
NetBSD-SoC: IPv6 support for NPF firewall

What is it?

[Short, general description for outside people who have no idea about the project, or even NetBSD]

Status

I'm going to change the minus sign in front to a plus and the text to a link to the commit
if an item on the list below is done.
Task 1: Support in the packet cache interface, n-code (npf_processor.c) and others

- Modify npf_fetch_ip(), in npf_inet.c, to support the IPv6 part.  The essential
  mechanism is IPv6 header length calculation.  Reading the IPv6 addresses
  into the cache using the nbuf_fetch_*() routines is straightforward.

- Implement IPv6 equivalents of the IPv4 instruction helper routines; see the
  npf_instr.c module.  The following fetch functions should have equivalents:
  npf_match_ip4mask(), npf_match_ip4mask() and npf_match_icmp4().

- Add CISC-like instructions for common cases: NPF_OPCODE_IP6MASK and
  NPF_OPCODE_IP6TABLE.  Amend the npf_ncode_process() and npf_ncode_validate()
  routines for these opcodes (execution and validation).  Alternatively,
  add an address family argument to the existing operations.

- Additionally, npf_return_tcp() should be able to construct an IPv6 header
  for the RST packet according to the version of the received packet.  Also,
  add an equivalent ICMPv6 call for npf_return_icmp().

- Search for any 'ip->ip_hl' uses and amend them to support IPv6.  Consider
  adding npf_cache_hlen(), which returns the IP header(s) length, and replace
  all direct uses of ip_hl with that routine.

- Modify npf_mk_tables() in npf_ctl.c to use npf_addr_t for table entries
  and add ioctls in npfctl_table() for IPv6 addresses.  This requires a
  change to the npf_ioctl_table_t structure.  Consider using npf_addr_t in it.
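As an added illustration of the first and third items above (example code written for this page, not NPF's own npf_inet.c or npf_instr.c), the C program below walks an IPv6 extension-header chain to find the offset of the layer 4 header, which is the job an IPv6-aware npf_cache_hlen() has to do, and then matches the cached addresses against a prefix the way an NPF_OPCODE_IP6MASK instruction would. The ex_ names, the cache structure and the sample packet are assumptions constructed for the example; the next-header constants are the standard IPPROTO_* values from <netinet/in.h>.

```c
/* Added example, not NPF code: IPv6 header-chain walk plus prefix match. */
#include <netinet/in.h>   /* IPPROTO_HOPOPTS, IPPROTO_FRAGMENT, IPPROTO_AH, ... */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6_HDRLEN 40

typedef struct { uint8_t s6[16]; } ex_addr6_t;   /* 128-bit form of an npf_addr_t (assumed) */

typedef struct {
    ex_addr6_t src, dst;
    unsigned   hlen;    /* bytes from the IPv6 header to the layer 4 header */
    uint8_t    proto;   /* final next-header value, i.e. the layer 4 protocol */
    bool       frag;    /* a Fragment header was present */
} ex_cache6_t;

/* Walk the extension headers of the packet in pkt[0..len).  Returns false
 * on truncation, a bad version, or a payload length exceeding the buffer. */
static bool ex_cache6_fetch(const uint8_t *pkt, size_t len, ex_cache6_t *c)
{
    if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
        return false;
    size_t plen = ((size_t)pkt[4] << 8) | pkt[5];
    if (IP6_HDRLEN + plen > len)
        return false;
    memcpy(c->src.s6, pkt + 8, 16);
    memcpy(c->dst.s6, pkt + 24, 16);
    c->frag = false;
    uint8_t nh = pkt[6];
    size_t off = IP6_HDRLEN;
    for (;;) {
        size_t ext;
        switch (nh) {
        case IPPROTO_HOPOPTS:
        case IPPROTO_ROUTING:
        case IPPROTO_DSTOPTS:
            if (off + 2 > len) return false;
            ext = ((size_t)pkt[off + 1] + 1) * 8;   /* length in 8-octet units, not counting the first */
            break;
        case IPPROTO_AH:
            if (off + 2 > len) return false;
            ext = ((size_t)pkt[off + 1] + 2) * 4;   /* AH counts 4-octet units, minus two */
            break;
        case IPPROTO_FRAGMENT:
            ext = 8;                                /* fixed size */
            c->frag = true;
            break;
        default:                                    /* upper-layer header (or IPPROTO_NONE) */
            c->hlen = (unsigned)off;
            c->proto = nh;
            return true;
        }
        if (off + ext > len) return false;
        nh = pkt[off];          /* every extension header starts with Next Header */
        off += ext;             /* ext >= 8 for all cases, so the loop terminates */
    }
}

/* True when addr lies in prefix/plen, plen in 0..128 (an IP6MASK-style match). */
static bool ex_match_ip6mask(const ex_addr6_t *addr, const ex_addr6_t *prefix, unsigned plen)
{
    if (plen > 128) return false;
    unsigned full = plen / 8, rem = plen % 8;
    if (memcmp(addr->s6, prefix->s6, full) != 0) return false;
    if (rem == 0) return true;
    uint8_t m = (uint8_t)(0xffu << (8 - rem));
    return (addr->s6[full] & m) == (prefix->s6[full] & m);
}

/* Constructed sample: IPv6 + Hop-by-Hop (8 B) + Fragment (8 B) + UDP (8 B). */
static size_t ex_build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t src[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,1};
    static const uint8_t dst[16] = {0x20,0x01,0x0d,0xb8,0,0,0,2, 0,0,0,0,0,0,0,1};
    if (cap < 64) return 0;
    memset(buf, 0, 64);
    buf[0] = 0x60; buf[5] = 24; buf[6] = IPPROTO_HOPOPTS; buf[7] = 64;
    memcpy(buf + 8, src, 16);
    memcpy(buf + 24, dst, 16);
    buf[40] = IPPROTO_FRAGMENT; buf[41] = 0; buf[42] = 1; buf[43] = 4;   /* Hop-by-Hop with PadN */
    buf[48] = IPPROTO_UDP; buf[52] = 0xde; buf[53] = 0xad; buf[54] = 0xbe; buf[55] = 0xef;
    buf[57] = 53; buf[58] = 0x04; buf[59] = 0xd2; buf[61] = 8;            /* UDP 53 -> 1234, len 8 */
    return 64;
}

int main(void)
{
    uint8_t buf[64];
    ex_cache6_t c;
    size_t len = ex_build_sample(buf, sizeof buf);
    if (!ex_cache6_fetch(buf, len, &c)) { puts("malformed packet"); return 1; }
    ex_addr6_t p = {{0x20,0x01,0x0d,0xb8}};     /* 2001:db8::/32 */
    printf("hlen=%u proto=%u frag=%d src-in-2001:db8::/32=%d\n",
           c.hlen, c.proto, c.frag, ex_match_ip6mask(&c.src, &p, 32));
    return 0;
}
```

Every length check happens before the byte it guards is read, so a truncated chain fails closed instead of reading past the buffer; a production version would additionally stop at a non-first fragment, whose layer 4 header is not present at all.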

Task 2: Session handling (npf_session.c) and NAT (npf_nat.c)

- The IPv6 header has no checksum; however, npf_rwrcksum() should still
  advance to the layer 4 header.  A trivial change is needed to advance by
  the IPv6 header(s) size.

- Remove asserts which will no longer be relevant.  Sprinkle new ones.
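An added example for the checksum item above (written for this page; it is not NPF's npf_rwrcksum()). The IPv6 header itself carries no checksum, but the TCP and UDP checksums cover a pseudo-header holding both addresses, so when NAT rewrites an address the layer 4 checksum still has to be fixed up. The program applies the RFC 1624 incremental update to a 16-byte address and checks the result against a full recomputation over the IPv6 pseudo-header. The ex_ names and the sample datagram are constructed assumptions.

```c
/* Added example, not NPF code: layer 4 checksum fixup after an IPv6 address rewrite. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_IPPROTO_UDP 17

/* Accumulate the 16-bit one's-complement sum of p[0..len) into sum. */
static uint32_t ex_sum(uint32_t sum, const uint8_t *p, size_t len)
{
    while (len > 1) {
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)p[0] << 8;   /* odd trailing byte is zero-padded */
    return sum;
}

/* Fold carries until the sum fits in 16 bits. */
static uint16_t ex_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Full checksum over the IPv6 pseudo-header (src, dst, upper-layer length,
 * next header) and the segment l4[0..l4len).  With the segment's checksum
 * field zeroed it returns the value to store (a UDP sender stores 0xffff
 * instead of 0); with the field filled in it returns 0 for a valid segment. */
static uint16_t ex_cksum6_full(const uint8_t src[16], const uint8_t dst[16],
                               uint8_t proto, const uint8_t *l4, size_t l4len)
{
    uint8_t ph[40] = {0};
    memcpy(ph, src, 16);
    memcpy(ph + 16, dst, 16);
    ph[32] = (uint8_t)(l4len >> 24);
    ph[33] = (uint8_t)(l4len >> 16);
    ph[34] = (uint8_t)(l4len >> 8);
    ph[35] = (uint8_t)l4len;
    ph[39] = proto;
    uint32_t s = ex_sum(0, ph, sizeof ph);
    s = ex_sum(s, l4, l4len);
    return (uint16_t)~ex_fold(s);
}

/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied word by word to a field of
 * even length rewritten from oldv to newv: a 16-byte address or a 2-byte port. */
static uint16_t ex_cksum_fixup(uint16_t cksum, const uint8_t *oldv,
                               const uint8_t *newv, size_t len)
{
    uint32_t s = (uint16_t)~cksum;
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint16_t o = (uint16_t)((oldv[i] << 8) | oldv[i + 1]);
        uint16_t n = (uint16_t)((newv[i] << 8) | newv[i + 1]);
        s += (uint16_t)~o;
        s += n;
    }
    return (uint16_t)~ex_fold(s);
}

/* Constructed sample: UDP from fd00::10 to 2001:db8:0:1::53, source rewritten
 * by NAT to 2001:db8::1.  Returns 1 when the incremental fixup equals a full
 * recomputation, 0 otherwise. */
static int ex_demo_rewrite(void)
{
    uint8_t src[16]  = {0xfd,0x00,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x10};
    uint8_t nsrc[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,0x01};
    uint8_t dst[16]  = {0x20,0x01,0x0d,0xb8,0,0,0,1, 0,0,0,0,0,0,0,0x53};
    /* UDP: sport 1234, dport 53, length 12, checksum 0, payload "npf6" */
    uint8_t udp[12]  = {0x04,0xd2, 0x00,0x35, 0x00,0x0c, 0x00,0x00, 'n','p','f','6'};

    uint16_t c = ex_cksum6_full(src, dst, EX_IPPROTO_UDP, udp, sizeof udp);
    udp[6] = (uint8_t)(c >> 8);
    udp[7] = (uint8_t)c;
    if (ex_cksum6_full(src, dst, EX_IPPROTO_UDP, udp, sizeof udp) != 0)
        return 0;                                     /* self-check of the full sum */

    uint16_t inc = ex_cksum_fixup(c, src, nsrc, 16);  /* the rwrcksum-style update */
    udp[6] = udp[7] = 0;
    uint16_t full = ex_cksum6_full(nsrc, dst, EX_IPPROTO_UDP, udp, sizeof udp);
    return inc == full;
}

int main(void)
{
    printf("incremental fixup %s full recomputation\n",
           ex_demo_rewrite() ? "matches" : "does NOT match");
    return 0;
}
```

The incremental form is what a firewall wants on the fast path: it never touches the payload, so its cost is the same for a 64-byte and a 1500-byte packet, and it needs only the old and new address bytes that the NAT code already has in hand.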

Task 3: NPF library

- Add equivalent of npf_table_add_entry() to take IPv6 address, or modify
  this routine to take npf_addr_t and address family (AF_INET / AF_INET6).

Task 4: NPF parser and other npfctl changes (npf_parser.c, npf_data.c)

- Add an address family argument to npfctl_getif() and return either an IPv4
  or an IPv6 address on request.  The caller, i.e. the rule parser, should
  request AF_INET or AF_INET6 depending on the "inet" or "inet6" option (syntax).

- Add an IPv6 equivalent of npfctl_parse_v4mask().  Modify npfctl_parse_cidr()
  to deal with the modified routines and return the IPv4 or IPv6 address in an
  npf_addr_t, rather than an in_addr_t.

- Update npfctl_fill_table() to distinguish IPv4 from IPv6 addresses and pass
  this info (or use correct routine) when adding the entry into the table.

- Replace the uses of in_addr_t in npfctl_parse_nat() with npf_addr_t,
  which would be taken directly from npfctl_parse_cidr().
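An added example for the npfctl_parse_cidr() and npfctl_fill_table() items above (example code for this page, not npfctl's own parser): one CIDR parser that accepts both families, returns the address in a family-tagged structure standing in for npf_addr_t, and rejects prefix lengths that do not fit the family. It uses the standard inet_pton() from <arpa/inet.h>; the ex_ names and the structure layout are assumptions.

```c
/* Added example, not npfctl code: family-aware CIDR parsing into one address type. */
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

typedef struct {
    int      family;     /* AF_INET or AF_INET6 */
    uint8_t  addr[16];   /* network byte order; only the first 4 bytes used for AF_INET */
    unsigned plen;       /* prefix length: 0..32 for AF_INET, 0..128 for AF_INET6 */
} ex_cidr_t;

/* Parse "addr" or "addr/len" of either family.  Returns 0 on success and -1 on
 * a malformed address, a non-numeric length, or a length too large for the
 * family.  Without "/len" the prefix covers the whole address. */
static int ex_parse_cidr(const char *s, ex_cidr_t *out)
{
    char buf[INET6_ADDRSTRLEN + 4];
    if (strlen(s) >= sizeof buf)
        return -1;
    strcpy(buf, s);
    char *slash = strchr(buf, '/');
    if (slash)
        *slash++ = '\0';

    unsigned char tmp[16];
    unsigned max;
    if (inet_pton(AF_INET, buf, tmp) == 1) {
        out->family = AF_INET;  max = 32;
    } else if (inet_pton(AF_INET6, buf, tmp) == 1) {
        out->family = AF_INET6; max = 128;
    } else {
        return -1;
    }
    memset(out->addr, 0, sizeof out->addr);
    memcpy(out->addr, tmp, max / 8);

    if (slash) {
        if (!isdigit((unsigned char)*slash))     /* reject "", "+5", "-1" */
            return -1;
        char *end;
        unsigned long v = strtoul(slash, &end, 10);
        if (*end != '\0' || v > max)
            return -1;
        out->plen = (unsigned)v;
    } else {
        out->plen = max;
    }
    return 0;
}

/* Human-readable form, e.g. for a table-fill routine that must tell the families apart. */
static void ex_print_cidr(const ex_cidr_t *c)
{
    char text[INET6_ADDRSTRLEN];
    inet_ntop(c->family, c->addr, text, sizeof text);
    printf("%s %s/%u\n", c->family == AF_INET ? "inet" : "inet6", text, c->plen);
}

int main(int argc, char **argv)
{
    /* Constructed inputs when none are given on the command line. */
    const char *demo[] = { "10.0.0.0/8", "2001:db8::/32", "fe80::1", "2001:db8::/129" };
    int n = argc > 1 ? argc - 1 : 4;
    for (int i = 0; i < n; i++) {
        const char *s = argc > 1 ? argv[i + 1] : demo[i];
        ex_cidr_t c;
        if (ex_parse_cidr(s, &c) == 0)
            ex_print_cidr(&c);
        else
            printf("rejected: %s\n", s);
    }
    return 0;
}
```

Keeping the family next to the address, rather than inferring it from the string each time, is what lets the later table and NAT code take one npf_addr_t-style value and branch on the family only where the two families genuinely differ.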

Task 5: NPF n-code generation in npfctl (npf_ncgen.c)

- Add IPv6 equivalents for npfctl_gennc_v4cidr() and npfctl_gennc_tbl().
  Use the NPF_OPCODE_IP6MASK and NPF_OPCODE_IP6TABLE instructions added in
  one of the Task 1 steps.

- Calculate the size of the IPv6 fragment generation routines and add new
  blocks with the size values into npfctl_calc_ncsize() and npfctl_failure_offset().

- Add new blocks into npfctl_rule_ncode() accordingly to account for IPv6
  fragments in them.  Modify npfctl_rulenc_block()/npfctl_rulenc_v4cidr() to
  distinguish IPv6 blocks and decrement the values in the right blocks.

Timeline

Deliverables

Committed IPv6 support for NPF inside the kernel
Updated userland tools to support these changes
Updated documentation to reflect these changes

Documentation

Technical Details


Zoltan Arnold Nagy <$student_email>
$Id: index.html,v 1.4 2011/05/26 14:50:43 nagyz Exp $