a1a09f271f
The symmetric NAT limits one external port to be used with only one peer ip:port. Note: 1. To avoid using too much #ifdef, we're always passing peer_ip and peer_port as arguments, but won't use them under full cone NAT, let the compiler optimize them. 2. We need to find port binding without peer ip:port, so don't add peer ip:port into hash key. 3. Symmetric NAT needs to *select another external port if a port is used by any other NAT entry*, this behavior is exactly same as Full Cone NAT, so we don't need to change anything related to `ipv4_nat_port_inuse`. Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
89 lines
2.5 KiB
Plaintext
89 lines
2.5 KiB
Plaintext
#
|
|
# For a description of the syntax of this configuration file,
|
|
# see the file kconfig-language.txt in the NuttX tools repository.
|
|
#
|
|
|
|
config NET_NAT
|
|
bool "Network Address Translation (NAT)"
|
|
default n
|
|
depends on NET_IPFORWARD && IOB_BUFSIZE >= 68
|
|
---help---
|
|
Enable or disable Network Address Translation (NAT) function.
|
|
|
|
Note: When forwarding IPv4 packet and applying NAT, NAT may be
|
|
applied directly on a single I/O buffer containing L3 packet header,
|
|
and NAT may need a continuous buffer of at least 68 Bytes
|
|
(IPv4 20B + ICMP 8B + IPv4 20B + TCP 20B).
|
|
|
|
choice
|
|
prompt "NAT Type"
|
|
default NET_NAT_FULL_CONE
|
|
depends on NET_NAT
|
|
|
|
config NET_NAT_FULL_CONE
|
|
bool "Full Cone NAT"
|
|
---help---
|
|
Full Cone NAT is easier to traverse than Symmetric NAT, and uses
|
|
less resources than Symmetric NAT.
|
|
|
|
config NET_NAT_SYMMETRIC
|
|
bool "Symmetric NAT"
|
|
---help---
|
|
Symmetric NAT will be safer than Full Cone NAT, be more difficult
|
|
to traverse, and has more entries which may lead to heavier load.
|
|
|
|
endchoice
|
|
|
|
config NET_NAT_HASH_BITS
|
|
int "The bits of NAT entry hashtable"
|
|
default 5
|
|
range 1 10
|
|
depends on NET_NAT
|
|
---help---
|
|
The hashtable of NAT entries will have (1 << bits) buckets.
|
|
|
|
config NET_NAT_TCP_EXPIRE_SEC
|
|
int "TCP NAT entry expiration seconds"
|
|
default 86400
|
|
depends on NET_NAT
|
|
---help---
|
|
The expiration time for idle TCP entry in NAT.
|
|
|
|
Note: The default value 86400 is suggested by RFC2663, Section 2.6,
|
|
Page 5.
|
|
|
|
config NET_NAT_UDP_EXPIRE_SEC
|
|
int "UDP NAT entry expiration seconds"
|
|
default 240
|
|
depends on NET_NAT
|
|
---help---
|
|
The expiration time for idle UDP entry in NAT.
|
|
|
|
Note: RFC2663 (Section 2.6, Page 5) suggests that non-TCP sessions
|
|
that have not been used for a couple of minutes can be assumed to be
|
|
terminated.
|
|
|
|
config NET_NAT_ICMP_EXPIRE_SEC
|
|
int "ICMP NAT entry expiration seconds"
|
|
default 60
|
|
depends on NET_NAT
|
|
---help---
|
|
The expiration time for idle ICMP entry in NAT.
|
|
|
|
Note: The default value 60 is suggested by RFC5508, Section 3.2,
|
|
Page 8.
|
|
|
|
config NET_NAT_ENTRY_RECLAIM_SEC
|
|
int "The time to auto reclaim all expired entries"
|
|
default 3600
|
|
depends on NET_NAT
|
|
---help---
|
|
The time to auto reclaim all expired entries. A value of zero will
|
|
disable auto reclaiming.
|
|
|
|
Note: Expired entries will be automatically reclaimed when matching
|
|
inbound/outbound entries, so this config does not have significant
|
|
impact when NAT is normally used, but very useful when the hashtable
|
|
is big and there are only a few connections using NAT (which will
|
|
only trigger reclaiming on a few chains in hashtable).
|