sbin/ipfw/ipfw.8
[130 lines not shown]
.Brq Ar name | all | .Brq Ar name | all | ||||
.Brq Cm list | show | .Brq Cm list | show | ||||
.Nm | .Nm | ||||
.Oo Cm set Ar N Oc Cm nat64stl | .Oo Cm set Ar N Oc Cm nat64stl | ||||
.Brq Ar name | all | .Brq Ar name | all | ||||
.Cm destroy | .Cm destroy | ||||
.Nm | .Nm | ||||
.Oo Cm set Ar N Oc Cm nat64stl Ar name Cm stats Op Cm reset | .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm stats Op Cm reset | ||||
.Ss XLAT464 CLAT IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION | |||||
.Nm | |||||
.Oo Cm set Ar N Oc Cm nat64clat Ar name Cm create Ar create-options | |||||
.Nm | |||||
.Oo Cm set Ar N Oc Cm nat64clat Ar name Cm config Ar config-options | |||||
.Nm | |||||
.Oo Cm set Ar N Oc Cm nat64clat | |||||
.Brq Ar name | all | |||||
.Brq Cm list | show | |||||
.Nm | |||||
.Oo Cm set Ar N Oc Cm nat64clat | |||||
.Brq Ar name | all | |||||
.Cm destroy | |||||
.Nm | |||||
.Oo Cm set Ar N Oc Cm nat64clat Ar name Cm stats Op Cm reset | |||||
.Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION | .Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION | ||||
.Nm | .Nm | ||||
.Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options | .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options | ||||
.Nm | .Nm | ||||
.Oo Cm set Ar N Oc Cm nptv6 | .Oo Cm set Ar N Oc Cm nptv6 | ||||
.Brq Ar name | all | .Brq Ar name | all | ||||
.Brq Cm list | show | .Brq Cm list | show | ||||
.Nm | .Nm | ||||
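Review bot: the new synopsis block advertises a `.Oo Cm set Ar N Oc Cm nat64clat Ar name Cm config Ar config-options` form, but the CLAT subsection added later in this diff documents only `create` with `create-options`; either document the config form, state that it takes the same options as create, or drop it from the synopsis. The `.Ss` title here (`XLAT464 CLAT IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION`) also differs from the body subsection title (`XLAT464 CLAT translation`); `.Sx` cross-references are matched on the exact title, so use one name in both places. RFC 6877 calls the mechanism 464XLAT, not XLAT464.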
[772 lines not shown]
protocol translation): see the | protocol translation): see the | ||||
.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION | .Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION | ||||
Section for further information. | Section for further information. | ||||
.It Cm nat64stl Ar name | .It Cm nat64stl Ar name | ||||
Pass packet to a stateless NAT64 instance (for IPv6/IPv4 network address and | Pass packet to a stateless NAT64 instance (for IPv6/IPv4 network address and | ||||
protocol translation): see the | protocol translation): see the | ||||
.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION | .Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION | ||||
Section for further information. | Section for further information. | ||||
.It Cm nat64clat Ar name | |||||
Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and | |||||
protocol translation): see the | |||||
.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION | |||||
Section for further information. | |||||
.It Cm nptv6 Ar name | .It Cm nptv6 Ar name | ||||
Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation): | Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation): | ||||
see the | see the | ||||
.Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6) | .Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6) | ||||
Section for further information. | Section for further information. | ||||
.It Cm pipe Ar pipe_nr | .It Cm pipe Ar pipe_nr | ||||
Pass packet to a | Pass packet to a | ||||
.Nm dummynet | .Nm dummynet | ||||
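Review bot: the new line `Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and` runs past 80 columns, which the tree's mdoc style avoids; rewrap it. The `.Sx` target for the new item points at the top-level section, as the nat64lsn and nat64stl items do, but since this diff adds a dedicated CLAT subsection it would be more useful to point the reader there, making sure the `.Sx` text matches that subsection's title exactly.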
[2,340 lines not shown]
All may be changed dynamically, though the hash_table size will only | All may be changed dynamically, though the hash_table size will only | ||||
change for new | change for new | ||||
.Nm nat | .Nm nat | ||||
instances. | instances. | ||||
See | See | ||||
.Sx SYSCTL VARIABLES | .Sx SYSCTL VARIABLES | ||||
for more info. | for more info. | ||||
.Sh IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION | .Sh IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION | ||||
.Ss Stateful translation | |||||
.Nm | .Nm | ||||
supports in-kernel IPv6/IPv4 network address and protocol translation. | supports in-kernel IPv6/IPv4 network address and protocol translation. | ||||
Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers | Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers | ||||
using unicast TCP, UDP or ICMP protocols. | using unicast TCP, UDP or ICMP protocols. | ||||
One or more IPv4 addresses assigned to a stateful NAT64 translator are shared | One or more IPv4 addresses assigned to a stateful NAT64 translator are shared | ||||
among several IPv6-only clients. | among several IPv6-only clients. | ||||
When stateful NAT64 is used in conjunction with DNS64, no changes are usually | When stateful NAT64 is used in conjunction with DNS64, no changes are usually | ||||
required in the IPv6 client or the IPv4 server. | required in the IPv6 client or the IPv4 server. | ||||
The kernel module | The kernel module | ||||
.Cm ipfw_nat64 | .Cm ipfw_nat64 | ||||
should be loaded or kernel should have | should be loaded or kernel should have | ||||
.Cm options IPFIREWALL_NAT64 | .Cm options IPFIREWALL_NAT64 | ||||
to be able use stateful NAT64 translator. | to be able use stateful NAT64 translator. | ||||
.Pp | .Pp | ||||
Stateful NAT64 uses a bunch of memory for several types of objects. | Stateful NAT64 uses a bunch of memory for several types of objects. | ||||
When IPv6 client initiates connection, NAT64 translator creates a host entry | When IPv6 client initiates connection, NAT64 translator creates a host entry | ||||
in the states table. | with the states table. | ||||
Each host entry has a number of ports group entries allocated on demand. | Each host entry uses preallocated IPv4 alias entry. | ||||
Each alias entry has a number of ports group entries allocated on demand. | |||||
Ports group entries contains connection state entries. | Ports group entries contains connection state entries. | ||||
There are several options to control limits and lifetime for these objects. | There are several options to control limits and lifetime for these objects. | ||||
.Pp | .Pp | ||||
NAT64 translator follows RFC7915 when does ICMPv6/ICMP translation, | NAT64 translator follows RFC7915 when does ICMPv6/ICMP translation, | ||||
unsupported message types will be silently dropped. | unsupported message types will be silently dropped. | ||||
IPv6 needs several ICMPv6 message types to be explicitly allowed for correct | IPv6 needs several ICMPv6 message types to be explicitly allowed for correct | ||||
operation. | operation. | ||||
Make sure that ND6 neighbor solicitation (ICMPv6 type 135) and neighbor | Make sure that ND6 neighbor solicitation (ICMPv6 type 135) and neighbor | ||||
advertisement (ICMPv6 type 136) messages will not be handled by translation | advertisement (ICMPv6 type 136) messages will not be handled by translation | ||||
rules. | rules. | ||||
.Pp | .Pp | ||||
After translation NAT64 translator by default sends packets through | After translation NAT64 translator by default sends packets through | ||||
corresponding netisr queue. | corresponding netisr queue. | ||||
Thus translator host should be configured as IPv4 and IPv6 router. | Thus translator host should be configured as IPv4 and IPv6 router. | ||||
Also this means, that a packet is handled by firewall twice. | Also this means, that a packet is handled by firewall twice. | ||||
First time an original packet is handled and consumed by translator, | First time an original packet is handled and consumed by translator, | ||||
and then it is handled again as translated packet. | and then it is handled again as translated packet. | ||||
This behavior can be changed by sysctl variable | This behavior can be changed by sysctl variable | ||||
.Va net.inet.ip.fw.nat64_direct_output . | .Va net.inet.ip.fw.nat64_direct_output . | ||||
Also translated packet can be tagged using | |||||
.Cm tag | |||||
rule action, and then matched by | |||||
.Cm tagged | |||||
opcode to avoid loops and extra overhead. | |||||
.Pp | .Pp | ||||
The stateful NAT64 configuration command is the following: | The stateful NAT64 configuration command is the following: | ||||
.Bd -ragged -offset indent | .Bd -ragged -offset indent | ||||
.Bk -words | .Bk -words | ||||
.Cm nat64lsn | .Cm nat64lsn | ||||
.Ar name | .Ar name | ||||
.Cm create | .Cm create | ||||
.Ar create-options | .Ar create-options | ||||
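Review bot: the rewritten memory paragraph regresses `in the states table` to `with the states table`; keep `in`. The new sentence `Each host entry uses preallocated IPv4 alias entry.` needs an article and a one-line definition of an alias entry, since `states_chunks` below is described in terms of `single IPv4 alias address and port` and the reader has no other place to learn what an alias is. In the new tag/tagged paragraph, `Also translated packet can be tagged using` should read `the translated packet`, and a one-line example of a translator rule that sets a tag and the `tagged` check that skips it would make the loop-avoidance advice concrete, given the preceding lines explain that the packet traverses the firewall twice.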
[11 lines not shown]
in the states table will be dropped by translator. | in the states table will be dropped by translator. | ||||
Make sure that translation rules handle packets, destined to configured prefix. | Make sure that translation rules handle packets, destined to configured prefix. | ||||
.It Cm prefix6 Ar ipv6_prefix/length | .It Cm prefix6 Ar ipv6_prefix/length | ||||
The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator | The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator | ||||
to represent IPv4 addresses. This IPv6 prefix should be configured in DNS64. | to represent IPv4 addresses. This IPv6 prefix should be configured in DNS64. | ||||
The translator implementation follows RFC6052, that restricts the length of | The translator implementation follows RFC6052, that restricts the length of | ||||
prefixes to one of following: 32, 40, 48, 56, 64, or 96. | prefixes to one of following: 32, 40, 48, 56, 64, or 96. | ||||
The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long. | The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long. | ||||
.It Cm max_ports Ar number | The special | ||||
Maximum number of ports reserved for upper level protocols to one IPv6 client. | .Ar ::/length | ||||
All reserved ports are divided into chunks between supported protocols. | prefix can be used to handle several IPv6 prefixes with one NAT64 instance. | ||||
The number of connections from one IPv6 client is limited by this option. | The NAT64 instance will determine a destination IPv4 address from prefix | ||||
Note that closed TCP connections still remain in the list of connections until | .Ar length . | ||||
.Cm tcp_close_age | .It Cm states_chunks Ar number | ||||
interval will not expire. | The number of states chunks in single ports group. | ||||
Default value is | Each ports group by default can keep 64 state entries in single chunk. | ||||
.Ar 2048 . | The above value affects the maximum number of states that can be associated with single IPv4 alias address and port. | ||||
The value must be power of 2, and up to 128. | |||||
.It Cm host_del_age Ar seconds | .It Cm host_del_age Ar seconds | ||||
The number of seconds until the host entry for a IPv6 client will be deleted | The number of seconds until the host entry for a IPv6 client will be deleted | ||||
and all its resources will be released due to inactivity. | and all its resources will be released due to inactivity. | ||||
Default value is | Default value is | ||||
.Ar 3600 . | .Ar 3600 . | ||||
.It Cm pg_del_age Ar seconds | .It Cm pg_del_age Ar seconds | ||||
The number of seconds until a ports group with unused state entries will | The number of seconds until a ports group with unused state entries will | ||||
be released. | be released. | ||||
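Review bot: this hunk deletes the `max_ports` item, and with it the documented per-client connection limit, without saying whether the option is still accepted; if the new implementation rejects or ignores it, say so, since existing configurations use it. The new `::/length` wildcard widens which IPv6 destinations the instance treats as IPv4-embedded, so the existing warning `Make sure that translation rules handle packets, destined to configured prefix.` becomes the only thing scoping what gets translated; state explicitly that with `::/length` the rule's own destination match has to do that scoping. The `states_chunks` text also puts three sentences on one line well over 80 columns (`The above value affects the maximum number of states that can be associated with single IPv4 alias address and port.`); rewrap one sentence per line.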
[44 lines not shown]
.Ar ipfw0 | .Ar ipfw0 | ||||
interface. | interface. | ||||
Translators sends to BPF an additional information with each packet. | Translators sends to BPF an additional information with each packet. | ||||
With | With | ||||
.Cm tcpdump | .Cm tcpdump | ||||
you are able to see each handled packet before and after translation. | you are able to see each handled packet before and after translation. | ||||
.It Cm -log | .It Cm -log | ||||
Turn off logging of all handled packets via BPF. | Turn off logging of all handled packets via BPF. | ||||
.It Cm allow_private | |||||
Turn on processing private IPv4 addresses. By default IPv6 packets with | |||||
destinations mapped to private address ranges defined by RFC1918 are not | |||||
processed. | |||||
.It Cm -allow_private | |||||
Turn off private address handling in | |||||
.Nm nat64 | |||||
instance. | |||||
.El | .El | ||||
.El | |||||
.Pp | .Pp | ||||
To inspect a states table of stateful NAT64 the following command can be used: | To inspect a states table of stateful NAT64 the following command can be used: | ||||
.Bd -ragged -offset indent | .Bd -ragged -offset indent | ||||
.Bk -words | .Bk -words | ||||
.Cm nat64lsn | .Cm nat64lsn | ||||
.Ar name | .Ar name | ||||
.Cm show Cm states | .Cm show Cm states | ||||
.Ek | .Ek | ||||
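Review bot: the old side has two `.El` lines at the end of this option list and the new side keeps one; the matching `.Bl` lines are outside the visible context, so confirm the list nesting still balances (`mandoc -Tlint` will flag an unclosed or extra list). The new `allow_private` and `-allow_private` items refer to `.Nm nat64`, but this list documents the nat64lsn instance; name it. They also do not say how the per-instance flag interacts with the `net.inet.ip.fw.nat64_allow_private` sysctl added later in this diff (which one wins, and whether the sysctl is a default for new instances or a runtime global); one sentence here would settle that. `Turn on processing private IPv4 addresses. By default IPv6 packets with` starts a sentence mid-line; split it.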
[30 lines not shown]
.Ar table64 | .Ar table64 | ||||
contains mapping how IPv6 addresses should be translated to IPv4 addresses. | contains mapping how IPv6 addresses should be translated to IPv4 addresses. | ||||
.It Cm log | .It Cm log | ||||
Turn on logging of all handled packets via BPF through | Turn on logging of all handled packets via BPF through | ||||
.Ar ipfwlog0 | .Ar ipfwlog0 | ||||
interface. | interface. | ||||
.It Cm -log | .It Cm -log | ||||
Turn off logging of all handled packets via BPF. | Turn off logging of all handled packets via BPF. | ||||
.It Cm allow_private | |||||
Turn on processing private IPv4 addresses. By default IPv6 packets with | |||||
destinations mapped to private address ranges defined by RFC1918 are not | |||||
processed. | |||||
.It Cm -allow_private | |||||
Turn off private address handling in | |||||
.Nm nat64 | |||||
instance. | |||||
.El | .El | ||||
.Pp | .Pp | ||||
Note that the behavior of stateless translator with respect to not matched | Note that the behavior of stateless translator with respect to not matched | ||||
packets differs from stateful translator. | packets differs from stateful translator. | ||||
If corresponding addresses was not found in the lookup tables, the packet | If corresponding addresses was not found in the lookup tables, the packet | ||||
will not be dropped and the search continues. | will not be dropped and the search continues. | ||||
.Pp | |||||
.Pp | |||||
.Ss XLAT464 CLAT translation | |||||
XLAT464 CLAT NAT64 translator implements client-side stateless translation as | |||||
defined in RFC6877 and is very similar to statless NAT64 translator | |||||
explained above. Instead of lookup tables it uses one-to-one mapping | |||||
between IPv4 and IPv6 addresses using configured prefixes. | |||||
This mode can be used as a replacement of DNS64 service for applications | |||||
that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet | |||||
over IPv6-only networks with help of remote NAT64 translator. | |||||
.Pp | |||||
The CLAT NAT64 configuration command is the following: | |||||
.Bd -ragged -offset indent | |||||
.Bk -words | |||||
.Cm nat64clat | |||||
.Ar name | |||||
.Cm create | |||||
.Ar create-options | |||||
.Ek | |||||
.Ed | |||||
.Pp | |||||
The following parameters can be configured: | |||||
.Bl -tag -width indent | |||||
.It Cm clat_prefix Ar ipv6_prefix/length | |||||
The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator | |||||
to represent source IPv4 addresses. | |||||
.It Cm plat_prefix Ar ipv6_prefix/length | |||||
The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator | |||||
to represent destination IPv4 addresses. This IPv6 prefix should be configured | |||||
on a remote NAT64 translator. | |||||
.It Cm log | |||||
Turn on logging of all handled packets via BPF through | |||||
.Ar ipfwlog0 | |||||
interface. | |||||
.It Cm -log | |||||
Turn off logging of all handled packets via BPF. | |||||
.It Cm allow_private | |||||
Turn on processing private IPv4 addresses. By default | |||||
.Nm nat64clat | |||||
instance will not process IPv4 packets with destination address from private | |||||
ranges as defined in RFC1918. | |||||
.It Cm -allow_private | |||||
Turn off private address handling in | |||||
.Nm nat64clat | |||||
instance. | |||||
.El | |||||
.Pp | |||||
Note that the behavior of CLAT translator with respect to not matched | |||||
packets differs from stateful translator. | |||||
If corresponding addresses were not matched against prefixes configured, the packet | |||||
will not be dropped and the search continues. | |||||
.Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6) | .Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6) | ||||
.Nm | .Nm | ||||
supports in-kernel IPv6-to-IPv6 network prefix translation as described | supports in-kernel IPv6-to-IPv6 network prefix translation as described | ||||
in RFC6296. | in RFC6296. | ||||
The kernel module | The kernel module | ||||
.Cm ipfw_nptv6 | .Cm ipfw_nptv6 | ||||
should be loaded or kernel should has | should be loaded or kernel should has | ||||
.Cm options IPFIREWALL_NPTV6 | .Cm options IPFIREWALL_NPTV6 | ||||
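Review bot: `statless` in the new CLAT paragraph is a typo for `stateless`, and `XLAT464` should be `464XLAT`, the name RFC 6877 uses. The CLAT subsection never says which kernel module or kernel option provides it; the stateful section names `ipfw_nat64` / `options IPFIREWALL_NAT64` and the NPTv6 section names `ipfw_nptv6`, so add the equivalent line. For the nat64stl `-allow_private` item, `Turn off private address handling` is ambiguous next to the note just below that a stateless translator lets unmatched packets continue the search: say whether packets to RFC 1918 destinations are dropped or passed to the next rule, and name the instance `nat64stl` rather than `.Nm nat64`. Several new lines exceed 80 columns (`If corresponding addresses were not matched against prefixes configured, the packet`), and `explained above. Instead of lookup tables` starts a sentence mid-line; rewrap one sentence per line.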
[466 lines not shown]
.It Va net.link.ether.ipfw : No 0 | .It Va net.link.ether.ipfw : No 0 | ||||
Controls whether layer-2 packets are passed to | Controls whether layer-2 packets are passed to | ||||
.Nm . | .Nm . | ||||
Default is no. | Default is no. | ||||
.It Va net.link.bridge.ipfw : No 0 | .It Va net.link.bridge.ipfw : No 0 | ||||
Controls whether bridged packets are passed to | Controls whether bridged packets are passed to | ||||
.Nm . | .Nm . | ||||
Default is no. | Default is no. | ||||
.It Va net.inet.ip.fw.nat64_allow_private : No 0 | |||||
Defines how | |||||
.Nm nat64 | |||||
handles private IPv4 addresses: | |||||
.Bl -tag -width indent | |||||
.It Cm 0 | |||||
Packets with private IPv4 will not be handled by translator | |||||
.It Cm 1 | |||||
Translator will accept and process packets with private IPv4 addresses. | |||||
.El | |||||
.It Va net.inet.ip.fw.nat64_debug : No 0 | .It Va net.inet.ip.fw.nat64_debug : No 0 | ||||
Controls debugging messages produced by | Controls debugging messages produced by | ||||
.Nm ipfw_nat64 | .Nm ipfw_nat64 | ||||
module. | module. | ||||
.It Va net.inet.ip.fw.nat64_direct_output : No 0 | .It Va net.inet.ip.fw.nat64_direct_output : No 0 | ||||
Controls the output method used by | Controls the output method used by | ||||
.Nm ipfw_nat64 | .Nm ipfw_nat64 | ||||
module: | module: | ||||
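Review bot: the new `net.inet.ip.fw.nat64_allow_private` entry should say which translators it governs (nat64lsn, nat64stl and nat64clat all gain an `allow_private` option in this diff) and how it relates to that per-instance option: whether it is the default for instances created without the option or a global override that applies regardless. The `.It Cm 0` text `Packets with private IPv4 will not be handled by translator` is missing its period and should say what happens to those packets instead (dropped versus passed to the next rule), since that differs between the stateful and stateless instances.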
[750 lines not shown]