[RFC net-next 00/15] Introducing ipxlat: a stateless IPv4/IPv6 translation device

Ralf Lici posted 15 patches 2 weeks, 3 days ago
Hi all,

this RFC series introduces ipxlat, a virtual netdevice for stateless
packet translation between IPv6 and IPv4.

This stateless IP/ICMP translation (SIIT, RFC 7915) device is a building
block ultimately allowing suitably configured Linux systems to cover all
IPv6<>IPv4 connectivity scenarios outlined in RFC 6144, "Framework for
IPv4/IPv6 Translation".

While the packet translation function implemented in ipxlat itself is
stateless, building stateful NAT64 translators is easy in combination
with a sandwich of simple nft SNAT and MASQUERADE rules. Even SIIT-DC
(RFC 7755 / 7756) ER/BR functions including EAMT (RFC 7757) are thought
to be possible with suitable nft/iptables configuration, but this needs
further testing.

The series contains patches covering driver core, translation paths,
netlink API, selftests and documentation.

See Documentation/networking/ipxlat.rst for more details.


== Architecture ==

ipxlat sits at a boundary between two kernel models. It is exposed as a
netdevice, so it has device semantics such as MTU and netdev statistics.
However, most of its processing falls within protocol translation logic.
The implementation therefore uses netdevice hooks for integration and
lifecycle, while translation behavior follows RFC rules and reuses
existing IP stack helpers for routing, fragmentation and checksum
handling.

Feedback on the netdevice integration model is welcome, yet this series
intentionally keeps scope limited to a self-contained module to make
review and validation tractable.

ipxlat devices are created and destroyed via rtnl link operations.
Per-device translation parameters are configured through a generic
netlink family named ipxlat.

No generic networking core behavior is changed.


== RFCs ==

The ipxlat packet translation code considers:

- RFC 7915 - Stateless IP/ICMP translation (SIIT) behavior

- RFC 6052 - Address mapping for xlat-prefix sizes between /32 and /96

- RFC 6791 - Although we use standard ICMP source-address selection

- RFC 4884 - Translation painstakingly handles ICMP extensions

- RFC 5837 - Interface Information Objects from RFC 6791 are not
  implemented in this series and are planned as follow-up work


== Implementation ==

We enforce a strict processing contract: packet validation is done once,
then translation runs on that validated layout. When translation cannot
continue, the packet is either dropped or we switch to the ICMP error
emission path.

Control-plane updates are serialized, while the data path reads
configuration locklessly to keep per-packet overhead low.

During live reconfiguration, readers may transiently observe mixed old
and new values; this may cause a small number of packet drops while
configuration is being changed.

This tradeoff is intentional to keep the fast path simple and
lightweight.


== Selftests ==

Selftests are added under tools/testing/selftests/net/ipxlat and cover
ICMP, TCP and UDP translation in both directions, large-packet and
fragmentation-sensitive paths, ICMP error translation and PMTUD-related
emission paths.


== Points of Discussion ==

 - Tighter stack integration?


== Work Planned for v1 ==

 - icmp: Simplify FRAG_NEEDED / PKT_TOOBIG MTU calculation.

 - translation: Prevent skb loops without TTL/HLIM decrement?

 - netdevice: Decide on hardcoding MTU = 0xffff - $xlat_overhead

 - UDPv4 defrag and csum recalc for NAT64 (RFC 6146 Sec 3.4.) "For
   incoming IPv4 packets carrying UDP packets with a zero checksum ...
   MUST calculate the checksum"


== Acknowledgements ==

The ipxlat translation code is based on the Jool project in order to
benefit from years of accumulated experience and its golden-packet
test-suite.

Thanks to Jool's Principal Author, Alberto Leiva Popper, for developing
and maintaining Jool since IPv6 translation was last in vogue and
writing the initial "joolif" netdevice prototype our work was able to
start from.

Thanks to NLnet's NGI0 Core Fund for supporting development of the
ipxlat driver.


Thanks for your review,

Ralf Lici
Mandelbit SRL

---

Daniel Gröber (1):
  Documentation: networking: add ipxlat translator guide

Ralf Lici (14):
  drivers/net: add ipxlat netdevice skeleton and build plumbing
  ipxlat: add RFC 6052 address conversion helpers
  ipxlat: add packet metadata control block helpers
  ipxlat: add IPv4 packet validation path
  ipxlat: add IPv6 packet validation path
  ipxlat: add transport checksum and offload helpers
  ipxlat: add 4to6 and 6to4 TCP/UDP translation helpers
  ipxlat: add translation engine and dispatch core
  ipxlat: emit translator-generated ICMP errors on drop
  ipxlat: add 4to6 pre-fragmentation path
  ipxlat: add ICMP informational translation paths
  ipxlat: add ICMP error translation and quoted-inner handling
  ipxlat: add netlink control plane and uapi
  selftests: net: add ipxlat coverage

