kgess-mirror/freebsd-src
1
0
Fork 0
mirror of https://git.freebsd.org/src.git synced 2026-01-11 19:57:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

natd: Enable support for EIM NAT

Browse source 
Enable support for endpoint-independent mapping ("full cone NAT") via
Libalias's UDP NAT.

Reviewed by:    igoro, thj
Differential Revision:  https://reviews.freebsd.org/D46689
This commit is contained in:
Damjan Jovanovic 2024-12-06 09:21:06 +00:00 committed by Tom Jones
parent b6c90b9099
commit ef18594985
2 changed files with 30 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
sbin/natd/natd.8
View file

@ -1,4 +1,4 @@
.Dd October 5, 2016
.Dd December 6, 2024
.Dt NATD 8
.Os
.Sh NAME
@ -14,6 +14,7 @@
.Op Fl deny_incoming | d
.Op Fl use_sockets | s
.Op Fl same_ports | m
.Op Fl udp_eim
.Op Fl verbose | v
.Op Fl dynamic
.Op Fl in_port | i Ar port
@ -114,6 +115,26 @@ With this option, protocols such as RPC will have a better chance
of working.
If it is not possible to maintain the port number, it will be silently
changed as per normal.
.It Fl udp_eim
When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
("full cone" NAT of RFC 3489).
All packets from the same internal address:port are mapped to the same NAT
address:port, regardless of their destination address:port.
If filtering rules allow, and if
.Em deny_incoming
is disabled, any other external address:port can
also send to the internal address:port through its mapped NAT address:port.
This is more compatible with applications, and can reduce the need for port
forwarding, but less scalable as each NAT address:port can only be
concurrently used by at most one internal address:port.
.Pp
When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
NAT).
Each connection from a particular internal address:port to different
external addresses:ports is mapped to a random and unpredictable NAT
address:port.
Two appplications behind EDM NATs can only connect to each other
by port forwarding on the NAT, or tunnelling through an in-between server.
.It Fl verbose | v
Do not call
.Xr daemon 3

8
sbin/natd/natd.c
View file

@ -1138,6 +1138,14 @@ static struct OptionInfo optionTable[] = {
"same_ports",
"m" },
{ LibAliasOption,
PKT_ALIAS_UDP_EIM,
YesNo,
"[yes|no]",
"UDP traffic uses endpoint-independent mapping (\"full cone\" NAT)",
"udp_eim",
NULL },
{ Verbose,
0,
YesNo,