Bug 219918 - LibAlias: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Summary: LibAlias: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-net (Nobody)
URL: https://www.rfc-editor.org/rfc/rfc4787
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-11 07:34 UTC by Damjan Jovanovic
Modified: 2023-10-01 16:08 UTC (History)
3 users (show)

See Also:

Attachments
LibAlias RFC 4787 req 1 and 3 implementation (7.91 KB, patch)
2017-06-11 07:34 UTC, Damjan Jovanovic 		no flags Details | Diff
Version 2 (8.29 KB, patch)
2017-06-13 19:34 UTC, Damjan Jovanovic 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Damjan Jovanovic 2017-06-11 07:34:04 UTC 
Created attachment 183392 [details]
LibAlias RFC 4787 req 1 and 3 implementation

Implement NAT hole punching for UDP, as per RFC 4787 requirements 1 and 3, creating an endpoint-independent mapping NAT also known as an (address- and port-restricted) cone NAT.

Outgoing links are now hashed only on source IP/port, so they can be searched using only those, allowing us to find and reuse the alias address/port already in use by the packet's source address/port. When new links are allocated, we also search for an alias address/port that is not used by any link.

Also updated the man page to reflect this.

Please also see the related bug 219803, which implements the same feature in PF.
Comment 1 Eugene Grosbein freebsd_committer freebsd_triage 2017-06-11 11:35:58 UTC 
(In reply to Damjan Jovanovic from comment #0)

Your patch makes significant change unconditionnaly and the change may present regression for other use cases:

- it can degrade performance of libalias hash function that is not perfect already;
- it decreases port variance of translated traffic that can degrade performance of L3 channel load distribution.

Note that libalias already has a flag PKT_ALIAS_SAME_PORTS (natd -same_ports or ipfw nat config same_ports) to somehow change port translation rules. Please make your change conditional using new flag for new translation mode.
Comment 2 Kurt Jaeger freebsd_committer freebsd_triage 2017-06-11 11:53:59 UTC 
As a (small) natd user, I'd like to comment:
having the better/correcter behaviour is more important than performance,
if performance and side effects are documented in the man page and
if there's a way to change the default for performance and no side-effects.
Comment 3 Damjan Jovanovic 2017-06-11 12:04:50 UTC 
Thank you. I do want good performance, and am thinking of better solutions. Maybe a new hash table, that's only on alias address:port, instead of changing the existing one to that. Or a bitfield of 65536 bits for ports in use, that could provide guaranteed O(1) lookups. I do need to understand that code better first though.
Comment 4 Damjan Jovanovic 2017-06-13 19:34:02 UTC 
Created attachment 183455 [details]
Version 2

New version of the patch. Existing hash tables and hash functions aren't changed, instead a new one is added for searching on source IP:port alone. Thus performance of existing operations is unaffected.
Comment 5 Eugene Grosbein freebsd_committer freebsd_triage 2017-06-14 03:18:36 UTC 
(In reply to Damjan Jovanovic from comment #4)

Your new patch it much better but it still decreases translated port variance unconditionally, if it is needed for an installation or not. Please create new libalias translation mode and make it possible for libalias consumer (natd or ipfw nat) to enable/disable it.
Comment 6 Eugene Grosbein freebsd_committer freebsd_triage 2017-06-14 03:19:45 UTC 
(In reply to Damjan Jovanovic from comment #4)

For example, this may be particulary bad for DNS UDP traffic.