I've tested this patch on a setup where this feature is usefull: Using Mediation (NAT hole punching) feature of Strongswan for connecting 2 sites with IPSec, each site behind a NAT box (https://bsdrp.net/documentation/examples/strongswan_ipsec_mediation_feature).
Previously I had to use nat keyword "static-port" into pf line configuration for "helping" pf to keept original UDP source port, then allowing this feature to work.
With this patch, a standard pf nat (without any option) allow to create NAT hole: I don't think it's a "security downgrade" problem, because NAT was never desing for security.

For concluding: I like the feature brings by this patch :-)

Any news about pushing this change to head ?

In D11137#297170, @olivier wrote:

Any news about pushing this change to head ?

I'm afraid not. I've not had the time or energy to review the patch, or examine the implications in sufficient detail. Considering all of the other issues I'm also struggling to find the time for I really can't promise anything.

TWIMC some users, some of whom seem willingly to invest time & work into this, are discussing this in the FreeBSD Forum; i.e. the pros & cons & whether it's worth it at all. Please chime in if you have some valuable arguments.

Tailscale has a good blog on NAT traversal that explains the value of allowing NAT hole punching https://tailscale.com/blog/how-nat-traversal-works/

In D11137#937457, @emaste wrote:

Tailscale has a good blog on NAT traversal that explains the value of allowing NAT hole punching https://tailscale.com/blog/how-nat-traversal-works/

Is the assertion that this currently does not work with pf and will work with this patch?

I've been following discussions here and on the forums for literally years and I have yet to hear an explanation of why this is needed. Frankly, it's more than a little frustrating at this point.

My ask remains the same: explain why this is needed (and at this point: rebase the patch, add test cases and commit to supporting any fallout from it).

IMO RFC 4787 and the Tailscale blog provide reasonable justification for preferring endpoint-independent mapping. I guess one challenge in making the case is that functionality and failure modes fall on a spectrum, and applications implement fallbacks to work around the inability to transit NATs, to varying levels of success. One example is the inability of Nintendo Switch peer-to-peer communication to work between various "NAT types." (It doesn't help that Nintendo doesn't document what the "NAT Types" actually mean.) Various guides for Switch online gaming include suggestions like giving the Switch a static internal IP and forwarding ports 1-65535 to it to work around "NAT problems". Or, another example is Tailscale trying to use probabilistic port guessing to establish a connection or falling back to a TCP connection to a relay server if nothing else works.

I think it's uncontroversial that there are cases where EIM NAT provides a better user experience. Some applications can make use of UPnP, some users can research and configure port forwarding, but you're still left with cases where applications "just work" with "easy" NATs and do not with "hard" NATs. Look at the number of reddit posts, blogs etc. written about getting a Nintendo Switch to work with FreeBSD or pfSense, compared to the relative lack of issues with common consumer CPE.

All of that is separate from discussions of NAT security properties, opt-in/opt-out controls and default behaviors, tests, and the specific details of this patch. Those are all things that indeed need to be addressed as part of an effort to bring it in.

I spent some time coming up with concrete use-cases to demonstrate this patch's usefulness:

1. Here is a demonstration showing a 3x performance uplift in a file transfer over the Tailscale VPN from applying this patch on a router, enabling a peer-to-peer connection rather than using their relay servers: https://gist.github.com/tendstofortytwo/5bc7b158239b1216e338c45b56e6b9b1

2. When I try to play Mario Kart 7 online on my Nintendo 2DS behind a FreeBSD router running pf NAT, I get error code 006-0612: https://files.catbox.moe/zt067x.jpg. While I can't test applying this patch to that router (I don't have admin privileges over that router), Nintendo's support page indicates that a less restrictive NAT type would solve this issue: https://en-americas-support.nintendo.com/app/answers/detail/a_id/25881/~/error-code%3A-006-0612

This is just the first pass, I need to take a closer look at the core changes, but that won't be today.

It also looks like there are bits of the patch missing. I get this build error (which I've not investigated further):

/usr/src/sys/netpfil/pf/pf_lb.c:239:4: error: use of undeclared identifier 'udp_mapping'
  239 |                 *udp_mapping = pf_udp_mapping_find(&udp_source);
      |                  ^
/usr/src/sys/netpfil/pf/pf_lb.c:240:8: error: use of undeclared identifier 'udp_mapping'
  240 |                 if (*udp_mapping) {
      |                      ^
/usr/src/sys/netpfil/pf/pf_lb.c:241:22: error: use of undeclared identifier 'udp_mapping'
  241 |                         PF_ACPY(naddr, &(*udp_mapping)->endpoints[1].addr, af);
      |                                           ^
/usr/src/sys/netpfil/pf/pf_lb.c:242:15: error: use of undeclared identifier 'udp_mapping'
  242 |                         *nport = (*udp_mapping)->endpoints[1].port;
      |                                    ^
/usr/src/sys/netpfil/pf/pf_lb.c:249:5: error: use of undeclared identifier 'udp_mapping'
  249 |                         *udp_mapping = pf_udp_mapping_create(af, saddr, sport, &init_addr, 0);
      |                          ^
/usr/src/sys/netpfil/pf/pf_lb.c:250:9: error: use of undeclared identifier 'udp_mapping'
  250 |                         if (*udp_mapping == NULL)
      |                              ^
/usr/src/sys/netpfil/pf/pf_lb.c:312:8: error: use of undeclared identifier 'udp_mapping'
  312 |                                         (*udp_mapping)->endpoints[1].port = htons(low);
      |                                           ^
/usr/src/sys/netpfil/pf/pf_lb.c:313:33: error: use of undeclared identifier 'udp_mapping'
  313 |                                         if (pf_udp_mapping_insert(*udp_mapping) == 0) {
      |                                                                    ^
/usr/src/sys/netpfil/pf/pf_lb.c:337:8: error: use of undeclared identifier 'udp_mapping'
  337 |                                         (*udp_mapping)->endpoints[1].port = htons(tmp);
      |                                           ^
/usr/src/sys/netpfil/pf/pf_lb.c:338:33: error: use of undeclared identifier 'udp_mapping'
  338 |                                         if (pf_udp_mapping_insert(*udp_mapping) == 0) {
      |                                                                    ^
/usr/src/sys/netpfil/pf/pf_lb.c:354:8: error: use of undeclared identifier 'udp_mapping'
  354 |                                         (*udp_mapping)->endpoints[1].port = htons(tmp);
      |                                           ^
/usr/src/sys/netpfil/pf/pf_lb.c:355:33: error: use of undeclared identifier 'udp_mapping'
  355 |                                         if (pf_udp_mapping_insert(*udp_mapping) == 0) {
      |                                                                    ^
12 errors generated.
Building /usr/obj/usr/src/amd64.amd64/sys/GENERIC/modules/usr/src/sys/modules/plip/plip.ko.full
*** [pf_lb.o] Error code 1

Also, the test case fails for me with failed: server1 did not receive connection from client.

The test case still fails for me, once we get that and some silly whitespace remarks fixed I think this will be ready.

In the commit message, there is no info about MFC. Are there any plans to MFC this to stable/14?