Add ipfw_nat64 module that implements stateless and stateful NAT64.

The module works together with ipfw(4) and implemented as its external
action module.

Stateless NAT64 registers external action w

Add ipfw_nat64 module that implements stateless and stateful NAT64.

The module works together with ipfw(4) and implemented as its external
action module.

Stateless NAT64 registers external action with name nat64stl. This
keyword should be used to create NAT64 instance and to address this
instance in rules. Stateless NAT64 uses two lookup tables with mapped
IPv4->IPv6 and IPv6->IPv4 addresses to perform translation.

A configuration of instance should looks like this:
1. Create lookup tables:
# ipfw table T46 create type addr valtype ipv6
# ipfw table T64 create type addr valtype ipv4
2. Fill T46 and T64 tables.
3. Add rule to allow neighbor solicitation and advertisement:
# ipfw add allow icmp6 from any to any icmp6types 135,136
4. Create NAT64 instance:
# ipfw nat64stl NAT create table4 T46 table6 T64
5. Add rules that matches the traffic:
# ipfw add nat64stl NAT ip from any to table(T46)
# ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
via NAT64 host.

Stateful NAT64 registers external action with name nat64lsn. The only
one option required to create nat64lsn instance - prefix4. It defines
the pool of IPv4 addresses used for translation.

A configuration of instance should looks like this:
1. Add rule to allow neighbor solicitation and advertisement:
# ipfw add allow icmp6 from any to any icmp6types 135,136
2. Create NAT64 instance:
# ipfw nat64lsn NAT create prefix4 A.B.C.D/28
3. Add rules that matches the traffic:
# ipfw add nat64lsn NAT ip from any to A.B.C.D/28
# ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
via NAT64 host.

Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6434

show more ...

An old tables implementation had all tables preallocated,
so when user did `ipfw table N flush` it always worked, but now
when table N doesn't exist the kernel returns ESRCH error.
This isn't fatal e

An old tables implementation had all tables preallocated,
so when user did `ipfw table N flush` it always worked, but now
when table N doesn't exist the kernel returns ESRCH error.
This isn't fatal error for flush and destroy commands. Do not
call err(3) when errno is equal to ESRCH. Also warn only when
quiet mode isn't enabled. This fixes a regression in behavior,
when old rules are loaded from file.
Also use correct value for switch in the table_swap().

Reported by: Kevin Oberman
MFC after: 3 days

show more ...

Hide warning about non-existent lookup tables and informational messages
about modified table entry when quied mode enabled.

Approved by: re (hrs)
Obtained from: Yandex LLC

MFH

Sponsored by: The FreeBSD Foundation

Add External Actions KPI to ipfw(9).

It allows implementing loadable kernel modules with new actions and
without needing to modify kernel headers and ipfw(8). The module
registers its action handler

Add External Actions KPI to ipfw(9).

It allows implementing loadable kernel modules with new actions and
without needing to modify kernel headers and ipfw(8). The module
registers its action handler and keyword string, that will be used
as action name. Using generic syntax user can add rules with this
action. Also ipfw(8) can be easily modified to extend basic syntax
for external actions, that become a part base system.
Sample modules will coming soon.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

show more ...

MFH r289384-r293170

Sponsored by: The FreeBSD Foundation

Catch up with head (r291075).

Merge from head

Merge from head

Sponsored by: Gandi.net

Fix a ton of speelling errors

arc lint is helpful

Reviewed By: allanjude, wblock, #manpages, chris@bsdjunk.com
Differential Revision: https://reviews.freebsd.org/D3337

Merge from head

Merge r286744-r287584 from head.

Merge ^/head r286858 through r287489.

Merge from HEAD

Code cleanup unused-but-set-variable spotted by gcc.

Reviewed by: melifaro
Approved by: bapt (mentor)
Differential Revision: D3473

Catch up with head, primarily for the 1.14.4.0 firmware.

Merge ^/head r286422 through r286684.

sbin/ipfw fix typo: info -> into

example:

DEPRECATED: inserting data into non-existent table sshguard. (auto-created)

Approved by: bdrewery

Catch up with HEAD (r280229-r284686).

MFH: r282615-r283655

Sponsored by: The FreeBSD Foundation

Merge sync of head

Bring back support for checking tables via "ipfw -n".

Currently we have different table key types which can easily interfere
with each other (numbers and IPv4 address, interface names and hostnames,

Bring back support for checking tables via "ipfw -n".

Currently we have different table key types which can easily interfere
with each other (numbers and IPv4 address, interface names and hostnames,
flows and hostnames/addresses).
This conflicts are solved by [auto-]creating _typed_ tables, so after
table is created, only keys of given type can be inserted to that table.
ipfw(8) consults with kernel about key/value type for particular table so
it knows key/value interpretation.
However, we have 2 cases (adding entries to non-existing table and
parsing configuration file via `ipfw -n`) when kernel is unable to
provide us table info we need. Fix the latter case by partially importing
old `table_fill_xentry()` parse function responsible for guessing key type.

Sponsored by: Yandex LLC

show more ...

Merge from HEAD

MFH: r282315-r282534

Sponsored by: The FreeBSD Foundation

Correctly print valtype for empty bitmask.