Now we only support conntrack info from NAT entries, to let our apps in user space know the mapping status in NAT.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
I found `struct ipv*_nat_entry` is missing the `_s` suffix, but the name is too long in some cases, so maybe `ipv*_nat_entry_t` could be better.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
Notes:
1. This version of NAT66 is a stateful one like NAT44, corresponding to Linux's MASQUERADE target of ip6tables. We can support stateless NAT66 & NPTv6 later by slightly modifying the address & port selection logic (maybe just match the rules and skip the entry find).
2. We're using the same flag `IFF_NAT` for both NAT44 & NAT66 to make control easier. This means that if we enable NAT, both NAT44 & NAT66 will be enabled. If we don't want one of them, we can just disable it in Kconfig.
3. Maybe we can accelerate the checksum adjustment by pre-calculating a checksum difference and applying it to each packet, instead of calling `net_chksum_adjust` each time. Just a thought, maybe do it later.
4. IP fragment segments on NAT66 connections are not supported yet.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
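The incremental checksum idea in note 3 above, worked through as an added example (this is not NuttX code and does not use `net_chksum_adjust` or the NAT entry structs): the one's-complement difference between the old and new address is computed once per mapping, and each translated packet then needs only one fold instead of a full recomputation (RFC 1624, equation 3). The header bytes and addresses below are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define IPV4_HDRLEN 20

/* One's-complement sum of 16-bit big-endian words, not yet folded. */
static uint32_t ones_sum(const uint8_t *p, size_t len)
{
  uint32_t sum = 0;
  for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
  if (len) sum += (uint32_t)p[0] << 8;
  return sum;
}

static uint16_t fold(uint32_t sum)
{
  while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
  return (uint16_t)sum;
}

/* Full checksum from scratch: what the per-packet path is meant to avoid. */
uint16_t inet_chksum(const uint8_t *p, size_t len)
{
  return (uint16_t)~fold(ones_sum(p, len));
}

/* Computed once per NAT mapping: sum of ~old words plus new words (the
 * "~m + m'" part of RFC 1624 eq. 3, hoisted out of the per-packet path). */
uint16_t nat_chksum_delta(const uint8_t *oldv, const uint8_t *newv, size_t len)
{
  uint32_t sum = 0;
  for (size_t i = 0; i + 1 < len; i += 2)
    {
      uint16_t o = (uint16_t)((oldv[i] << 8) | oldv[i + 1]);
      uint16_t n = (uint16_t)((newv[i] << 8) | newv[i + 1]);
      sum += (uint16_t)~o;
      sum += n;
    }
  return fold(sum);
}

/* Per-packet work: HC' = ~(~HC + delta). Valid for the IPv4 header checksum
 * and for TCP, since the pseudo-header contains the same address words. */
uint16_t nat_chksum_apply(uint16_t hc, uint16_t delta)
{
  return (uint16_t)~fold((uint32_t)(uint16_t)~hc + delta);
}

/* IPv4 UDP caveat: checksum 0 means "none" and must stay 0, and a computed
 * zero is transmitted as 0xffff (RFC 768). */
uint16_t nat_udp_chksum_apply(uint16_t hc, uint16_t delta)
{
  uint16_t r;
  if (hc == 0) return 0;
  r = nat_chksum_apply(hc, delta);
  return r == 0 ? 0xffff : r;
}

/* Constructed 20-byte IPv4 header with the checksum field filled in. */
static void build_hdr(uint8_t hdr[IPV4_HDRLEN], const uint8_t src[4], const uint8_t dst[4])
{
  uint16_t c;
  memset(hdr, 0, IPV4_HDRLEN);
  hdr[0] = 0x45;                      /* version 4, IHL 5 */
  hdr[2] = 0x00; hdr[3] = 0x3c;       /* total length 60 */
  hdr[4] = 0x12; hdr[5] = 0x34;       /* identification */
  hdr[8] = 64;                        /* TTL */
  hdr[9] = 17;                        /* protocol: UDP */
  memcpy(&hdr[12], src, 4);
  memcpy(&hdr[16], dst, 4);
  c = inet_chksum(hdr, IPV4_HDRLEN);
  hdr[10] = (uint8_t)(c >> 8); hdr[11] = (uint8_t)(c & 0xff);
}

/* Masquerade: rewrite the source address in place using the precomputed delta. */
uint16_t masquerade_src(uint8_t hdr[IPV4_HDRLEN], const uint8_t new_src[4], uint16_t delta)
{
  uint16_t hc = (uint16_t)((hdr[10] << 8) | hdr[11]);
  uint16_t hc2;
  memcpy(&hdr[12], new_src, 4);
  hc2 = nat_chksum_apply(hc, delta);
  hdr[10] = (uint8_t)(hc2 >> 8); hdr[11] = (uint8_t)(hc2 & 0xff);
  return hc2;
}

/* Demo with constructed addresses: the incremental result must equal a full
 * recomputation, and a receiver summing the rewritten header must get 0xffff. */
bool demo_delta_matches_recompute(void)
{
  const uint8_t lan[4] = {10, 0, 0, 2}, wan[4] = {203, 0, 113, 5}, dst[4] = {198, 51, 100, 7};
  uint8_t hdr[IPV4_HDRLEN], copy[IPV4_HDRLEN];
  uint16_t delta, inc, full;
  build_hdr(hdr, lan, dst);
  delta = nat_chksum_delta(lan, wan, 4);
  inc = masquerade_src(hdr, wan, delta);
  memcpy(copy, hdr, IPV4_HDRLEN);
  copy[10] = copy[11] = 0;
  full = inet_chksum(copy, IPV4_HDRLEN);
  return inc == full && fold(ones_sum(hdr, IPV4_HDRLEN)) == 0xffff;
}
```

One delta serves every checksum that covers the rewritten words, so for a TCP or UDP packet the same value is applied to both the IP header checksum and the transport checksum; the UDP wrapper exists because the "no checksum" and "computed zero" encodings of IPv4 UDP are not ordinary one's-complement values.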
To prepare for future IPv6 NAT functions.
- Rename common ipv4_nat_xxx to nat_xxx
- Move some common definitions into header
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
Because CAN is a broadcast protocol, each conn needs to be given independent data to avoid mutual interference.
Signed-off-by: zhanghongyu <zhanghongyu@xiaomi.com>
The symmetric NAT limits one external port to be used with only one peer ip:port.
Note:
1. To avoid using too much #ifdef, we're always passing peer_ip and peer_port as arguments, but won't use them under full cone NAT, and let the compiler optimize them away.
2. We need to find port binding without peer ip:port, so don't add peer ip:port into hash key.
3. Symmetric NAT needs to *select another external port if a port is used by any other NAT entry*, this behavior is exactly the same as Full Cone NAT, so we don't need to change anything related to `ipv4_nat_port_inuse`.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
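The three notes above, worked through as an added example (not NuttX code; the table, entry layout and address constants are constructed for the demonstration, and the NAT type is a runtime field here rather than a Kconfig option so both behaviours can be exercised in one build): the lookup is keyed on the external port only, the peer ip:port is compared afterwards and only under symmetric NAT, and port selection treats a port as taken if any entry uses it, regardless of NAT type.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum nat_type { NAT_FULL_CONE, NAT_SYMMETRIC };

struct nat_entry
{
  bool     used;
  uint32_t local_ip;
  uint16_t local_port;
  uint32_t peer_ip;    /* always stored, only compared under symmetric NAT */
  uint16_t peer_port;
  uint16_t ext_port;
};

#define NAT_NENTRIES 8
#define NAT_PORT_MIN 32768

struct nat_table
{
  enum nat_type    type;
  struct nat_entry ent[NAT_NENTRIES];
};

/* Same rule for both NAT types: a port is taken if ANY entry uses it. */
static bool nat_port_inuse(const struct nat_table *t, uint16_t port)
{
  for (int i = 0; i < NAT_NENTRIES; i++)
    if (t->ent[i].used && t->ent[i].ext_port == port) return true;
  return false;
}

/* Pick a free external port, starting from the local port, wrapping once. */
static uint16_t nat_select_port(const struct nat_table *t, uint16_t hint)
{
  uint16_t p = hint < NAT_PORT_MIN ? NAT_PORT_MIN : hint;
  for (unsigned n = 0; n < 65536u - NAT_PORT_MIN; n++)
    {
      if (!nat_port_inuse(t, p)) return p;
      p = (p == 0xffff) ? NAT_PORT_MIN : (uint16_t)(p + 1);
    }
  return 0; /* exhausted */
}

/* Inbound: key on external port only; peer ip:port is a post-check. */
struct nat_entry *nat_inbound_find(struct nat_table *t, uint16_t ext_port,
                                   uint32_t peer_ip, uint16_t peer_port)
{
  for (int i = 0; i < NAT_NENTRIES; i++)
    {
      struct nat_entry *e = &t->ent[i];
      if (!e->used || e->ext_port != ext_port) continue;
      if (t->type == NAT_FULL_CONE) return e;
      if (e->peer_ip == peer_ip && e->peer_port == peer_port) return e;
    }
  return NULL;
}

/* Outbound: reuse the mapping if it exists, else create one on a fresh port. */
struct nat_entry *nat_outbound(struct nat_table *t, uint32_t local_ip, uint16_t local_port,
                               uint32_t peer_ip, uint16_t peer_port)
{
  struct nat_entry *slot = NULL;
  uint16_t port;
  for (int i = 0; i < NAT_NENTRIES; i++)
    {
      struct nat_entry *e = &t->ent[i];
      if (!e->used) { if (!slot) slot = e; continue; }
      if (e->local_ip != local_ip || e->local_port != local_port) continue;
      if (t->type == NAT_FULL_CONE) return e;                    /* one port per local socket */
      if (e->peer_ip == peer_ip && e->peer_port == peer_port) return e;  /* one port per peer */
    }
  if (!slot || (port = nat_select_port(t, local_port)) == 0) return NULL;
  *slot = (struct nat_entry){ .used = true, .local_ip = local_ip, .local_port = local_port,
                              .peer_ip = peer_ip, .peer_port = peer_port, .ext_port = port };
  return slot;
}

struct nat_demo_result { int entries; bool same_ext_port; bool unsolicited_passes; };

/* Constructed scenario: one local socket talks to peers A and B, then a third
 * host C sends an unsolicited packet to the external port used for A. */
struct nat_demo_result nat_demo(enum nat_type type)
{
  struct nat_table t;
  struct nat_demo_result r = { 0, false, false };
  const uint32_t lan = 0xc0a8010a, a = 0x01020304, b = 0x05060708, c = 0x090a0b0c;
  struct nat_entry *ea, *eb;
  memset(&t, 0, sizeof t);
  t.type = type;
  ea = nat_outbound(&t, lan, 5000, a, 53);
  eb = nat_outbound(&t, lan, 5000, b, 53);
  for (int i = 0; i < NAT_NENTRIES; i++) r.entries += t.ent[i].used;
  r.same_ext_port = ea && eb && ea->ext_port == eb->ext_port;
  r.unsolicited_passes = ea && nat_inbound_find(&t, ea->ext_port, c, 4444) != NULL;
  return r;
}
```

Under full cone the second destination reuses the single mapping and host C's packet is forwarded; under symmetric NAT the second destination gets its own entry on the next free port and C's packet finds no entry and is dropped, which is the security property symmetric NAT buys at the cost of breaking hole punching.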
Fix minor problems found when reading the code:
- icmpv6_autoconfig: Call net_unlock before return
- pkt_sendmsg: Return error for types other than SOCK_RAW
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
1. Don't assert on IGMP inside ICMP, just ignore it.
2. Check we have full IP header inside ICMP payload before accessing it.
3. `inner_l4hdrbak` needs to be `L4_MAXHDRLEN`, not `L4_MAXHDRLEN/2`.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
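Points 1 and 2 above as an added example of a defensive inner-header parser (not NuttX code; the packet layout and the test packets are constructed here): the parser refuses to touch the embedded IP header until the buffer holds all of it, uses the inner IHL rather than the 20-byte minimum to decide that, and returns "ignored" for non-transport protocols such as IGMP instead of asserting.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ICMP_HDRLEN    8    /* type, code, checksum, rest-of-header */
#define IPV4_MINHDRLEN 20
#define IP_PROTO_IGMP  2
#define IP_PROTO_TCP   6
#define IP_PROTO_UDP   17

enum icmp_inner_status { INNER_OK, INNER_TRUNCATED, INNER_IGNORED };

struct icmp_inner
{
  uint8_t  proto;
  uint32_t src, dst;      /* host order */
  uint16_t sport, dport;  /* first 4 bytes of the inner L4 header */
};

/* Parse the original datagram embedded in an ICMP error. pkt points at the
 * ICMP header; len is the number of bytes actually present in the buffer. */
enum icmp_inner_status icmp_inner_parse(const uint8_t *pkt, size_t len, struct icmp_inner *out)
{
  const uint8_t *inner;
  size_t avail, ihl;

  /* 1. ICMP header plus a minimal inner IPv4 header must be present. */
  if (len < ICMP_HDRLEN + IPV4_MINHDRLEN) return INNER_TRUNCATED;
  inner = pkt + ICMP_HDRLEN;
  avail = len - ICMP_HDRLEN;

  /* 2. The inner header declares its own length; all of it must be present
   *    before any field past the fixed 20 bytes is read. */
  if ((inner[0] >> 4) != 4) return INNER_IGNORED;
  ihl = (size_t)(inner[0] & 0x0f) * 4;
  if (ihl < IPV4_MINHDRLEN || avail < ihl) return INNER_TRUNCATED;

  /* 3. Only transport protocols carry ports; anything else (IGMP, ...) is
   *    ignored rather than treated as an invariant violation. */
  out->proto = inner[9];
  if (out->proto != IP_PROTO_TCP && out->proto != IP_PROTO_UDP) return INNER_IGNORED;

  /* 4. RFC 792 only guarantees 8 bytes of the original datagram after the
   *    IP header; the ports need the first 4 of them. */
  if (avail < ihl + 4) return INNER_TRUNCATED;
  out->src = (uint32_t)inner[12] << 24 | (uint32_t)inner[13] << 16 | (uint32_t)inner[14] << 8 | inner[15];
  out->dst = (uint32_t)inner[16] << 24 | (uint32_t)inner[17] << 16 | (uint32_t)inner[18] << 8 | inner[19];
  out->sport = (uint16_t)((inner[ihl] << 8) | inner[ihl + 1]);
  out->dport = (uint16_t)((inner[ihl + 2] << 8) | inner[ihl + 3]);
  return INNER_OK;
}

/* Constructed ICMP "port unreachable" (type 3, code 3) with an inner IPv4
 * header and 8 bytes of inner UDP. Checksums are left zero: not checked here. */
static size_t build_icmp_unreach(uint8_t *buf, uint8_t inner_proto, uint8_t inner_ihl)
{
  uint8_t *inner = buf + ICMP_HDRLEN;
  const uint8_t src[4] = {10, 0, 0, 2}, dst[4] = {203, 0, 113, 9};
  memset(buf, 0, ICMP_HDRLEN + IPV4_MINHDRLEN + 8);
  buf[0] = 3; buf[1] = 3;
  inner[0] = (uint8_t)(0x40 | inner_ihl);
  inner[3] = 28;                        /* total length 20 + 8 */
  inner[8] = 64;                        /* TTL */
  inner[9] = inner_proto;
  memcpy(&inner[12], src, 4);
  memcpy(&inner[16], dst, 4);
  inner[20] = 0x13; inner[21] = 0x88;   /* source port 5000 */
  inner[22] = 0x00; inner[23] = 0x35;   /* destination port 53 */
  return ICMP_HDRLEN + IPV4_MINHDRLEN + 8;
}

/* Cases: 0 = complete UDP; 1 = buffer cut 10 bytes into the inner header;
 * 2 = inner IGMP; 3 = inner IHL says 24 bytes but only 22 arrived. */
enum icmp_inner_status icmp_demo(int which)
{
  uint8_t buf[ICMP_HDRLEN + IPV4_MINHDRLEN + 8];
  struct icmp_inner in;
  size_t len = build_icmp_unreach(buf, which == 2 ? IP_PROTO_IGMP : IP_PROTO_UDP,
                                  which == 3 ? 6 : 5);
  if (which == 1) len = ICMP_HDRLEN + 10;
  if (which == 3) len = ICMP_HDRLEN + 22;
  return icmp_inner_parse(buf, len, &in);
}

uint16_t icmp_demo_dport(void)
{
  uint8_t buf[ICMP_HDRLEN + IPV4_MINHDRLEN + 8];
  struct icmp_inner in = {0};
  size_t len = build_icmp_unreach(buf, IP_PROTO_UDP, 5);
  return icmp_inner_parse(buf, len, &in) == INNER_OK ? in.dport : 0;
}
```

Case 3 is the one a minimum-length check alone misses: the inner header passes the 20-byte test but its IHL claims 24, so reading the L4 ports at offset 24 would run past the received data.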
https://github.com/apache/nuttx/pull/11384 has changed the source
address selection of UDP from raddr to laddr, but not all UDP
connections have laddr set, so we need to fall back to getting the
source from raddr.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
Support longest prefix match routing described as "Longest Match" in
RFC 1812, Section 5.2.4.3, Page 75.
Introduced `prefixlen` to indicate the prefix length of the currently
found route, and only look up longer prefixes in all later steps.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
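The lookup described above, as an added example (not the NuttX routing code; the route table and addresses are constructed for the demonstration): the old first-match lookup beside a longest-match one that keeps the `prefixlen` of the best route so far and accepts a later route only when its prefix is strictly longer, which is the RFC 1812 Section 5.2.4.3 rule.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define IP4(a, b, c, d) \
  ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

struct route_entry
{
  uint32_t target;   /* network address, host order */
  uint32_t netmask;
  uint32_t router;   /* next hop */
};

/* Prefix length = number of contiguous leading one bits in the netmask.
 * A non-contiguous mask counts only its leading run, which is deliberate:
 * such masks have no well-defined prefix length. */
uint8_t netmask_prefixlen(uint32_t netmask)
{
  uint8_t n = 0;
  while (n < 32 && (netmask & (0x80000000u >> n))) n++;
  return n;
}

static bool route_match(const struct route_entry *r, uint32_t dest)
{
  return ((dest ^ r->target) & r->netmask) == 0;
}

/* Before: the first matching route wins, so table order decides. */
int route_lookup_first(const struct route_entry *tbl, size_t n, uint32_t dest, uint32_t *router)
{
  for (size_t i = 0; i < n; i++)
    if (route_match(&tbl[i], dest))
      {
        *router = tbl[i].router;
        return (int)i;
      }
  return -1;
}

/* After: longest match. prefixlen holds the prefix length of the route found
 * so far; later routes are only considered if they match with a longer one. */
int route_lookup_longest(const struct route_entry *tbl, size_t n, uint32_t dest, uint32_t *router)
{
  int best = -1;
  int prefixlen = -1;
  for (size_t i = 0; i < n; i++)
    {
      int len;
      if (!route_match(&tbl[i], dest)) continue;
      len = netmask_prefixlen(tbl[i].netmask);
      if (len > prefixlen)
        {
          prefixlen = len;
          best = (int)i;
          *router = tbl[i].router;
        }
    }
  return best;
}

/* Constructed table, deliberately ordered with the default route first,
 * which is the case where first-match gives the wrong answer. */
static const struct route_entry g_routes[] =
{
  { IP4(0, 0, 0, 0),  IP4(0, 0, 0, 0),     IP4(192, 168, 1, 1) },  /* default */
  { IP4(10, 0, 0, 0), IP4(255, 0, 0, 0),   IP4(10, 0, 0, 1)    },  /* 10.0.0.0/8 */
  { IP4(10, 1, 0, 0), IP4(255, 255, 0, 0), IP4(10, 1, 0, 1)    },  /* 10.1.0.0/16 */
};
#define NROUTES (sizeof g_routes / sizeof g_routes[0])

uint32_t next_hop_first(uint32_t dest)
{
  uint32_t r = 0;
  route_lookup_first(g_routes, NROUTES, dest, &r);
  return r;
}

uint32_t next_hop_longest(uint32_t dest)
{
  uint32_t r = 0;
  route_lookup_longest(g_routes, NROUTES, dest, &r);
  return r;
}
```

With this table a packet for 10.1.2.3 leaves via the /16 router under longest match, while first-match sends it to the default gateway; traffic for 10.2.0.5 falls to the /8 route and anything outside 10/8 to the default.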
If we only enable one of `CONFIG_NET_ARP_SEND` and
`CONFIG_NET_ICMPv6_NEIGHBOR`, both IPv4 and IPv6 traffic will send
ARP or NDP, which causes problems.
Example:
`CONFIG_NET_ARP_SEND=n`
`CONFIG_NET_ICMPv6_NEIGHBOR=y`
Wrong:
IPv4 traffic (`PF_INET`) goes into `icmpv6_neighbor`, which
definitely causes problems.
Correct:
IPv4 traffic doesn't call anything, IPv6 traffic calls `icmpv6_neighbor`
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
Follow the posix standard:
If no messages are available to be received and the peer has
performed an orderly shutdown, recv() shall return 0.
Signed-off-by: Bowen Wang <wangbowen6@xiaomi.com>
When peer->lc_cfpcount == LOCAL_NCONTROLFDS,
line 122: `peer->lc_cfps[peer->lc_cfpcount++] = filep2;` accesses
out of range.
Signed-off-by: Bowen Wang <wangbowen6@xiaomi.com>
In this case, the remote addr is all zero, and the length of the
IP header is not recognized as ipv6_is_ipv4. This will cause
problems in subsequent data filling.
Signed-off-by: zhanghongyu <zhanghongyu@xiaomi.com>
Move the accept logic into the connect flow,
in order to successfully establish a blocking connection between
the client and server on the same thread.
Non-blocking is not affected, and the blocking connect now follows the
same flow as the non-blocking one; other APIs are not affected.
Signed-off-by: zhanghongyu <zhanghongyu@xiaomi.com>
The `xxx_ipv6multicast` function in each driver is not adapted to
multiple IPv6 addresses yet, and they're redundant, so try to move them
into common code.
Change:
1. Add MAC `g_ipv6_ethallnodes` and `g_ipv6_ethallrouters` in
`icmpv6_devinit` and call them in `netdev_register`
2. Add multicast MAC for Neighbor Solicitation when adding any IPv6
address, and remove them when IPv6 address is removed
3. Select `NET_MCASTGROUP` when `NET_ICMPv6` because now we need
`d_addmac` when we have ICMPv6
Note:
We want modules outside net stack to call functions like
`netdev_ipv6_add` and never touch the related MAC address, so these MAC
functions are added as internal functions to `net/netdev/netdev.h`
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
When CONFIG_NET_TCP_WRITE_BUFFERS is enabled, iobs are used for
both queuing data from application, and for assembling packets
for sending. If there is a system-wide shortage of iobs, it could
happen that there is not enough free space to form any packets
to send. The buffers allocated for TCP data also can't be released
until the packet is sent.
Normally this should be avoided by setting suitable values for
CONFIG_IOB_NBUFFERS and CONFIG_IOB_THROTTLE. The default values
are ok for light usage, but can run out when using multiple
simultaneous TCP streams.
Before this commit, iob shortage would cause TCP connections to
get stuck and eventually time out. With this change, the TCP stack
sends smaller packets, eventually freeing some buffers from the
write queue.