D22631.id65119.diff
Index: sys/modules/ipfw_nat64/Makefile
===================================================================
--- sys/modules/ipfw_nat64/Makefile
+++ sys/modules/ipfw_nat64/Makefile
@@ -7,6 +7,7 @@
SRCS+= nat64clat.c nat64clat_control.c
SRCS+= nat64lsn.c nat64lsn_control.c
SRCS+= nat64stl.c nat64stl_control.c
+SRCS+= opt_ipstealth.h
CFLAGS+= -I${SRCTOP}/sys/contrib/ck/include
Index: sys/netpfil/ipfw/nat64/nat64_translate.c
===================================================================
--- sys/netpfil/ipfw/nat64/nat64_translate.c
+++ sys/netpfil/ipfw/nat64/nat64_translate.c
@@ -29,6 +29,8 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_ipstealth.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/counter.h>
@@ -92,14 +94,21 @@
struct nat64_methods {
nat64_output_t output;
nat64_output_one_t output_one;
+ const bool stealth;
};
static const struct nat64_methods nat64_netisr = {
.output = nat64_output,
- .output_one = nat64_output_one
+ .output_one = nat64_output_one,
+ .stealth = true, /* forwarding code will decrement TTL/HLIM */
};
static const struct nat64_methods nat64_direct = {
.output = nat64_direct_output,
- .output_one = nat64_direct_output_one
+ .output_one = nat64_direct_output_one,
+#ifdef IPSTEALTH
+ .stealth = true,
+#else
+ .stealth = false,
+#endif /* IPSTEALTH */
};
VNET_DEFINE_STATIC(const struct nat64_methods *, nat64out) = &nat64_netisr;
#define V_nat64out VNET(nat64out)
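Review bot: The new member is declared `const bool stealth;`, which qualifies the field itself and makes every non-const `struct nat64_methods` unassignable; both instances here are already `static const`, so the member-level qualifier adds nothing and `bool stealth;` is the cleaner form. The member also carries no comment, while the two call sites that used to explain the netisr case (lines 81 and 137) lost theirs, so the meaning of the flag is now documented nowhere; a member comment such as `/* true: the translator leaves TTL/HLIM untouched, the forwarding code (netisr) or the IPSTEALTH policy handles it */` would keep that rationale in one place.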
@@ -486,8 +495,7 @@
ip->ip_tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
ip->ip_len = htons(sizeof(*ip) + plen);
ip->ip_ttl = ip6->ip6_hlim;
- /* Forwarding code will decrement TTL for netisr based output. */
- if (V_nat64out == &nat64_direct)
+ if (V_nat64out->stealth == false)
ip->ip_ttl -= IPV6_HLIMDEC;
ip->ip_sum = 0;
ip->ip_p = (proto == IPPROTO_ICMPV6) ? IPPROTO_ICMP: proto;
@@ -646,6 +654,21 @@
"ICMPv6 errors");
goto freeit;
}
+ /*
+ * If there are extra headers between IPv6 and ICMPv6,
+ * strip off that header.
+ */
+ if (len > sizeof(struct ip6_hdr)) {
+ /*
+ * NOTE: ipfw_chk already did m_pullup() and it is
+ * expected that data is contigious from the start
+ * of IPv6 header up to the end of ICMPv6 header.
+ */
+ bcopy(mtod(m, caddr_t),
+ mtodo(m, len - sizeof(struct ip6_hdr)),
+ sizeof(struct ip6_hdr));
+ m_adj(m, len - sizeof(struct ip6_hdr));
+ }
}
/*
if (icmp6_ratelimit(&ip6->ip6_src, type, code))
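Review bot: The IPv6 header moved by `bcopy()` keeps its original `ip6_nxt` and `ip6_plen`, so after `m_adj()` the packet begins with a header whose next-header still names the stripped extension header and whose payload length still counts its bytes; unless that is corrected outside the hunk, the reflected error quotes an inconsistent header. Any `struct ip6_hdr *` obtained from `mtod(m, ...)` before this block is also stale after `m_adj()`, and when the stripped header is shorter than 40 bytes the overlapping copy overwrites part of the bytes such a pointer refers to; if the `ip6->ip6_src`/`ip6_dst` reads at lines 116–121 go through a pointer taken earlier, refresh it with `ip6 = mtod(m, struct ip6_hdr *);` directly after `m_adj()`. The contiguity assumption recorded in the NOTE could be enforced in debug builds with `KASSERT(m->m_len >= len, ("ICMPv6 header not contiguous"));` rather than relying on the comment alone (the comment also misspells "contiguous"). The enclosing function starts and ends outside the hunk.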
@@ -687,7 +710,16 @@
n->m_len = n->m_pkthdr.len = sizeof(struct ip6_hdr) + plen;
oip6 = mtod(n, struct ip6_hdr *);
- oip6->ip6_src = ip6->ip6_dst;
+ /*
+ * Make IPv6 source address selection for reflected datagram.
+ * nat64_check_ip6() doesn't allow scoped addresses, therefore
+ * we use zero scopeid.
+ */
+ if (in6_selectsrc_addr(M_GETFIB(n), &ip6->ip6_src, 0,
+ n->m_pkthdr.rcvif, &oip6->ip6_src, NULL) != 0) {
+ /* Use original destination address as fallback */
+ oip6->ip6_src = ip6->ip6_dst;
+ }
oip6->ip6_dst = ip6->ip6_src;
oip6->ip6_nxt = IPPROTO_ICMPV6;
oip6->ip6_flow = 0;
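Review bot: `in6_selectsrc_addr()` is given `M_GETFIB(n)` and `n->m_pkthdr.rcvif` from the newly built mbuf `n`, but the hunk does not show `n`'s packet header being copied from `m`; if it is not (for example via `m_move_pkthdr()` earlier in the function), the lookup presumably runs with FIB 0 and a NULL interface rather than the FIB and interface of the original datagram, which can change the selected source address. Stating that expectation in the comment, e.g. `/* n's pkthdr (fibnum, rcvif) must already have been taken over from m. */`, would make the dependency visible. The enclosing function starts and ends outside the hunk.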
@@ -1182,7 +1214,7 @@
ip = mtod(m, struct ip*);
- if (ip->ip_ttl <= IPTTLDEC) {
+ if (V_nat64out->stealth == false && ip->ip_ttl <= IPTTLDEC) {
nat64_icmp_reflect(m, ICMP_TIMXCEED,
ICMP_TIMXCEED_INTRANS, 0, &cfg->stats, logdata);
return (NAT64RETURN);
@@ -1229,8 +1261,7 @@
ip6.ip6_flow = htonl(ip->ip_tos << 20);
ip6.ip6_vfc |= IPV6_VERSION;
ip6.ip6_hlim = ip->ip_ttl;
- /* Forwarding code will decrement TTL for netisr based output. */
- if (V_nat64out == &nat64_direct)
+ if (V_nat64out->stealth == false)
ip6.ip6_hlim -= IPTTLDEC;
ip6.ip6_plen = htons(plen);
ip6.ip6_nxt = (proto == IPPROTO_ICMP) ? IPPROTO_ICMPV6: proto;
@@ -1533,7 +1564,7 @@
return (NAT64MFREE);
}
- if (ip6->ip6_hlim <= IPV6_HLIMDEC) {
+ if (nat64out->stealth == false && ip6->ip6_hlim <= IPV6_HLIMDEC) {
nat64_icmp6_reflect(m, ICMP6_TIME_EXCEEDED,
ICMP6_TIME_EXCEED_TRANSIT, 0, &cfg->stats, logdata);
return (NAT64RETURN);
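Review bot: Line 145 reads `nat64out->stealth` while the equivalent checks at lines 127 and 137 use `V_nat64out->stealth`; `nat64out` is defined through `VNET_DEFINE_STATIC` (line 73), whose symbol name is mangled in kernels built with VIMAGE, so unless the enclosing function declares a local named `nat64out` this line compiles only in non-VIMAGE builds. Use `if (V_nat64out->stealth == false && ip6->ip6_hlim <= IPV6_HLIMDEC) {` here for consistency with the other two sites. The enclosing function starts and ends outside the hunk.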
D22631: Use IPv6 SAS algorithm for reflected ICMPv6 datagrams in NAT64