svn commit: r359694 - in stable/12: sbin/ipfw sys/netinet/libalias

Eugene Grosbein eugen at FreeBSD.org
Tue Apr 7 16:28:00 UTC 2020


Author: eugen
Date: Tue Apr  7 16:27:58 2020
New Revision: 359694
URL: https://svnweb.freebsd.org/changeset/base/359694

Log:
  MFC r357092,357787: Add support for RFC 6598/Carrier Grade NAT subnets
  to libalias and ipfw.
  
  In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added.
  This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware.
  Also, we add a new NAT option to ipfw called unreg_cgn, which is like
  unreg_only, but also is RFC 6598-aware.  The reason for the new
  flags/options is to avoid breaking existing networks, especially those
  which rely on RFC 6598 as an external address.
  
  Submitted by:	Neel Chauhan <neel AT neelc DOT org>
  Reviewed by:	melifaro, rgrimes, Lutz Donnerhacke
  Relnotes:	yes
  Differential Revision:	https://reviews.freebsd.org/D22877
  Differential Revision:	https://reviews.freebsd.org/D23448

Modified:
  stable/12/sbin/ipfw/ipfw.8
  stable/12/sbin/ipfw/ipfw2.h
  stable/12/sbin/ipfw/main.c
  stable/12/sbin/ipfw/nat.c
  stable/12/sys/netinet/libalias/alias.c
  stable/12/sys/netinet/libalias/alias.h
  stable/12/sys/netinet/libalias/libalias.3
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sbin/ipfw/ipfw.8
==============================================================================
--- stable/12/sbin/ipfw/ipfw.8	Tue Apr  7 16:15:53 2020	(r359693)
+++ stable/12/sbin/ipfw/ipfw.8	Tue Apr  7 16:27:58 2020	(r359694)
@@ -3233,8 +3233,11 @@ Deny any incoming connection from outside world.
 Try to leave the alias port numbers unchanged from
 the actual local port numbers.
 .It Cm unreg_only
-Traffic on the local network not originating from an
+Traffic on the local network not originating from a RFC 1918
 unregistered address spaces will be ignored.
+.It Cm unreg_cgn
+Like unreg_only, but includes the RFC 6598 (Carrier Grade NAT)
+address range.
 .It Cm reset
 Reset table of the packet aliasing engine on address change.
 .It Cm reverse

Modified: stable/12/sbin/ipfw/ipfw2.h
==============================================================================
--- stable/12/sbin/ipfw/ipfw2.h	Tue Apr  7 16:15:53 2020	(r359693)
+++ stable/12/sbin/ipfw/ipfw2.h	Tue Apr  7 16:27:58 2020	(r359694)
@@ -220,6 +220,7 @@ enum tokens {
 	TOK_DENY_INC,
 	TOK_SAME_PORTS,
 	TOK_UNREG_ONLY,
+	TOK_UNREG_CGN,
 	TOK_SKIP_GLOBAL,
 	TOK_RESET_ADDR,
 	TOK_ALIAS_REV,

Modified: stable/12/sbin/ipfw/main.c
==============================================================================
--- stable/12/sbin/ipfw/main.c	Tue Apr  7 16:15:53 2020	(r359693)
+++ stable/12/sbin/ipfw/main.c	Tue Apr  7 16:27:58 2020	(r359694)
@@ -43,8 +43,8 @@ help(void)
 "add [num] [set N] [prob x] RULE-BODY\n"
 "{pipe|queue} N config PIPE-BODY\n"
 "[pipe|queue] {zero|delete|show} [N{,N}]\n"
-"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|reset|\n"
-"		reverse|proxy_only|redirect_addr linkspec|\n"
+"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|unreg_cgn|\n"
+"		reset|reverse|proxy_only|redirect_addr linkspec|\n"
 "		redirect_port linkspec|redirect_proto linkspec}\n"
 "set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n"
 "set N {show|list|zero|resetlog|delete} [N{,N}] | flush\n"

Modified: stable/12/sbin/ipfw/nat.c
==============================================================================
--- stable/12/sbin/ipfw/nat.c	Tue Apr  7 16:15:53 2020	(r359693)
+++ stable/12/sbin/ipfw/nat.c	Tue Apr  7 16:27:58 2020	(r359694)
@@ -60,6 +60,7 @@ static struct _s_x nat_params[] = {
  	{ "deny_in",		TOK_DENY_INC },
  	{ "same_ports",		TOK_SAME_PORTS },
  	{ "unreg_only",		TOK_UNREG_ONLY },
+ 	{ "unreg_cgn",		TOK_UNREG_CGN },
 	{ "skip_global",	TOK_SKIP_GLOBAL },
  	{ "reset",		TOK_RESET_ADDR },
  	{ "reverse",		TOK_ALIAS_REV },
@@ -663,6 +664,9 @@ nat_show_cfg(struct nat44_cfg_nat *n, void *arg)
 		} else if (n->mode & PKT_ALIAS_UNREGISTERED_ONLY) {
 			printf(" unreg_only");
 			n->mode &= ~PKT_ALIAS_UNREGISTERED_ONLY;
+		} else if (n->mode & PKT_ALIAS_UNREGISTERED_CGN) {
+			printf(" unreg_cgn");
+			n->mode &= ~PKT_ALIAS_UNREGISTERED_CGN;
 		} else if (n->mode & PKT_ALIAS_RESET_ON_ADDR_CHANGE) {
 			printf(" reset");
 			n->mode &= ~PKT_ALIAS_RESET_ON_ADDR_CHANGE;
@@ -789,6 +793,7 @@ ipfw_config_nat(int ac, char **av)
 		case TOK_SAME_PORTS:
 		case TOK_SKIP_GLOBAL:
 		case TOK_UNREG_ONLY:
+		case TOK_UNREG_CGN:
 		case TOK_RESET_ADDR:
 		case TOK_ALIAS_REV:
 		case TOK_PROXY_ONLY:
@@ -882,6 +887,9 @@ ipfw_config_nat(int ac, char **av)
 			break;
 		case TOK_UNREG_ONLY:
 			n->mode |= PKT_ALIAS_UNREGISTERED_ONLY;
+			break;
+		case TOK_UNREG_CGN:
+			n->mode |= PKT_ALIAS_UNREGISTERED_CGN;
 			break;
 		case TOK_SKIP_GLOBAL:
 			n->mode |= PKT_ALIAS_SKIP_GLOBAL;

Modified: stable/12/sys/netinet/libalias/alias.c
==============================================================================
--- stable/12/sys/netinet/libalias/alias.c	Tue Apr  7 16:15:53 2020	(r359693)
+++ stable/12/sys/netinet/libalias/alias.c	Tue Apr  7 16:27:58 2020	(r359694)
@@ -1413,6 +1413,10 @@ getout:
 #define UNREG_ADDR_C_LOWER 0xc0a80000
 #define UNREG_ADDR_C_UPPER 0xc0a8ffff
 
+/* 100.64.0.0  -> 100.127.255.255 (RFC 6598 - Carrier Grade NAT) */
+#define UNREG_ADDR_CGN_LOWER 0x64400000
+#define UNREG_ADDR_CGN_UPPER 0x647fffff
+
 int
 LibAliasOut(struct libalias *la, char *ptr, int maxpacketsize)
 {
@@ -1464,7 +1468,8 @@ LibAliasOutLocked(struct libalias *la, char *ptr,	/* v
 	}
 
 	addr_save = GetDefaultAliasAddress(la);
-	if (la->packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY) {
+	if (la->packetAliasMode & PKT_ALIAS_UNREGISTERED_ONLY ||
+	    la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN) {
 		u_long addr;
 		int iclass;
 
@@ -1476,6 +1481,9 @@ LibAliasOutLocked(struct libalias *la, char *ptr,	/* v
 			iclass = 2;
 		else if (addr >= UNREG_ADDR_A_LOWER && addr <= UNREG_ADDR_A_UPPER)
 			iclass = 1;
+		else if (addr >= UNREG_ADDR_CGN_LOWER && addr <= UNREG_ADDR_CGN_UPPER &&
+		    la->packetAliasMode & PKT_ALIAS_UNREGISTERED_CGN)
+			iclass = 4;
 
 		if (iclass == 0) {
 			SetDefaultAliasAddress(la, pip->ip_src);
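Review bot: The new branch assigns the bare value 4 to iclass alongside 1 and 2, and the value 3 is not visible in this hunk, so the meaning of each number has to be recovered from the surrounding comparisons; a short `enum { UNREG_NONE = 0, UNREG_A = 1, UNREG_B = 2, UNREG_C = 3, UNREG_CGN = 4 }` (constructed names) next to the UNREG_ADDR_* defines would make the `iclass == 0` test below self-describing. As written, the class-A/B/C tests run under either flag while only the 100.64.0.0/10 test is additionally gated on PKT_ALIAS_UNREGISTERED_CGN, which matches the manual's "like unreg_only, but includes" wording; a one-line comment above the new `else if` stating that the RFC 6598 range is only honoured when the CGN bit is set would document that intent in the code. Because 100.64.0.0/10 is disjoint from the RFC 1918 ranges, placing the test last does not change the result.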

Modified: stable/12/sys/netinet/libalias/alias.h
==============================================================================
--- stable/12/sys/netinet/libalias/alias.h	Tue Apr  7 16:15:53 2020	(r359693)
+++ stable/12/sys/netinet/libalias/alias.h	Tue Apr  7 16:27:58 2020	(r359694)
@@ -228,6 +228,14 @@ struct mbuf    *m_megapullup(struct mbuf *, int);
  */
 #define	PKT_ALIAS_SKIP_GLOBAL		0x200
 
+/*
+ * Like PKT_ALIAS_UNREGISTERED_ONLY, but includes the RFC 6598
+ * (Carrier Grade NAT) address range as follows:
+ *
+ *		100.64.0.0   ->   100.127.255.255
+ */
+#define	PKT_ALIAS_UNREGISTERED_CGN	0x400
+
 /* Function return codes. */
 #define	PKT_ALIAS_ERROR			-1
 #define	PKT_ALIAS_OK			1

Modified: stable/12/sys/netinet/libalias/libalias.3
==============================================================================
--- stable/12/sys/netinet/libalias/libalias.3	Tue Apr  7 16:15:53 2020	(r359693)
+++ stable/12/sys/netinet/libalias/libalias.3	Tue Apr  7 16:27:58 2020	(r359694)
@@ -212,6 +212,11 @@ This option is useful in the case that the packet alia
 registered and unregistered subnets on different interfaces.
 The registered subnet is fully accessible to the outside world, so traffic
 from it does not need to be passed through the packet aliasing engine.
+.It Dv PKT_ALIAS_UNREGISTERED_CGN
+Like PKT_ALIAS_UNREGISTERED_ONLY, but includes the RFC 6598 (Carrier Grade
+NAT) subnet as follows:
+.Pp
+100.64.0.0   ->  100.127.255.255  (RFC 6598 subnet)
 .It Dv PKT_ALIAS_RESET_ON_ADDR_CHANGE
 When this mode bit is set and
 .Fn LibAliasSetAddress

