ppp: Enable support for EIM NAT

Enable support for endpoint-independent mapping ("full cone NAT") via
Libalias's UDP NAT.

Reviewed by:    igoro, thj
Differential Revision:  https://reviews.freebsd.org/D46689
This commit is contained in:
Damjan Jovanovic
2024-12-06 09:22:51 +00:00
committed by Tom Jones
parent ef18594985
commit cb21fa3d0d
2 changed files with 25 additions and 1 deletions
+4
View File
@@ -793,6 +793,10 @@ static struct cmdtab const NatCommands[] =
{"use_sockets", NULL, NatOption, LOCAL_AUTH,
"allocate host sockets", "nat use_sockets yes|no",
(const void *) PKT_ALIAS_USE_SOCKETS},
{"udp_eim", NULL, NatOption, LOCAL_AUTH,
"UDP uses endpoint-independent mapping (\"full cone\" NAT)",
"nat udp_eim yes|no",
(const void *) PKT_ALIAS_UDP_EIM},
{"help", "?", HelpCommand, LOCAL_AUTH | LOCAL_NO_AUTH,
"Display this message", "nat help|? [command]", NatCommands},
{NULL, NULL, NULL, 0, NULL, NULL, NULL},
+21 -1
View File
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd November 18, 2024
.Dd December 6, 2024
.Dt PPP 8
.Os
.Sh NAME
@@ -3579,6 +3579,26 @@ network.
The target address may be set to
.Dq MYADDR ,
in which case libalias will redirect all packets to the interface address.
.It nat udp_eim yes|no
When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
("full cone" NAT of RFC 3489).
All packets from the same internal address:port are mapped to the same NAT
address:port, regardless of their destination address:port.
If filtering rules allow, and if
.Em deny_incoming
is disabled, any other external address:port can
also send to the internal address:port through its mapped NAT address:port.
This is more compatible with applications, and can reduce the need for port
forwarding, but less scalable as each NAT address:port can only be
concurrently used by at most one internal address:port.
.Pp
When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
NAT).
Each connection from a particular internal address:port to different
external addresses:ports is mapped to a random and unpredictable NAT
address:port.
Two appplications behind EDM NATs can only connect to each other
by port forwarding on the NAT, or tunnelling through an in-between server.
.It nat use_sockets yes|no
When enabled, this option tells the network address translation engine to
create a socket so that it can guarantee a correct incoming ftp data or