#
685dc743 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c pattern Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
#
4d846d26 |
|
10-May-2023 |
Warner Losh <imp@FreeBSD.org> |
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause. Discussed with: pfg MFC After: 3 days Sponsored by: Netflix
|
#
3d0d5b21 |
|
23-Jan-2023 |
Justin Hibbits <jhibbits@FreeBSD.org> |
IfAPI: Explicitly include <net/if_private.h> in netstack Summary: In preparation of making if_t completely opaque outside of the netstack, explicitly include the header. <net/if_var.h> will stop including the header in the future. Sponsored by: Juniper Networks, Inc. Reviewed by: glebius, melifaro Differential Revision: https://reviews.freebsd.org/D38200
|
#
44775b16 |
|
24-Nov-2021 |
Mark Johnston <markj@FreeBSD.org> |
netinet: Remove unneeded mb_unmapped_to_ext() calls in_cksum_skip() now handles unmapped mbufs on platforms where they're permitted. Reviewed by: glebius, jhb MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33097
|
#
da3a09d8 |
|
26-Aug-2021 |
Andrey V. Elsukov <ae@FreeBSD.org> |
ipfw_nat64: fix direct output mode In nat64_find_route[46] handle NHF_GATEWAY flag and use destination address from next hop to do link layer address lookup. PR: 255928 Reviewed by: melifaro Obtained from: Yandex LLC MFC after: 1 week Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D31680
|
#
65290859 |
|
21-Apr-2021 |
Mark Johnston <markj@FreeBSD.org> |
Add required checks for unmapped mbufs in ipdivert and ipfw Also add an M_ASSERTMAPPED() macro to verify that all mbufs in the chain are mapped. Use it in ipfw_nat, which operates on a chain returned by m_megapullup(). PR: 255164 Reviewed by: ae, gallatin MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29838
|
#
183502d1 |
|
13-Mar-2021 |
Gordon Bergling <gbe@FreeBSD.org> |
Fix a few typos in comments - trough -> through MFC after: 1 week
|
#
662c1305 |
|
01-Sep-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
net: clean up empty lines in .c and .h files
|
#
aaef76e1 |
|
05-Aug-2020 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Handle delayed checksums if needed in NAT64. Upper level protocols defer checksums calculation in hope we have checksums offloading in a network card. CSUM_DELAY_DATA flag is used to determine that checksum calculation was deferred. And IP output routine checks for this flag before pass mbuf to lower layer. Forwarded packets have not this flag. NAT64 uses checksums adjustment when it translates IP headers. In most cases NAT64 is used for forwarded packets, but in case when it handles locally originated packets we need to finish checksum calculation that was deferred to correctly adjust it. Add check for presence of CSUM_DELAY_DATA flag and finish checksum calculation before adjustment. Reported and tested by: Evgeniy Khramtsov <evgeniy at khramtsov org> MFC after: 1 week
|
#
6ad7446c |
|
02-Jul-2020 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Complete conversions from fib<4|6>_lookup_nh_<basic|ext> to fib<4|6>_lookup(). fib[46]_lookup_nh_ represents pre-epoch generation of fib api, providing less guarantees over pointer validness and requiring on-stack data copying. With no callers remaining, remove fib[46]_lookup_nh_ functions. Submitted by: Neel Chauhan <neel AT neelc DOT org> Differential Revision: https://reviews.freebsd.org/D25445
|
#
28739809 |
|
12-Dec-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Follow RFC 4443 p2.2 and always use own addresses for reflected ICMPv6 datagrams. Previously destination address from original datagram was used. That looked confusing, especially in the traceroute6 output. Also honor IPSTEALTH kernel option and do TTL/HLIM decrementing only when stealth mode is disabled. Reported by: Marco van Tol <marco at tols org> Reviewed by: melifaro MFC after: 2 weeks Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D22631
|
#
002cae78 |
|
18-Mar-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add SPDX-License-Identifier and update year in copyright. MFC after: 1 month
|
#
b11efc1e |
|
18-Mar-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Modify struct nat64_config. Add second IPv6 prefix to generic config structure and rename another fields to conform to RFC6877. Now it contains two prefixes and length: PLAT is provider-side translator that translates N:1 global IPv6 addresses to global IPv4 addresses. CLAT is customer-side translator (XLAT) that algorithmically translates 1:1 IPv4 addresses to global IPv6 addresses. Use PLAT prefix in stateless (nat64stl) and stateful (nat64lsn) translators. Modify nat64_extract_ip4() and nat64_embed_ip4() functions to accept prefix length and use plat_plen to specify prefix length. Retire net.inet.ip.fw.nat64_allow_private sysctl variable. Add NAT64_ALLOW_PRIVATE flag and use "allow_private" config option to configure this ability separately for each NAT64 instance. Obtained from: Yandex LLC MFC after: 1 month Sponsored by: Yandex LLC
|
#
d7622795 |
|