 Documentation/netlink/specs/ipxlat.yaml       |  97 +++
 Documentation/networking/ipxlat.rst           | 190 +++++
 drivers/net/Kconfig                           |  13 +
 drivers/net/Makefile                          |   1 +
 drivers/net/ipxlat/Makefile                   |  17 +
 drivers/net/ipxlat/address.c                  | 132 ++++
 drivers/net/ipxlat/address.h                  |  59 ++
 drivers/net/ipxlat/dispatch.c                 | 263 ++++++
 drivers/net/ipxlat/dispatch.h                 |  78 ++
 drivers/net/ipxlat/icmp.h                     |  45 ++
 drivers/net/ipxlat/icmp_46.c                  | 552 +++++++++++++
 drivers/net/ipxlat/icmp_64.c                  | 531 +++++++++++++
 drivers/net/ipxlat/ipxlpriv.h                 |  53 ++
 drivers/net/ipxlat/main.c                     | 148 ++++
 drivers/net/ipxlat/main.h                     |  27 +
 drivers/net/ipxlat/netlink-gen.c              |  71 ++
 drivers/net/ipxlat/netlink-gen.h              |  31 +
 drivers/net/ipxlat/netlink.c                  | 348 ++++++++
 drivers/net/ipxlat/netlink.h                  |  27 +
 drivers/net/ipxlat/packet.c                   | 747 ++++++++++++++++++
 drivers/net/ipxlat/packet.h                   | 166 ++++
 drivers/net/ipxlat/translate_46.c             | 256 ++++++
 drivers/net/ipxlat/translate_46.h             |  84 ++
 drivers/net/ipxlat/translate_64.c             | 206 +++++
 drivers/net/ipxlat/translate_64.h             |  56 ++
 drivers/net/ipxlat/transport.c                | 401 ++++++++++
 drivers/net/ipxlat/transport.h                | 122 +++
 include/uapi/linux/ipxlat.h                   |  48 ++
 tools/testing/selftests/net/ipxlat/.gitignore |   1 +
 tools/testing/selftests/net/ipxlat/Makefile   |  25 +
 .../selftests/net/ipxlat/ipxlat_data.sh       |  70 ++
 .../selftests/net/ipxlat/ipxlat_frag.sh       |  70 ++
 .../selftests/net/ipxlat/ipxlat_icmp_err.sh   |  54 ++
 .../selftests/net/ipxlat/ipxlat_lib.sh        | 273 +++++++
 .../net/ipxlat/ipxlat_udp4_zero_csum_send.c   | 119 +++
 35 files changed, 5381 insertions(+)
 create mode 100644 Documentation/netlink/specs/ipxlat.yaml
 create mode 100644 Documentation/networking/ipxlat.rst
 create mode 100644 drivers/net/ipxlat/Makefile
 create mode 100644 drivers/net/ipxlat/address.c
 create mode 100644 drivers/net/ipxlat/address.h
 create mode 100644 drivers/net/ipxlat/dispatch.c
 create mode 100644 drivers/net/ipxlat/dispatch.h
 create mode 100644 drivers/net/ipxlat/icmp.h
 create mode 100644 drivers/net/ipxlat/icmp_46.c
 create mode 100644 drivers/net/ipxlat/icmp_64.c
 create mode 100644 drivers/net/ipxlat/ipxlpriv.h
 create mode 100644 drivers/net/ipxlat/main.c
 create mode 100644 drivers/net/ipxlat/main.h
 create mode 100644 drivers/net/ipxlat/netlink-gen.c
 create mode 100644 drivers/net/ipxlat/netlink-gen.h
 create mode 100644 drivers/net/ipxlat/netlink.c
 create mode 100644 drivers/net/ipxlat/netlink.h
 create mode 100644 drivers/net/ipxlat/packet.c
 create mode 100644 drivers/net/ipxlat/packet.h
 create mode 100644 drivers/net/ipxlat/translate_46.c
 create mode 100644 drivers/net/ipxlat/translate_46.h
 create mode 100644 drivers/net/ipxlat/translate_64.c
 create mode 100644 drivers/net/ipxlat/translate_64.h
 create mode 100644 drivers/net/ipxlat/transport.c
 create mode 100644 drivers/net/ipxlat/transport.h
 create mode 100644 include/uapi/linux/ipxlat.h
 create mode 100644 tools/testing/selftests/net/ipxlat/.gitignore
 create mode 100644 tools/testing/selftests/net/ipxlat/Makefile
 create mode 100755 tools/testing/selftests/net/ipxlat/ipxlat_data.sh
 create mode 100755 tools/testing/selftests/net/ipxlat/ipxlat_frag.sh
 create mode 100755 tools/testing/selftests/net/ipxlat/ipxlat_icmp_err.sh
 create mode 100644 tools/testing/selftests/net/ipxlat/ipxlat_lib.sh
 create mode 100644 tools/testing/selftests/net/ipxlat/ipxlat_udp4_zero_csum_send.c

-- 
2.53.0