Page MenuHomeFreeBSD

NAT64 update
AbandonedPublic

Authored by ae on Mar 12 2019, 1:18 PM.
Tags
None
Referenced Files
F101887549: D19561.id.diff
Tue, Nov 5, 5:29 AM
Unknown Object (File)
Fri, Nov 1, 12:19 AM
Unknown Object (File)
Sat, Oct 19, 7:51 PM
Unknown Object (File)
Wed, Oct 9, 2:47 PM
Unknown Object (File)
Wed, Oct 9, 2:46 PM
Unknown Object (File)
Wed, Oct 9, 2:46 PM
Unknown Object (File)
Wed, Oct 9, 2:45 PM
Unknown Object (File)
Wed, Oct 9, 2:45 PM
Subscribers

Details

Reviewers
melifaro
hrs
kp
Group Reviewers
manpages
Summary

This patch adds to ipfw_nat64 module NAT64 CLAT implementation as defined in RFC6877.
CLAT is customer-side translator that algorithmically translates 1:1 private IPv4 addresses to global IPv6 addresses, and vice versa. It can be used to provide access for IPv4 clients to IPv6 network. Together with PLAT translator (nat64lsn can be used for this purpose) CLAT can provide access for IPv4 host to IPv4 Internet via IPv6-only network.
464XLAT Overview at juniper

The another part of patch modifies existing NAT64LSN. This module is changed to be able support large number of states. Also, it moved to use CK and epoch(9).

Details:

  • sysctl net.inet.ip.fw.nat64_allow_private was removed. Now this option can be tuned for each NAT64 instance using allow_private option.
  • NAT64 CLAT translator should be used in the same way, as stateless NAT64. First of nat64clat instance should be created, then it can be used in rules. nat64clat create command accepts two IPv6 prefixes, clat_prefix and plat_prefix, if plat_prefix is omitted IPv6 well-known prefix will be used.
  • most of data structures of NAT64LSN and their relations were changed. Now ports groups are related to IPv4 alias addresses. Each supported protocol now has its own chain of ports groups. This allows use full ports range for each protocol for each alias address. Introduced states chunks for portgroups. States chunks allow use single alias address and port to keep several states. Chunks are chosen using hash from remote IPv4 address. Thus when single IPv6 host connects to several different host, single alias+port can be used to keep these states.
  • CK and epoch(9) are used to make lockless lookup for existing states. Introduced several new bitmasks to speedup search.

Diff Detail

Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 23036
Build 22107: arc lint + arc unit

Event Timeline

ae retitled this revision from NAT64 update to NAT64 update.

Add missing TOK_STATES_CHUNKS token

Fix misused ENOENT in some places.

Remove object files. Sorry.