https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288380
Bug ID: 288380
Summary: ipfw libalias: Implementation of a simple NAT configuration for MAP-E (RFC 7597)
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
When setting up the Mapping of Address and Port with Encapsulation, it would be
better to have an additional implementation.
It seems that libalias requires an interface for bit masking (by &=) and an
interface for manipulating specific bits (by |= or ^=) near the _RandomPort
function.
It seems that ipfw needs something to calculate the values for it, or something
to use it directly.
As background: in pf, it can be done with just map-e-portset 4/8/1, but in ipfw
it becomes as follows.
# configuration of a common network interface
ifconfig gif0 create
ifconfig gif0 inet6 -auto_linklocal
# the address of the inet6 tunnel can be observed with ipfw rules like the following 22030,
# as packets have already been sent by port scan bot :)
ifconfig gif0 inet6 tunnel 2001:db8:1:100:c0:2:100:100 2001:db8:ffff::1
# the inet address can be somewhat inferred from the address used for the tunnel :)
# the address set to 127... seems to be a number that is not in use, so there shouldn't be any problems.
ifconfig gif0 inet 192.0.2.1 127.0.2.1 netmask 255.255.255.255 alias
# it is considered most preferable to set this address on the alwaysconf script of rtsold.
ifconfig ${wan_if} inet6 2001:db8:1:100:c0:2:100:100 prefixlen 128 alias
# set this interface as the default gateway.
route -n add -inet default -iface gif0
# or route -n add -inet default 127.0.2.1
# from here is ipfw rules file instead of command
disable one_pass
nat 11 config if gif0 log port_range 4112-4127
nat 12 config if gif0 log port_range 8208-8223
nat 13 config if gif0 log port_range 12304-12319
nat 14 config if gif0 log port_range 16400-16415
nat 15 config if gif0 log port_range 20496-20511
nat 16 config if gif0 log port_range 24592-24607
nat 17 config if gif0 log port_range 28688-28703
nat 18 config if gif0 log port_range 32784-32799
nat 19 config if gif0 log port_range 36880-36895
nat 20 config if gif0 log port_range 40976-40991
nat 21 config if gif0 log port_range 45072-45087
nat 22 config if gif0 log port_range 49168-49183
nat 23 config if gif0 log port_range 53264-53279
nat 24 config if gif0 log port_range 57360-57375
nat 25 config if gif0 log port_range 61456-61471
add 22030 count log logamount 0 4 from any to any ipversion 6 // proto 4 == ipencap
add 22010 allow log logamount 100 ipencap from me to 2001:db8:ffff::1 out ipversion 6 via ${wan_if} //
add 22020 allow log logamount 100 ipencap from 2001:db8:ffff::1 to me in ipversion 6 via ${wan_if} //
add 30010 skipto 59011 tcp from any to any established // allow for example
add 59011 check-state :map-e
add 59012 prob 0.066667 skipto 59019 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./15
add 59012 prob 0.071429 skipto 59025 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./14
add 59012 prob 0.076923 skipto 59031 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./13
add 59012 prob 0.083333 skipto 59037 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./12
add 59012 prob 0.090909 skipto 59043 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./11
add 59012 prob 0.100000 skipto 59049 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./10
add 59012 prob 0.111111 skipto 59055 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./9
add 59012 prob 0.125000 skipto 59061 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./8
add 59012 prob 0.142857 skipto 59067 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./7
add 59012 prob 0.166667 skipto 59073 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./6
add 59012 prob 0.200000 skipto 59079 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./5
add 59012 prob 0.250000 skipto 59085 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./4
add 59012 prob 0.333333 skipto 59091 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./3
add 59012 prob 0.500000 skipto 59097 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./2
add 59012 prob 1.000000 skipto 59103 log logamount 50 ip4 from any to any out xmit gif0 keep-state :map-e // prob 1./1
add 59019 nat 11 log logamount 50 ip4 from any to any out xmit gif0 //
add 59020 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59025 nat 12 log logamount 50 ip4 from any to any out xmit gif0 //
add 59026 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59031 nat 13 log logamount 50 ip4 from any to any out xmit gif0 //
add 59032 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59037 nat 14 log logamount 50 ip4 from any to any out xmit gif0 //
add 59038 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59043 nat 15 log logamount 50 ip4 from any to any out xmit gif0 //
add 59044 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59049 nat 16 log logamount 50 ip4 from any to any out xmit gif0 //
add 59050 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59055 nat 17 log logamount 50 ip4 from any to any out xmit gif0 //
add 59056 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59061 nat 18 log logamount 50 ip4 from any to any out xmit gif0 //
add 59062 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59067 nat 19 log logamount 50 ip4 from any to any out xmit gif0 //
add 59068 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59073 nat 20 log logamount 50 ip4 from any to any out xmit gif0 //
add 59074 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59079 nat 21 log logamount 50 ip4 from any to any out xmit gif0 //
add 59080 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59085 nat 22 log logamount 50 ip4 from any to any out xmit gif0 //
add 59086 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59091 nat 23 log logamount 50 ip4 from any to any out xmit gif0 //
add 59092 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59097 nat 24 log logamount 50 ip4 from any to any out xmit gif0 //
add 59098 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59103 nat 25 log logamount 50 ip4 from any to any out xmit gif0 //
add 59104 skipto 59110 log logamount 50 ip4 from any to any out xmit gif0 //
add 59211 nat 11 log logamount 50 ip4 from any to any in recv gif0 //
add 59212 nat 12 log logamount 50 ip4 from any to any in recv gif0 //
add 59213 nat 13 log logamount 50 ip4 from any to any in recv gif0 //
add 59214 nat 14 log logamount 50 ip4 from any to any in recv gif0 //
add 59215 nat 15 log logamount 50 ip4 from any to any in recv gif0 //
add 59216 nat 16 log logamount 50 ip4 from any to any in recv gif0 //
add 59217 nat 17 log logamount 50 ip4 from any to any in recv gif0 //
add 59218 nat 18 log logamount 50 ip4 from any to any in recv gif0 //
add 59219 nat 19 log logamount 50 ip4 from any to any in recv gif0 //
add 59220 nat 20 log logamount 50 ip4 from any to any in recv gif0 //
add 59221 nat 21 log logamount 50 ip4 from any to any in recv gif0 //
add 59222 nat 22 log logamount 50 ip4 from any to any in recv gif0 //
add 59223 nat 23 log logamount 50 ip4 from any to any in recv gif0 //
add 59224 nat 24 log logamount 50 ip4 from any to any in recv gif0 //
add 59225 nat 25 log logamount 50 ip4 from any to any in recv gif0 //
add 59890 allow ip from any to any //
# end
In my case, even with just 1 NAT, it can use 16 ports, so it's enough for
downloading ports distfiles.
However, in order to utilize all ports, it is necessary to remember the NAT
used first through keep-state.
Also, the returned packets must find out which NAT can restore them to their
original state.
The lookup for that seems to be really slow.
Therefore, I want to use all assigned ports with just 1 NAT.
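The PSID-to-port arithmetic that pf's map-e-portset 4/8/1 shorthand hides, and from which the fifteen port_range values in the nat config above follow, as an added Python example (not part of the report, nor of ipfw or libalias). Offset a=4, PSID length k=8 and PSID 1 are assumed from the listed ranges; the inverse functions show how a returned packet's port identifies its PSID and which nat instance of the rule set owns it.

```python
# MAP-E port-set arithmetic after RFC 7597, Section 5.1.
# Port layout (16 bits, MSB first):  a bits A | k bits PSID | m bits j
# with m = 16 - a - k.  A CE holding one PSID may use every port whose
# PSID field equals its PSID, for each A > 0 (A = 0 is excluded when an
# offset is in use, so the well-known ports 0..1023 are never assigned).

def port_set(offset, psid_len, psid):
    """Return the contiguous (first, last) port ranges owned by one PSID."""
    if not (0 <= offset <= 16 and 0 <= psid_len <= 16 - offset):
        raise ValueError("offset + psid_len must fit in 16 bits")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("psid does not fit in psid_len bits")
    m = 16 - offset - psid_len                 # contiguous ports per range
    ranges = []
    for a in range(1 if offset else 0, 1 << offset):
        first = (a << (16 - offset)) | (psid << m)
        ranges.append((first, first + (1 << m) - 1))
    return ranges

def psid_of_port(port, offset, psid_len):
    """Inverse mapping: the PSID whose port set contains this port."""
    m = 16 - offset - psid_len
    return (port >> m) & ((1 << psid_len) - 1)

def range_index(port, offset):
    """0-based index of the per-A range (A=1 first) a port falls in, i.e.
    which 'nat N' instance of the report would own it; -1 if A == 0."""
    return (port >> (16 - offset)) - 1 if offset else 0

def ipfw_nat_config(offset, psid_len, psid, ifname="gif0", first_id=11):
    """One 'nat N config' line per range, numbered as in the report."""
    return ["nat %d config if %s log port_range %d-%d" % (first_id + i, ifname, lo, hi)
            for i, (lo, hi) in enumerate(port_set(offset, psid_len, psid))]

if __name__ == "__main__":
    for line in ipfw_nat_config(4, 8, 1):      # pf's "map-e-portset 4/8/1"
        print(line)
```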