Details

Reviewers

hrs
bz
ume

Group Reviewers

network
manpages

Commits

rS303012: Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6

Summary

This patch adds ipfw_nptv6(4) module with NPTv6 implementation (RFC 6296) that works together with ipfw.
The module implemented as ipfw's external action module. When it is loaded, it registers as eaction and can be used in rules.
The usage pattern is similar to ipfw_nat(4). All matched by rule traffic goes to the NPT module.
User can create NPT instance with ipfw nptv6 NAME create opts command. Then this instance can be used in ipfw's rules.

# ipfw nptv6 NPT create int_prefix FD01:0203:0405:: ext_prefix 2001:0DB8:0001:: prefixlen 48
# ipfw add allow icmp6 from any to any icmp6types 135,136
# ipfw add nptv6 NPT ip6 from any to any

Test Plan

We will use and test it in near future, but currently I did only basic tests.
I configured IPv6 via tunnelbroker.net:

     [ Internet ]
          ^
          |
   [ tunnelbroker ]
  2001:470:7ad7::/48
2001:470:1f14:7bf::1/64
          ^
          |
2001:470:1f14:7bf::2/64 gif0
     [ NPT Host ]
  fd00:dead:c0de::1/48  em0
          ^
          |
  fd00:dead:c0de::2/48  em0
    [ Client Host ]

NPT configs:

route add -6 default 2001:470:1f15:7bf::1

# ipfw nptv6 all list
nptv6 NPT int_prefix fd00:dead:c0de:: ext_prefix 2001:470:7ad7:: prefixlen 48
# ipfw show
00100     0       0 allow ipv6-icmp from any to any icmp6types 135,136
00200  7097 2965601 nptv6 NPT ip6 from any to any 
65535 29757 7630936 allow ip from any to any

Client configs:

# route add -6 default fd00:dead:c0de::1
# ping6 www.freebsd.org

On the NTP Host:

# tcpdump -ni em0 ip6
15:47:56.904218 IP6 fd00:dead:c0de::2 > 2001:1900:2254:206a::50:0: ICMP6, echo request, seq 0, length 16
15:47:57.117328 IP6 2001:1900:2254:206a::50:0 > fd00:dead:c0de::2: ICMP6, echo reply, seq 0, length 16
15:50:07.032047 IP6 2a02:6b8:0:204::1 > fd00:dead:c0de::2: ICMP6, echo request, seq 0, length 16
15:50:07.032414 IP6 fd00:dead:c0de::2 > 2a02:6b8:0:204::1: ICMP6, echo reply, seq 0, length 16

# tcpdump -ni gif0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 262144 bytes
15:47:56.904259 IP6 2001:470:7ad7:fd44::2 > 2001:1900:2254:206a::50:0: ICMP6, echo request, seq 0, length 16
15:47:57.117312 IP6 2001:1900:2254:206a::50:0 > 2001:470:7ad7:fd44::2: ICMP6, echo reply, seq 0, length 16
15:50:07.032022 IP6 2a02:6b8:0:204::1 > 2001:470:7ad7:fd44::2: ICMP6, echo request, seq 0, length 16
15:50:07.032428 IP6 2001:470:7ad7:fd44::2 > 2a02:6b8:0:204::1: ICMP6, echo reply, seq 0, length 16

From Internet:

# ping6 2001:470:7ad7:fd44::2

Also I tried to open www.freebsd.org, www.google.com, ipv6-test.com from Client. All worked.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

ae updated this revision to Diff 16467.May 17 2016, 11:33 AM

ae retitled this revision from to [RFC/RFT] NPTv6 (network prefix translation for IPv6) module for ipfw.

ae updated this object.

ae edited the test plan for this revision. (Show Details)

Herald added a subscriber: imp. · View Herald TranscriptMay 17 2016, 11:33 AM

ae updated this object.May 17 2016, 2:54 PM

ae edited the test plan for this revision. (Show Details)

ae added reviewers: network, bz, hrs.

Use ipfw_check_object_name() and add patch to man page.

Herald added a reviewer: manpages. · View Herald TranscriptMay 17 2016, 2:57 PM

Restore sys/modules that was lost in the last update.

