
+ cfg->max_ports = nat64lsn_parse_int(*av, opt);
+ ac--; av++;
+ break;
+ case TOK_JMAXLEN:
+ NEED1("job queue length required");
+ cfg->jmaxlen = nat64lsn_parse_int(*av, opt);
+ ac--; av++;
+ break;
+ case TOK_HOST_DEL_AGE:
+ NEED1("host delete delay required");
+ cfg->nh_delete_delay = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_PG_DEL_AGE:
+ NEED1("portgroup delete delay required");
+ cfg->pg_delete_delay = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_TCP_SYN_AGE:
+ NEED1("tcp syn age required");
+ cfg->st_syn_ttl = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_TCP_CLOSE_AGE:
+ NEED1("tcp close age required");
+ cfg->st_close_ttl = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_TCP_EST_AGE:
+ NEED1("tcp est age required");
+ cfg->st_estab_ttl = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_UDP_AGE:
+ NEED1("udp age required");
+ cfg->st_udp_ttl = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
+ break;
+ case TOK_ICMP_AGE:
+ NEED1("icmp age required");
+ cfg->st_icmp_ttl = (uint16_t)nat64lsn_parse_int(
+ *av, opt);
+ ac--; av++;
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***