Created attachment 223606: Implementation of MAP-E NAT port number selection

MAP-E (RFC 7597) requires special care when selecting source ports in NAT operation on the Customer Edge, because part of the bits of the port numbers are used by the Border Relay to distinguish the other side of the IPv4-over-IPv6 tunnel. The attached patch introduces the "map-e-portset" port specification for nat rules in pf.conf and the corresponding kernel-side port number selection. The patch is made against 12-STABLE but can be applied to -current so far.
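The port-set rule the report refers to, as an added worked example (not the attached patch and not pf's own code): the RFC 7597 port layout, a check that a port carries the CE's PSID, and the "next usable port" step a NAT has to take instead of walking the whole ephemeral range. The struct and function names are assumed for illustration; pf's internal representation differs.

```c
#include <stdbool.h>
#include <stdint.h>

/* RFC 7597 sec. 5.1 port layout, MSB first: [ A : a bits | PSID : k bits | M : 16-a-k bits ].
 * The BR reads the PSID field of the port to pick the tunnel endpoint, so the CE's NAT may
 * only hand out ports whose PSID equals its own; with a > 0, A must be non-zero so the
 * system ports 0..2^(16-a)-1 are never used. (Illustrative names, not pf's.) */
struct mape_portset {
	unsigned offset;	/* a: PSID offset, RFC default 6 (excludes ports 0..1023) */
	unsigned len;		/* k: PSID length in bits */
	uint16_t psid;		/* this CE's port-set identifier */
};

/* Reject parameter combinations that cannot describe a port set. */
bool mape_portset_valid(const struct mape_portset *ps)
{
	if (ps->offset > 16 || ps->len > 16 || ps->offset + ps->len > 16)
		return false;
	return ps->psid < (1u << ps->len);
}

/* PSID carried by a port, or -1 when the port lies in the excluded A == 0 block. */
int mape_port_psid(uint16_t port, unsigned offset, unsigned len)
{
	if (offset > 0 && (port >> (16 - offset)) == 0)
		return -1;
	return (port >> (16 - offset - len)) & ((1u << len) - 1);
}

/* May this CE use the port as a NAT source port? */
bool mape_port_allowed(uint16_t port, const struct mape_portset *ps)
{
	return mape_port_psid(port, ps->offset, ps->len) == (int)ps->psid;
}

/* Lowest allowed port >= cand, or -1 if none: the step a NAT takes after picking a
 * random start, instead of incrementing through 1024..65535 as a plain NAT does. */
int mape_port_next(uint16_t cand, const struct mape_portset *ps)
{
	unsigned m = 16 - ps->offset - ps->len;
	unsigned mmask = (1u << m) - 1;
	unsigned a_max = ps->offset ? (1u << ps->offset) - 1 : 0;
	for (unsigned a = cand >> (16 - ps->offset); a <= a_max; a++) {
		unsigned lo = (a << (16 - ps->offset)) | ((unsigned)ps->psid << m);
		unsigned hi = lo | mmask;
		if ((ps->offset > 0 && a == 0) || hi < cand)
			continue;	/* skip the system-port block and exhausted A values */
		return (int)(cand > lo ? cand : lo);
	}
	return -1;
}
```

With a = 6, k = 8 and PSID 0x34 the CE owns only 63 runs of 4 ports (1232..1235, 2256..2259, ...), so a port selector that ignores the PSID produces flows the BR cannot map back to this customer.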
I need to read up on MAP-E before I can say much sensible, but on first glance this looks like a pretty solid patch. It appears to date from before the split-up of pf_pool / pf_kpool, but that's a minor issue. A somewhat bigger issue is that it changes the definition of pf_pool, which means that it breaks the userspace API. That's pretty much inevitable when adding new functionality, but it's still problematic. I'm currently working on introducing nvlist based alternatives, which would fix that problem. Right now only DIOCADDRULE/DIOCGETRULE, but that's most of what's needed here. I'll try to push that work somewhere when it's closer to being usable. Hopefully in a week or two. In the meantime it'd also be nice to have a test or two for this. Even if all it does is configure the functionality and run a few packets through it. (More is better, of course). There are a number of example tests in /usr/src/tests/sys/netpfil/pf.
(In reply to Kristof Provost from comment #1) Thanks for taking a look at the patch! I forgot to note that it was made against 12-STABLE. I'll port it to -current. The patch is indeed not good in the aspect of breaking the ABI. I'm glad to hear that you are going to add the new pf ioctl. I'll rewrite the code using the feature when your work comes into current. Also, I'll add the test of map-e-portset. It seems that sys/netpfil/pf/nat.sh is a suitable starting point.
I had two minor remarks. Phabricator is easier for code review than bugzilla, so I posted the patch there: https://reviews.freebsd.org/D29468 If you have (or create) an account you should be able to commandeer the patch and update it when appropriate.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2aa21096c7349390f22aa5d06b373a575baed1b4

commit 2aa21096c7349390f22aa5d06b373a575baed1b4
Author: Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
AuthorDate: 2021-04-13 08:50:00 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-04-13 08:53:18 +0000

pf: Implement the NAT source port selection of MAP-E Customer Edge

MAP-E (RFC 7597) requires special care for selecting source ports in NAT operation on the Customer Edge because a part of bits of the port numbers are used by the Border Relay to distinguish another side of the IPv4-over-IPv6 tunnel.

PR: 254577
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D29468

 lib/libpfctl/libpfctl.c             | 24 ++++++++++
 lib/libpfctl/libpfctl.h             |  1 +
 sbin/pfctl/parse.y                  | 57 ++++++++++++++++++++++-
 sbin/pfctl/pfctl_parser.c           |  3 ++
 share/man/man5/pf.conf.5            | 24 +++++++++-
 sys/net/pfvar.h                     |  1 +
 sys/netpfil/pf/pf.h                 |  6 +++
 sys/netpfil/pf/pf_ioctl.c           | 40 ++++++++++++++++
 sys/netpfil/pf/pf_lb.c              | 65 ++++++++++++++++++++++----
 tests/sys/netpfil/pf/Makefile       |  1 +
 tests/sys/netpfil/pf/map_e.sh (new) | 91 +++++++++++++++++++++++++++++++++++++
 11 files changed, 303 insertions(+), 10 deletions(-)
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b0b9525172ba9f8704f810d974f56d4ee3aad51f

commit b0b9525172ba9f8704f810d974f56d4ee3aad51f
Author: Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
AuthorDate: 2021-04-13 08:50:00 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-05-11 08:27:57 +0000

pf: Implement the NAT source port selection of MAP-E Customer Edge

MAP-E (RFC 7597) requires special care for selecting source ports in NAT operation on the Customer Edge because a part of bits of the port numbers are used by the Border Relay to distinguish another side of the IPv4-over-IPv6 tunnel.

PR: 254577
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D29468

(cherry picked from commit 2aa21096c7349390f22aa5d06b373a575baed1b4)

 lib/libpfctl/libpfctl.c             | 24 ++++++++++
 lib/libpfctl/libpfctl.h             |  1 +
 sbin/pfctl/parse.y                  | 57 ++++++++++++++++++++++-
 sbin/pfctl/pfctl_parser.c           |  3 ++
 share/man/man5/pf.conf.5            | 24 +++++++++-
 sys/net/pfvar.h                     |  1 +
 sys/netpfil/pf/pf.h                 |  6 +++
 sys/netpfil/pf/pf_ioctl.c           | 40 ++++++++++++++++
 sys/netpfil/pf/pf_lb.c              | 65 ++++++++++++++++++++++----
 tests/sys/netpfil/pf/Makefile       |  1 +
 tests/sys/netpfil/pf/map_e.sh (new) | 91 +++++++++++++++++++++++++++++++++++++
 11 files changed, 303 insertions(+), 10 deletions(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=e49799dcf14e7026f377d26a70fe0a3a3d15390a

commit e49799dcf14e7026f377d26a70fe0a3a3d15390a
Author: Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
AuthorDate: 2021-04-13 08:50:00 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-05-11 15:04:45 +0000

pf: Implement the NAT source port selection of MAP-E Customer Edge

MAP-E (RFC 7597) requires special care for selecting source ports in NAT operation on the Customer Edge because a part of bits of the port numbers are used by the Border Relay to distinguish another side of the IPv4-over-IPv6 tunnel.

PR: 254577
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D29468

(cherry picked from commit 2aa21096c7349390f22aa5d06b373a575baed1b4)

 lib/libpfctl/libpfctl.c             | 24 ++++++++++
 lib/libpfctl/libpfctl.h             |  1 +
 sbin/pfctl/parse.y                  | 57 ++++++++++++++++++++++-
 sbin/pfctl/pfctl_parser.c           |  3 ++
 share/man/man5/pf.conf.5            | 24 +++++++++-
 sys/net/pfvar.h                     |  1 +
 sys/netpfil/pf/pf.h                 |  6 +++
 sys/netpfil/pf/pf_ioctl.c           | 40 ++++++++++++++++
 sys/netpfil/pf/pf_lb.c              | 65 ++++++++++++++++++++++----
 tests/sys/netpfil/pf/Makefile       |  1 +
 tests/sys/netpfil/pf/map_e.sh (new) | 91 +++++++++++++++++++++++++++++++++++++
 11 files changed, 303 insertions(+), 10 deletions(-)
Committed and MFC'd, thank you for the contribution.