
[RFC/RFT] NPTv6 (network prefix translation for IPv6) module for ipfw
ClosedPublic

Authored by ae on May 17 2016, 11:33 AM.

Details

Summary

This patch adds the ipfw_nptv6(4) module with an NPTv6 implementation (RFC 6296) that works together with ipfw.
The module is implemented as an ipfw external action module. When it is loaded, it registers as an eaction and can be used in rules.
The usage pattern is similar to ipfw_nat(4). All traffic matched by the rule goes to the NPT module.
A user can create an NPT instance with the ipfw nptv6 NAME create opts command. Then this instance can be used in ipfw rules.

# ipfw nptv6 NPT create int_prefix FD01:0203:0405:: ext_prefix 2001:0DB8:0001:: prefixlen 48
# ipfw add allow icmp6 from any to any icmp6types 135,136
# ipfw add nptv6 NPT ip6 from any to any
Test Plan

We will use and test it in the near future, but currently I have done only basic tests.
I configured IPv6 via tunnelbroker.net:

     [ Internet ]
          ^
          |
   [ tunnelbroker ]
  2001:470:7ad7::/48
2001:470:1f14:7bf::1/64
          ^
          |
2001:470:1f14:7bf::2/64 gif0
     [ NPT Host ]
  fd00:dead:c0de::1/48  em0
          ^
          |
  fd00:dead:c0de::2/48  em0
    [ Client Host ]

NPT configs:

route add -6 default 2001:470:1f15:7bf::1

# ipfw nptv6 all list
nptv6 NPT int_prefix fd00:dead:c0de:: ext_prefix 2001:470:7ad7:: prefixlen 48
# ipfw show
00100     0       0 allow ipv6-icmp from any to any icmp6types 135,136
00200  7097 2965601 nptv6 NPT ip6 from any to any 
65535 29757 7630936 allow ip from any to any

Client configs:

# route add -6 default fd00:dead:c0de::1
# ping6 www.freebsd.org

On the NPT Host:

# tcpdump -ni em0 ip6
15:47:56.904218 IP6 fd00:dead:c0de::2 > 2001:1900:2254:206a::50:0: ICMP6, echo request, seq 0, length 16
15:47:57.117328 IP6 2001:1900:2254:206a::50:0 > fd00:dead:c0de::2: ICMP6, echo reply, seq 0, length 16
15:50:07.032047 IP6 2a02:6b8:0:204::1 > fd00:dead:c0de::2: ICMP6, echo request, seq 0, length 16
15:50:07.032414 IP6 fd00:dead:c0de::2 > 2a02:6b8:0:204::1: ICMP6, echo reply, seq 0, length 16

# tcpdump -ni gif0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 262144 bytes
15:47:56.904259 IP6 2001:470:7ad7:fd44::2 > 2001:1900:2254:206a::50:0: ICMP6, echo request, seq 0, length 16
15:47:57.117312 IP6 2001:1900:2254:206a::50:0 > 2001:470:7ad7:fd44::2: ICMP6, echo reply, seq 0, length 16
15:50:07.032022 IP6 2a02:6b8:0:204::1 > 2001:470:7ad7:fd44::2: ICMP6, echo request, seq 0, length 16
15:50:07.032428 IP6 2001:470:7ad7:fd44::2 > 2a02:6b8:0:204::1: ICMP6, echo reply, seq 0, length 16

From Internet:

# ping6 2001:470:7ad7:fd44::2

Also, I tried to open www.freebsd.org, www.google.com and ipv6-test.com from the Client. All worked.
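The test plan above shows the client address fd00:dead:c0de::2 leaving gif0 as 2001:470:7ad7:fd44::2. The subnet word fd44 is not arbitrary: RFC 6296 chooses it so that the one's complement sum of the address, and with it every TCP, UDP and ICMPv6 checksum that covers the address, stays the same, which is what lets the translator remain stateless and leave transport headers untouched. The following C program is an added example written for this page, not code from the ipfw_nptv6(4) module. It implements the mapping as I read RFC 6296 (the adjustment goes into the subnet word for /48 and shorter prefixes and into the first non-0xFFFF interface-identifier word for longer ones; a result of 0xFFFF is stored as 0x0000; an address whose target word is already 0xFFFF is dropped as unmappable), reproduces the test-plan addresses, and checks that the mapping is checksum neutral and reversible. The prefixes and the client address are the ones from the test plan; the /56 prefix pair used as a second input in the note below is constructed, and the function names are my own.

```c
/* RFC 6296 checksum-neutral prefix translation: an added example for this
 * page, not the ipfw_nptv6(4) module's own code. */
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

enum { NPTV6_OK = 0, NPTV6_NOMATCH = -1, NPTV6_DROP = -2 };

/* RFC 1071 one's complement sum of n 16-bit words, folded to 16 bits. */
static uint16_t ones_sum(const uint16_t *w, int n)
{
    uint32_t s = 0;
    for (int i = 0; i < n; i++) s += w[i];
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Textual IPv6 address -> eight host-order 16-bit words; 0 on success. */
static int load(const char *s, uint16_t w[8])
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, s, &a) != 1) return -1;
    for (int i = 0; i < 8; i++)
        w[i] = (uint16_t)((a.s6_addr[2 * i] << 8) | a.s6_addr[2 * i + 1]);
    return 0;
}

/* Bits of word i (0..3) that a /plen prefix covers. */
static uint16_t pmask(int plen, int i)
{
    int bits = plen - 16 * i;
    return bits <= 0 ? 0 : bits >= 16 ? 0xffff : (uint16_t)(0xffff << (16 - bits));
}

/* Sum of the eight address words as a pseudo-header checksum sees them;
 * 0xFFFF is reported as 0 since both encode zero in one's complement. */
uint16_t addr_sum(const uint16_t a[8])
{
    uint16_t s = ones_sum(a, 8);
    return s == 0xffff ? 0 : s;
}

/* Rewrite a[] in place from prefix from[] to prefix to[] (both /plen, 16..64). */
int nptv6_translate(const uint16_t from[8], const uint16_t to[8], int plen, uint16_t a[8])
{
    uint16_t pf[4], pt[4], adj, res;
    int idx;
    for (int i = 0; i < 4; i++) {            /* a[] must lie under from[] */
        uint16_t m = pmask(plen, i);
        if ((a[i] & m) != (from[i] & m)) return NPTV6_NOMATCH;
        pf[i] = from[i] & m;
        pt[i] = to[i] & m;
    }
    /* Word that absorbs the adjustment: the subnet word for /48 and shorter
     * (RFC 6296 3.2), else the first IID word that is not 0xFFFF (3.3).  A
     * 0xFFFF word equals 0x0000 in one's complement and could not be mapped
     * back unambiguously, so such a packet is dropped instead. */
    if (plen <= 48)
        idx = 3;
    else
        for (idx = 4; idx < 8 && a[idx] == 0xffff; idx++)
            ;
    if (idx == 8 || a[idx] == 0xffff) return NPTV6_DROP;
    /* adj = sum(internal prefix) - sum(external prefix): adding it to one
     * word leaves the sum over the whole address, and so every transport
     * checksum covering the address, unchanged. */
    adj = ones_sum((uint16_t[]){ ones_sum(pf, 4), (uint16_t)~ones_sum(pt, 4) }, 2);
    res = ones_sum((uint16_t[]){ a[idx], adj }, 2);
    if (res == 0xffff) res = 0;              /* store negative zero as 0x0000 */
    for (int i = 0; i < 4; i++)
        a[i] = (a[i] & ~pmask(plen, i)) | (to[i] & pmask(plen, i));
    a[idx] = res;
    return NPTV6_OK;
}

/* Text front end: translated address in a static buffer; NULL if no match or dropped. */
const char *nptv6_translate_str(const char *from, const char *to, int plen, const char *addr)
{
    static char buf[INET6_ADDRSTRLEN];
    uint16_t f[8], t[8], a[8], n[8];
    if (load(from, f) || load(to, t) || load(addr, a) ||
        nptv6_translate(f, t, plen, a) != NPTV6_OK)
        return NULL;
    for (int i = 0; i < 8; i++) n[i] = htons(a[i]);   /* back to wire order */
    return inet_ntop(AF_INET6, n, buf, sizeof(buf));
}

/* Out and back: 1 if the forward mapping keeps the address sum and the reverse
 * mapping restores the original address, else 0. */
int nptv6_roundtrip_ok(const char *in_pfx, const char *ex_pfx, int plen, const char *addr)
{
    uint16_t ip[8], ep[8], orig[8], cur[8];
    if (load(in_pfx, ip) || load(ex_pfx, ep) || load(addr, orig)) return 0;
    memcpy(cur, orig, sizeof(cur));
    return nptv6_translate(ip, ep, plen, cur) == NPTV6_OK &&
           addr_sum(cur) == addr_sum(orig) &&
           nptv6_translate(ep, ip, plen, cur) == NPTV6_OK &&
           memcmp(cur, orig, sizeof(cur)) == 0;
}
```

Calling nptv6_translate_str("fd00:dead:c0de::", "2001:470:7ad7::", 48, "fd00:dead:c0de::2") yields the 2001:470:7ad7:fd44::2 seen on gif0, and the reverse call maps it back (the reverse sum lands on 0xFFFF, which is why the 0xFFFF-to-0x0000 rule matters). The same code handles the longer-prefix case in RFC 6296 section 3.3, for example the constructed pair fd00:dead:c0de:1200::/56 and 2001:db8:1:3400::/56, where the adjustment moves into the interface identifier, which is the case hrs's prefixlen comment below is concerned with from the configuration side. nptv6_roundtrip_ok is the check a practitioner wants before trusting a translator: address sum preserved, and the mapping is its own inverse.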

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

ae updated this revision to Diff 16467. May 17 2016, 11:33 AM
ae retitled this revision to [RFC/RFT] NPTv6 (network prefix translation for IPv6) module for ipfw.
ae updated this object.
ae edited the test plan for this revision.
ae updated this object. May 17 2016, 2:54 PM
ae edited the test plan for this revision.
ae added reviewers: network, bz, hrs.
ae updated this revision to Diff 16471. May 17 2016, 2:57 PM

Use ipfw_check_object_name() and add patch to man page.

ae updated this revision to Diff 16472. May 17 2016, 2:58 PM
ae edited edge metadata.

Restore sys/modules that was lost in the last update.

hrs edited edge metadata. May 17 2016, 11:57 PM

Excellent! Thank you for your work. I will review and test it.

hrs added a reviewer: ume. May 19 2016, 12:38 PM
hrs added a comment. Jun 9 2016, 7:13 PM

I am still reviewing this and your NAT64 patch and probably I will be able to get back on Monday.

hrs added inline comments. Jun 9 2016, 8:01 PM
sbin/ipfw/ipfw.8
2937 ↗(On Diff #16472)

I would like to add the following:

"Note that the prefix translation rules are silently ignored when IPv6 packet forwarding is disabled. To enable the packet forwarding, set the sysctl variable net.inet6.ip6.forwarding to 1."

sbin/ipfw/nptv6.c
214 ↗(On Diff #16472)

prefixlen handling looks a bit confusing to me, and it seems that p is not initialized. Does a prefixlen modifier with no /nn specification really work?

I tried to fix it by using this patch: https://people.allbsd.org/~hrs/FreeBSD/nptv6.c.20160610-1.diff I think using the longest prefix among the three possible ways to configure it is most consistent.

sys/netpfil/ipfw/nptv6/nptv6.c
811 ↗(On Diff #16472)

This assert may cause a panic upon kldunload because the callback function comes after ipfw_del_eaction(). Although generally speaking it is not safe to destroy a named object without a write-lock, I think we can drop this here if this is called only after ipfw_del_eaction().

hrs added inline comments. Jun 9 2016, 8:04 PM
sbin/ipfw/ipfw.8
116 ↗(On Diff #16472)

A trailing whitespace :)

ae added inline comments. Jun 10 2016, 9:03 AM
sys/netpfil/ipfw/nptv6/nptv6.c
811 ↗(On Diff #16472)

I think this can be fixed if we just take IPFW_UH_WLOCK() in nptv6_uninit() while calling callback to protect from configuration change.

ae updated this revision to Diff 17596. Jun 15 2016, 12:28 PM

Update NPTv6 implementation to resolve found issues

o Add a note about net.inet6.ip6.forwarding
o Fix locking issue in nptv6_uninit().
o Fix prefixes handling in ipfw(8).
o Move macro definitions to the top of file.
o Make V_nptv6_eid static and move it into nptv6.c.

ae marked 5 inline comments as done. Jun 15 2016, 12:29 PM
ae edited the test plan for this revision. Jun 15 2016, 12:54 PM
ae edited edge metadata.
ae edited the test plan for this revision. Jun 15 2016, 1:05 PM
bz edited edge metadata. Jun 15 2016, 1:33 PM

I haven't looked at the code; my only comment currently is: why does it have to be ipfw specific? Could this be "library code" that could be an independent pfil module and be used from pf as well?

ae added a comment. Jun 15 2016, 1:40 PM
In D6420#143812, @bz wrote:

I haven't looked at the code; my only comment currently is: why does it have to be ipfw specific? Could this be "library code" that could be an independent pfil module and be used from pf as well?

It is because we use ipfw(4) :)
The code that does the translation is small, just several small functions, so it can be moved to some library. Probably we will adapt it for use with netmap/DPDK in the near future.

ae updated this object. Jun 15 2016, 1:50 PM
ae edited the test plan for this revision.
ae edited edge metadata.
ae added a comment. Jul 14 2016, 3:55 PM

So, are there any objections to this?

hrs accepted this revision. Jul 15 2016, 5:20 PM
hrs edited edge metadata.

No objection from me. Thank you for your good work!

This revision is now accepted and ready to land. Jul 15 2016, 5:20 PM
This revision was automatically updated to reflect the committed changes.