I found `struct ipv*_nat_entry` is missing `_s` suffix, but the name is too long in some cases, so maybe `ipv*_nat_entry_t` could be better.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
Notes:
1. This version of NAT66 is a stateful one like NAT44, corresponding to Linux's MASQUERADE target of ip6tables. We can support stateless NAT66 & NPTv6 later by slightly modify the address & port selection logic (maybe just match the rules and skip the entry find).
2. We're using same flag `IFF_NAT` for both NAT44 & NAT66 to make control easier. Which means, if we enable NAT, both NAT44 & NAT66 will be enabled. If we don't want one of them, we can just disable that one in Kconfig.
3. Maybe we can accelerate the checksum adjustment by pre-calculate a difference of checksum, and apply it to each packet, instead of calling `net_chksum_adjust` each time. Just a thought, maybe do it later.
4. IP fragment segments on NAT66 connections are not supported yet.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
To prepare for future IPv6 NAT functions.
- Rename common ipv4_nat_xxx to nat_xxx
- Move some common definitions into header
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
The symmetric NAT limits one external port to be used with only one peer ip:port.
Note:
1. To avoid using too much #ifdef, we're always passing peer_ip and peer_port as arguments, but won't use them under full cone NAT, let the compiler optimize them.
2. We need to find port binding without peer ip:port, so don't add peer ip:port into hash key.
3. Symmetric NAT needs to *select another external port if a port is used by any other NAT entry*, this behavior is exactly same as Full Cone NAT, so we don't need to change anything related to `ipv4_nat_port_inuse`.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
1. Don't assert on IGMP inside ICMP, just ignore it.
2. Check we have full IP header inside ICMP payload before accessing it.
3. `inner_l4hdrbak` need to be `L4_MAXHDRLEN`, not `L4_MAXHDRLEN/2`.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
1.
ipfrag/ipv4_frag.c: In function ‘ipv4_fragin’:
ipfrag/ipv4_frag.c:184:22: warning: ‘head’ may be used uninitialized in this function [-Wmaybe-uninitialized]
184 | ipv4->len[1] = head->io_pktlen & 0xff;
| ~~~~^~~~~~~~~~~
ipfrag/ipv4_frag.c:123:21: note: ‘head’ was declared here
123 | FAR struct iob_s *head;
| ^~~~
2.
devif/ipv6_input.c: In function ‘ipv6_in’:
devif/ipv6_input.c:60:33: error: ‘TCPIPv6BUF’ undeclared (first use in this function); did you mean ‘UDPIPv6BUF’?
60 | #define PAYLOAD ((FAR uint8_t *)TCPIPv6BUF)
| ^~~~~~~~~~
3.
nat/ipv4_nat.c: In function ‘ipv4_nat_inbound_icmp’:
nat/ipv4_nat.c:67:30: error: ‘TCP_HDRLEN’ undeclared (first use in this function); did you mean ‘UDP_HDRLEN’?
67 | ((proto) == IP_PROTO_TCP ? TCP_HDRLEN : \
| ^~~~~~~~~~
nat/ipv4_nat.c:323:47: note: in expansion of macro ‘L4_HDRLEN’
323 | inner_l4hdrlen = MIN(inner_l4len, L4_HDRLEN(inner->proto));
| ^~~~~~~~~
Signed-off-by: chao an <anchao@xiaomi.com>
Split out ipv4_nat_in/outbound_internal which returns entry instead of error code, for later ICMP error types, does not change any current logic.
Reason: Outer packet doesn't have information of port, so we need to find entry by inner packet, and apply the entry to outer packet.
| Outer Packet: SRC = Peer IP<No Port>, DST = External IP<No Port> |
| Inner Packet: SRC = External IP:Port, DST = Peer IP:Port |
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
This commit is for later ICMP error types processing, and does not change any current logic.
Reason for supporting both side of modification is that an inbound ICMP Error MSG may carry original packet like this:
| IP HDR: SRC = Peer IP, DST = External IP |
| ICMP HDR: ERROR MSG |
| <Origin> IP HDR: SRC = External IP, DST = Peer IP |
| <Origin> L4 HDR: SRC = External Port, DST = Peer Port |
So we need to support inbound translation (External -> Local) on SRC or DST of each header.
And so do the outbound direction.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
Support ICMP ECHO REQUEST & REPLY. Id of ICMP is processed like port of TCP in NAT. However, our ICMP stack doesn't have a method to manage id allocation like tcp_selectport(), the id is set by apps (like icmp_ping.c) without conflict avoidance, so not adding such conflict avoidance logic to ICMP stack when implementing NAT.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
Add basic functions for NAT (NAPT), remaining some logic unimplemented (UDP, ICMP, port assignment, etc). NAT for TCP can work now (unless port conflicts).
Outbound: LAN -> Forward -> NAT(only if targeting at WAN) -> WAN
Inbound: WAN -> NAT(only from WAN, change dest) -> Forward -> LAN
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>