Herald edited edge metadata. · View Herald TranscriptMay 17 2016, 2:58 PM

Excellent! Thank you for your work. I will review and test it.

hrs added a reviewer: ume.May 19 2016, 12:38 PM

I am still reviewing this and your NAT64 patch and probably I will be able to get back on Monday.

hrs added inline comments.Jun 9 2016, 8:01 PM

sbin/ipfw/ipfw.8
2937 ↗	(On Diff #16472)	I like to add the following: "Note that the prefix translation rules are silently ignored when IPv6 packet forwarding is disabled. To enable the packet forwarding, set the sysctl variable net.inet6.ip6.forwarding to 1."
sbin/ipfw/nptv6.c
214 ↗	(On Diff #16472)	prefixlen handling looks a bit confusing for me, and it seems that p is not initialized. Does a prefixlen modifier with no /nn specification really work? I tried to fix it by using this patch: https://people.allbsd.org/~hrs/FreeBSD/nptv6.c.20160610-1.diff I think using the longest prefix in the three possible ways to configure is most consistent.
sys/netpfil/ipfw/nptv6/nptv6.c
811 ↗	(On Diff #16472)	This assert may cause a panic upon kldunload because the callback function comes after ipfw_del_eaction(). Although generally speaking it is not safe to destroy a named object without a write-lock, I think we can drop this here if this is called only after ipfw_del_eaction().

hrs added inline comments.Jun 9 2016, 8:04 PM

sbin/ipfw/ipfw.8
116 ↗	(On Diff #16472)	A trailing whitespace :)

ae added inline comments.Jun 10 2016, 9:03 AM

sys/netpfil/ipfw/nptv6/nptv6.c
811 ↗	(On Diff #16472)	I think this can be fixed if we just take IPFW_UH_WLOCK() in nptv6_uninit() while calling callback to protect from configuration change.

Update NPTv6 implementation to resolve found issues

o Add a note about net.inet6.ip6.forwarding
o Fix locking issue in nptv6_uninit().
o Fix prefixes handling in ipfw(8).
o Move macro definitions to the top of file.
o Make V_nptv6_eid static and move it into nptv6.c.

Herald edited edge metadata. · View Herald TranscriptJun 15 2016, 12:28 PM

ae marked 5 inline comments as done.Jun 15 2016, 12:29 PM

ae edited the test plan for this revision. (Show Details)Jun 15 2016, 12:54 PM

ae edited edge metadata.

ae edited the test plan for this revision. (Show Details)Jun 15 2016, 1:05 PM

I haven;t looked at the code; my only comment currently is: why does it have to be ipfw specific; could this be "library code" that could be an independent pfil module, be used from pf as well?

In D6420#143812, @bz wrote:

I haven;t looked at the code; my only comment currently is: why does it have to be ipfw specific; could this be "library code" that could be an independent pfil module, be used from pf as well?

It is because we use ipfw(4) :)
The code that does translation is small - just several small functions. So it can be moved to some library. Probably we will adopt it to use with netmap/DPDK in some near future.

ae updated this object.Jun 15 2016, 1:50 PM

ae edited the test plan for this revision. (Show Details)

ae edited edge metadata.

So, are there any objections on this?

No objection from me. Thank you for your good work!

This revision is now accepted and ready to land.Jul 15 2016, 5:20 PM

Closed by commit rS303012: Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6 (authored by ae). · Explain WhyJul 18 2016, 7:46 PM

This revision was automatically updated to reflect the committed changes.

[RFC/RFT] NPTv6 (network prefix translation for IPv6) module for ipfw
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 18520

head/sbin/ipfw/Makefile

head/sbin/ipfw/ipfw.8

head/sbin/ipfw/ipfw2.h

head/sbin/ipfw/ipfw2.c

head/sbin/ipfw/main.c

head/sbin/ipfw/nptv6.c

head/sys/conf/NOTES

head/sys/conf/files

head/sys/conf/options

head/sys/modules/Makefile

head/sys/modules/ipfw_nptv6/Makefile

head/sys/netinet/ip_fw.h

head/sys/netinet6/ip_fw_nptv6.h

head/sys/netpfil/ipfw/nptv6/ip_fw_nptv6.c

head/sys/netpfil/ipfw/nptv6/nptv6.h

head/sys/netpfil/ipfw/nptv6/nptv6.c

[RFC/RFT] NPTv6 (network prefix translation for IPv6) module for ipfwClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 18520

head/sbin/ipfw/Makefile

head/sbin/ipfw/ipfw.8

head/sbin/ipfw/ipfw2.h

head/sbin/ipfw/ipfw2.c

head/sbin/ipfw/main.c

head/sbin/ipfw/nptv6.c

head/sys/conf/NOTES

head/sys/conf/files

head/sys/conf/options

head/sys/modules/Makefile

head/sys/modules/ipfw_nptv6/Makefile

head/sys/netinet/ip_fw.h

head/sys/netinet6/ip_fw_nptv6.h

head/sys/netpfil/ipfw/nptv6/ip_fw_nptv6.c

head/sys/netpfil/ipfw/nptv6/nptv6.h

head/sys/netpfil/ipfw/nptv6/nptv6.c

[RFC/RFT] NPTv6 (network prefix translation for IPv6) module for ipfw
ClosedPublic
Actions

Revision Contents
Changeset List