11-Mar-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add NULL pointer check to nat64_output(). It is possible, that a processed packet was originated by local host, in this case m->m_pkthdr.rcvif is NULL. Check and set it to V_loif to avoid NULL pointer dereference in IP input code, since it is expected that packet has valid receiving interface when netisr processes it. Obtained from: Yandex LLC MFC after: 1 week Sponsored by: Yandex LLC
|
#
aa271561 |
|
21-Oct-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Retire IPFIREWALL_NAT64_DIRECT_OUTPUT kernel option. And add ability to switch the output method in run-time. Also document some sysctl variables that can by changed for NAT64 module. NAT64 had compile time option IPFIREWALL_NAT64_DIRECT_OUTPUT to use if_output directly from nat64 module. By default is used netisr based output method. Now both methods can be used, but they require different handling by rules. Obtained from: Yandex LLC MFC after: 3 weeks Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D16647
|
#
782360de |
|
09-May-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Bring in some last changes in NAT64 implementation: o Modify ipfw(8) to be able set any prefix6 not just Well-Known, and also show configured prefix6; o relocate some definitions and macros into proper place; o convert nat64_debug and nat64_allow_private variables to be VNET-compatible; o add struct nat64_config that keeps generic configuration needed to NAT64 code; o add nat64_check_prefix6() function to check validness of specified by user IPv6 prefix according to RFC6052; o use nat64_check_private_ip4() and nat64_embed_ip4() functions instead of nat64_get_ip4() and nat64_set_ip4() macros. This allows to use any configured IPv6 prefixes that are allowed by RFC6052; o introduce NAT64_WKPFX flag, that is set when IPv6 prefix is Well-Known IPv6 prefix. It is used to reduce overhead to check this; o modify nat64lsn_cfg and nat64stl_cfg structures to use nat64_config structure. And respectivelly modify the rest of code; o remove now unused ro argument from nat64_output() function; o remove __FreeBSD_version ifdef, NAT64 was not merged to older versions; o add commented -DIPFIREWALL_NAT64_DIRECT_OUTPUT flag to module's Makefile as example. Obtained from: Yandex LLC MFC after: 1 month Sponsored by: Yandex LLC
|
#
c570565f |
|
12-Apr-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Migrate NAT64 to FIB KPI. Obtained from: Yandex LLC MFC after: 1 week
|
#
785c0d4d |
|
29-Jun-2017 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Fix IPv6 extension header parsing. The length field doesn't include the first 8 octets. Obtained from: Yandex LLC MFC after: 3 days
|
#
c5f2dbb6 |
|
26-Nov-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Fix ICMPv6 Time Exceeded error message translation. Obtained from: Yandex LLC Sponsored by: Yandex LLC
|
#
db68f783 |
|
18-Aug-2016 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Try to fix gcc compilation errors (which are right). nat64_getlasthdr() returns an int, which can be -1 in case of error, storing the result in an uint8_t and then comparing to < 0 is not helpful. Do what is done in the rest of the code and make proto an int here as well.
|
#
c402a01b |
|
13-Aug-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Replace __noinline with special debug macro NAT64NOINLINE.
|
#
d8caf56e |
|
13-Aug-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add ipfw_nat64 module that implements stateless and stateful NAT64. The module works together with ipfw(4) and implemented as its external action module. Stateless NAT64 registers external action with name nat64stl. This keyword should be used to create NAT64 instance and to address this instance in rules. Stateless NAT64 uses two lookup tables with mapped IPv4->IPv6 and IPv6->IPv4 addresses to perform translation. A configuration of instance should looks like this: 1. Create lookup tables: # ipfw table T46 create type addr valtype ipv6 # ipfw table T64 create type addr valtype ipv4 2. Fill T46 and T64 tables. 3. Add rule to allow neighbor solicitation and advertisement: # ipfw add allow icmp6 from any to any icmp6types 135,136 4. Create NAT64 instance: # ipfw nat64stl NAT create table4 T46 table6 T64 5. Add rules that matches the traffic: # ipfw add nat64stl NAT ip from any to table(T46) # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96 6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host. Stateful NAT64 registers external action with name nat64lsn. The only one option required to create nat64lsn instance - prefix4. It defines the pool of IPv4 addresses used for translation. A configuration of instance should looks like this: 1. Add rule to allow neighbor solicitation and advertisement: # ipfw add allow icmp6 from any to any icmp6types 135,136 2. Create NAT64 instance: # ipfw nat64lsn NAT create prefix4 A.B.C.D/28 3. Add rules that matches the traffic: # ipfw add nat64lsn NAT ip from any to A.B.C.D/28 # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96 4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host. Obtained from: Yandex LLC Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D6434
|