This patch adds to ipfw_nat64 module NAT64 CLAT implementation as defined in RFC6877.
CLAT is customer-side translator that algorithmically translates 1:1 private IPv4 addresses to global IPv6 addresses, and vice versa. It can be used to provide access for IPv4 clients to IPv6 network. Together with PLAT translator (nat64lsn can be used for this purpose) CLAT can provide access for IPv4 host to IPv4 Internet via IPv6-only network.
464XLAT Overview at juniper
The another part of patch modifies existing NAT64LSN. This module is changed to be able support large number of states. Also, it moved to use CK and epoch(9).
Details:
- sysctl net.inet.ip.fw.nat64_allow_private was removed. Now this option can be tuned for each NAT64 instance using allow_private option.
- NAT64 CLAT translator should be used in the same way, as stateless NAT64. First of nat64clat instance should be created, then it can be used in rules. nat64clat create command accepts two IPv6 prefixes, clat_prefix and plat_prefix, if plat_prefix is omitted IPv6 well-known prefix will be used.
- most of data structures of NAT64LSN and their relations were changed. Now ports groups are related to IPv4 alias addresses. Each supported protocol now has its own chain of ports groups. This allows use full ports range for each protocol for each alias address. Introduced states chunks for portgroups. States chunks allow use single alias address and port to keep several states. Chunks are chosen using hash from remote IPv4 address. Thus when single IPv6 host connects to several different host, single alias+port can be used to keep these states.
- CK and epoch(9) are used to make lockless lookup for existing states. Introduced several new bitmasks to speedup search.