ipfw : Enable support for EIM NAT

Enable support for endpoint-independent mapping ("full cone NAT") via
Libalias's UDP NAT.

Reviewed by:    igoro, thj
Differential Revision:  https://reviews.freebsd.org/D46689D

sbin/ipfw/ipfw.8

@@ -1,5 +1,5 @@
 .\"
-.Dd December 17, 2023
+.Dd December 6, 2024
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -3403,6 +3403,26 @@ Skip instance in case of global state lookup (see below).
 .It Cm port_range Ar lower-upper
 Set the aliasing ports between the ranges given.
 Upper port has to be greater than lower.
+.It Cm udp_eim
+When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
+("full cone" NAT of RFC 3489).
+All packets from the same internal address:port are mapped to the same NAT
+address:port, regardless of their destination address:port.
+If filtering rules allow, and if
+.Em deny_in
+is unset, any other external address:port can
+also send to the internal address:port through its mapped NAT address:port.
+This is more compatible with applications, and can reduce the need for port
+forwarding, but less scalable as each NAT address:port can only be
+concurrently used by at most one internal address:port.
+.Pp
+When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
+NAT).
+Each connection from a particular internal address:port to different
+external addresses:ports is mapped to a random and unpredictable NAT
+address:port.
+Two appplications behind EDM NATs can only connect to each other
+by port forwarding on the NAT, or tunnelling through an in-between server.
 .El
 .Pp
 Some special values can be supplied instead of

sbin/ipfw/ipfw2.h

@@ -324,6 +324,7 @@ enum tokens {
 	TOK_SETMARK,
 
 	TOK_SKIPACTION,
+	TOK_UDP_EIM,
 };
 
 /*

sbin/ipfw/main.c

@@ -43,7 +43,7 @@ help(void)
 "add [num] [set N] [prob x] RULE-BODY\n"
 "{pipe|queue} N config PIPE-BODY\n"
 "[pipe|queue] {zero|delete|show} [N{,N}]\n"
-"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|unreg_cgn|\n"
+"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|unreg_cgn|udp_eim|\n"
 "		reset|reverse|proxy_only|redirect_addr linkspec|\n"
 "		redirect_port linkspec|redirect_proto linkspec|\n"
 "		port_range lower-upper}\n"

sbin/ipfw/nat.c

@@ -67,6 +67,7 @@ static struct _s_x nat_params[] = {
 	{ "redirect_addr",	TOK_REDIR_ADDR },
 	{ "redirect_port",	TOK_REDIR_PORT },
 	{ "redirect_proto",	TOK_REDIR_PROTO },
+	{ "udp_eim",		TOK_UDP_EIM },
  	{ NULL, 0 }	/* terminator */
 };
 
@@ -676,6 +677,9 @@ nat_show_cfg(struct nat44_cfg_nat *n, void *arg __unused)
 		} else if (n->mode & PKT_ALIAS_PROXY_ONLY) {
 			printf(" proxy_only");
 			n->mode &= ~PKT_ALIAS_PROXY_ONLY;
+		} else if (n->mode & PKT_ALIAS_UDP_EIM) {
+			printf(" udp_eim");
+			n->mode &= ~PKT_ALIAS_UDP_EIM;
 		}
 	}
 	/* Print all the redirect's data configuration. */
@@ -821,6 +825,7 @@ ipfw_config_nat(int ac, char **av)
 		case TOK_RESET_ADDR:
 		case TOK_ALIAS_REV:
 		case TOK_PROXY_ONLY:
+		case TOK_UDP_EIM:
 			break;
 		case TOK_REDIR_ADDR:
 			if (ac1 < 2)
@@ -927,6 +932,9 @@ ipfw_config_nat(int ac, char **av)
 		case TOK_PROXY_ONLY:
 			n->mode |= PKT_ALIAS_PROXY_ONLY;
 			break;
+		case TOK_UDP_EIM:
+			n->mode |= PKT_ALIAS_UDP_EIM;
+			break;
 			/*
 			 * All the setup_redir_* functions work directly in
 			 * the final buffer, see above for details.