sergiotarxz/nuttx
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
1c8d0bfdc7
nuttx/net/nat/Kconfig
Zhe Weng f3b34c84c2 net/nat: Support IPv6 Masquerading (NAT66) 
Notes:
1. This version of NAT66 is a stateful one like NAT44, corresponding to Linux's MASQUERADE target of ip6tables.  We can support stateless NAT66 & NPTv6 later by slightly modify the address & port selection logic (maybe just match the rules and skip the entry find).
2. We're using same flag `IFF_NAT` for both NAT44 & NAT66 to make control easier.  Which means, if we enable NAT, both NAT44 & NAT66 will be enabled.  If we don't want one of them, we can just disable that one in Kconfig.
3. Maybe we can accelerate the checksum adjustment by pre-calculate a difference of checksum, and apply it to each packet, instead of calling `net_chksum_adjust` each time.  Just a thought, maybe do it later.
4. IP fragment segments on NAT66 connections are not supported yet.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2024-04-11 22:23:29 +08:00

127 lines
3.4 KiB
Plaintext
Raw Blame History

#
# For a description of the syntax of this configuration file,
# see the file kconfig-language.txt in the NuttX tools repository.
#
config NET_NAT
bool "Network Address Translation (NAT)"
default n
depends on NET_IPFORWARD
---help---
Enable or disable Network Address Translation (NAT) function.
Note: When forwarding IPv4 packet and applying NAT, NAT may be
applied directly on a single I/O buffer containing L3 packet header,
and NAT may need a continuous buffer of at least 68 Bytes
(IPv4 20B + ICMP 8B + IPv4 20B + TCP 20B). And 108 Bytes for IPv6.
config NET_NAT44
bool "IPv4-to-IPv4 NAT (NAT44)"
default y
depends on NET_IPv4 && NET_NAT
depends on IOB_BUFSIZE >= 68
choice
prompt "NAT44 Type"
default NET_NAT44_FULL_CONE
depends on NET_NAT44
config NET_NAT44_FULL_CONE
bool "Full Cone NAT"
---help---
Full Cone NAT is easier to traverse than Symmetric NAT, and uses
less resources than Symmetric NAT.
config NET_NAT44_SYMMETRIC
bool "Symmetric NAT"
---help---
Symmetric NAT will be safer than Full Cone NAT, be more difficult
to traverse, and has more entries which may lead to heavier load.
endchoice
config NET_NAT66
bool "IPv6-to-IPv6 NAT (NAT66)"
default y
depends on NET_IPv6 && NET_NAT
depends on IOB_BUFSIZE >= 108
choice
prompt "NAT66 Type"
default NET_NAT66_FULL_CONE
depends on NET_NAT66
config NET_NAT66_FULL_CONE
bool "Full Cone NAT"
---help---
Full Cone NAT is easier to traverse than Symmetric NAT, and uses
less resources than Symmetric NAT.
config NET_NAT66_SYMMETRIC
bool "Symmetric NAT"
---help---
Symmetric NAT will be safer than Full Cone NAT, be more difficult
to traverse, and has more entries which may lead to heavier load.
endchoice
config NET_NAT_HASH_BITS
int "The bits of NAT entry hashtable"
default 5
range 1 10
depends on NET_NAT
---help---
The hashtable of NAT entries will have (1 << bits) buckets.
config NET_NAT_TCP_EXPIRE_SEC
int "TCP NAT entry expiration seconds"
default 86400
depends on NET_NAT
---help---
The expiration time for idle TCP entry in NAT.
Note: The default value 86400 is suggested by RFC2663, Section 2.6,
Page 5.
config NET_NAT_UDP_EXPIRE_SEC
int "UDP NAT entry expiration seconds"
default 240
depends on NET_NAT
---help---
The expiration time for idle UDP entry in NAT.
Note: RFC2663 (Section 2.6, Page 5) suggests that non-TCP sessions
that have not been used for a couple of minutes can be assumed to be
terminated.
config NET_NAT_ICMP_EXPIRE_SEC
int "ICMP NAT entry expiration seconds"
default 60
depends on NET_NAT
---help---
The expiration time for idle ICMP entry in NAT.
Note: The default value 60 is suggested by RFC5508, Section 3.2,
Page 8.
config NET_NAT_ICMPv6_EXPIRE_SEC
int "ICMPv6 NAT entry expiration seconds"
default 60
depends on NET_NAT
---help---
The expiration time for idle ICMPv6 entry in NAT.
config NET_NAT_ENTRY_RECLAIM_SEC
int "The time to auto reclaim all expired entries"
default 3600
depends on NET_NAT
---help---
The time to auto reclaim all expired entries. A value of zero will
disable auto reclaiming.
Note: Expired entries will be automatically reclaimed when matching
inbound/outbound entries, so this config does not have significant
impact when NAT is normally used, but very useful when the hashtable
is big and there are only a few connections using NAT (which will
only trigger reclaiming on a few chains in hashtable).
Reference in New Issue View Git Blame Copy Permalink