From 200209bc4c3abe8dd894497d70b32679df626834 Mon Sep 17 00:00:00 2001 From: "Andrew O. Shadura" Date: Wed, 15 Jun 2011 15:56:55 +0300 Subject: 01-use-var-spool use /var/spool/tayga instead of /var/db/tayga Gbp-Pq: Name 01-use-var-spool.patch --- tayga.conf.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tayga.conf.example b/tayga.conf.example index e5603d7..99b23c1 100644 --- a/tayga.conf.example +++ b/tayga.conf.example @@ -84,7 +84,7 @@ dynamic-pool 192.168.255.0/24 # # Optional. # -data-dir /var/db/tayga +data-dir /var/spool/tayga # # Establishes a single-host map. If an IPv6 host should be consistently -- cgit v1.2.3 From c6cf75df546fa048f1993bc6d6933546be6168f0 Mon Sep 17 00:00:00 2001 From: "Andrew O. Shadura" Date: Wed, 15 Jun 2011 15:56:55 +0300 Subject: 02-manpage don't use hyphen as minus sign Gbp-Pq: Name 02-manpage.patch --- tayga.8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tayga.8 b/tayga.8 index d13d9ac..efb746f 100644 --- a/tayga.8 +++ b/tayga.8 @@ -53,7 +53,7 @@ not running. This allows host-side network parameters and firewall rules to be configured prior to commencement of packet translation. This may simplify network configuration on the host; for example, systems which use a Debian-style /etc/network/interfaces file may configure TAYGA's TUN device at -boot by running `tayga --mktun` as a "pre-up" command and then configuring the +boot by running `tayga \-\-mktun` as a "pre-up" command and then configuring the TUN device as any other network interface. .SH OPTIONS -- cgit v1.2.3 From 2d3501842913098b4483142737bb525bf606218b Mon Sep 17 00:00:00 2001 From: "Barak A. Pearlmutter" Date: Wed, 18 Apr 2012 09:07:57 +0100 Subject: 03 configure no-CFLAGS Allow CFLAGS to default in configure.ac instead of hardwiring to -g -O2 Gbp-Pq: Name 03-configure-no-CFLAGS.patch --- configure.ac | 2 -- 1 file changed, 2 deletions(-) diff --git a/configure.ac b/configure.ac index 3d2a6c9..5640305 100644 
--- a/configure.ac +++ b/configure.ac @@ -5,8 +5,6 @@ AC_CONFIG_HEADERS(config.h) AC_PROG_CC -CFLAGS='-g -Wall' - tayga_conf_path=${sysconfdir}/tayga.conf AC_SUBST(tayga_conf_path) -- cgit v1.2.3 From 811e63019e61daced93e836feb8fa8663488a1df Mon Sep 17 00:00:00 2001 From: "Barak A. Pearlmutter" Date: Wed, 18 Apr 2012 09:09:11 +0100 Subject: 04 quote make var Quote filename containing variable modifiable at make time. Gbp-Pq: Name 04-quote-make-var.patch --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 5640305..fa99305 100644 --- a/configure.ac +++ b/configure.ac @@ -5,7 +5,7 @@ AC_CONFIG_HEADERS(config.h) AC_PROG_CC -tayga_conf_path=${sysconfdir}/tayga.conf +tayga_conf_path='${sysconfdir}/tayga.conf' AC_SUBST(tayga_conf_path) -- cgit v1.2.3 From 7bffbd34adcd5b02176c0c7410efdf77b34d9b16 Mon Sep 17 00:00:00 2001 From: "Barak A. Pearlmutter" Date: Wed, 18 Apr 2012 11:37:58 +0100 Subject: 05 guard chdir Guard chdir calls to avoid ignored-return-value warnings. Gbp-Pq: Name 05-guard-chdir.patch --- tayga.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/tayga.c b/tayga.c index fbd2e64..3886831 100644 --- a/tayga.c +++ b/tayga.c @@ -388,7 +388,11 @@ int main(int argc, char **argv) "is specified in %s\n", conffile); exit(1); } - chdir("/"); + if (chdir("/")) { + slog(LOG_CRIT, "Error: unable to chdir to /, aborting: %s\n", + strerror(errno)); + exit(1); + } } else if (chdir(gcfg->data_dir) < 0) { if (user || errno != ENOENT) { slog(LOG_CRIT, "Error: unable to chdir to %s, " @@ -460,7 +464,11 @@ int main(int argc, char **argv) gcfg->data_dir, strerror(errno)); exit(1); } - chdir("/"); + if (chdir("/")) { + slog(LOG_CRIT, "Error: unable to chdir to /, aborting: %s\n", + strerror(errno)); + exit(1); + } } if (gr) { -- cgit v1.2.3 From eb356eaec969eca5e81a27178600ff408efea71b Mon Sep 17 00:00:00 2001 
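Review bot: Both tayga.c hunks test the new guard as `if (chdir("/"))`, while the neighbouring call in the first hunk uses `chdir(gcfg->data_dir) < 0`; writing `< 0` at both new sites keeps one error convention. The same five-line check, log and exit block is added twice in main(), at the @@ -388 and @@ -460 hunks, so a small static helper would stop the two copies drifting apart. The second site follows an error path that reports gcfg->data_dir, which looks like the tail of a chroot step, though that call is outside the hunk. If so, a comment such as `/* after chroot the working directory must be moved inside the new root; treat failure as fatal */` would record why this is not just a warning. main() starts and ends outside both hunks.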
From: "Barak A. Pearlmutter" Date: Wed, 18 Apr 2012 11:47:19 +0100 Subject: 06 guard write Guard write call, avoid ignored-return-value warning. (This is not a false positive: a very subtle attack would consist of filling up the filesystem so much that only a partial PID is written, causing the wrong PID to be signaled later.) (Note that, technically speaking, if only some of the buffer is written we should retry the rest in a loop. But in this case, that seems exceedingly unlikely.) Gbp-Pq: Name 06-guard-write.patch --- tayga.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tayga.c b/tayga.c index 3886831..5027d0a 100644 --- a/tayga.c +++ b/tayga.c @@ -439,7 +439,10 @@ int main(int argc, char **argv) if (pidfile) { snprintf(addrbuf, sizeof(addrbuf), "%ld\n", (long)getpid()); - write(pidfd, addrbuf, strlen(addrbuf)); + if (write(pidfd, addrbuf, strlen(addrbuf)) != strlen(addrbuf)) { + slog(LOG_CRIT, "Error, unable to write PID file.\n"); + exit(1); + } close(pidfd); } -- cgit v1.2.3 From f770e262f81b702451b6ed0aebbdd9206067d849 Mon Sep 17 00:00:00 2001 From: Benda Xu Date: Fri, 28 Dec 2018 00:00:00 +0000 Subject: static EAM Support SIIT-DC styled EAM static maps Introduce Explicit Address Mapping as defined in RFC7757. This extends the `map ` into `map `. Forwarded: Nathan Lutchansky Gbp-Pq: Name 07-static-EAM.patch --- addrmap.c | 18 +++++++++++++++++- conffile.c | 40 +++++++++++++++++++++++++++++++++++++--- 2 files changed, 54 insertions(+), 4 deletions(-) diff --git a/addrmap.c b/addrmap.c index 7a4bf8b..895c3fc 100644 --- a/addrmap.c +++ b/addrmap.c @@ -422,6 +422,9 @@ int map_ip4_to_ip6(struct in6_addr *addr6, const struct in_addr *addr4, case MAP_TYPE_STATIC: s = container_of(map4, struct map_static, map4); *addr6 = s->map6.addr; + if (map4->prefix_len < 32) { + addr6->s6_addr32[3] = s->map6.addr.s6_addr32[3] | (addr4->s_addr & ~map4->mask.s_addr); + } break; case MAP_TYPE_RFC6052: s = container_of(map4, struct map_static, map4); 
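Review bot: On a short or failed write the new branch exits but leaves the pid file on disk, so the truncated PID the commit message worries about can still be read later. Calling `unlink(pidfile);` before `exit(1);` would remove it, assuming `pidfile` holds the path as the `if (pidfile)` test suggests; the open is outside the hunk. The comparison mixes the ssize_t result of write() with the size_t result of strlen(), which catches -1 only through unsigned conversion and will trip -Wsign-compare. Storing `size_t len = strlen(addrbuf);` and comparing against `(ssize_t)len` avoids that and the second strlen() call. The log line would also be more useful with `strerror(errno)`, as the chdir messages in this file already do.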
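Review bot: In the MAP_TYPE_STATIC case the packet's host bits are OR-ed into the configured address without first clearing that address's own host bits, so a map entry written with non-zero host bits (for example a /24 whose last octet is not 0) would translate several distinct addresses to the same result. The same pattern is in the map_ip6_to_ip4 hunk (@@ -564). Nothing in the visible config_map changes rejects or masks such an entry, though a check may exist outside the hunks. Masking at use, e.g. `(s->map6.addr.s6_addr32[3] & s->map6.mask.s6_addr32[3]) | (addr4->s_addr & ~map4->mask.s_addr)`, or rejecting the entry at parse time, would close this. A short comment that only the last 32-bit word is touched because equal-sized prefixes leave at most 32 host bits would also help; the enclosing switch continues outside the hunk.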
@@ -564,7 +567,13 @@ int map_ip6_to_ip4(struct in_addr *addr4, const struct in6_addr *addr6, switch (map6->type) { case MAP_TYPE_STATIC: s = container_of(map6, struct map_static, map6); - *addr4 = s->map4.addr; + + if (map6->prefix_len < 128) { + addr4->s_addr = s->map4.addr.s_addr | (addr6->s6_addr32[3] & ~map6->mask.s6_addr32[3]); + } else { + *addr4 = s->map4.addr; + } + break; case MAP_TYPE_RFC6052: if (extract_from_prefix(addr4, addr6, map6->prefix_len) < 0) @@ -629,3 +638,10 @@ void addrmap_maint(void) } } } + +/* +Local Variables: +c-basic-offset: 8 +indent-tabs-mode: t +End: +*/ diff --git a/conffile.c b/conffile.c index ec6433c..1c77371 100644 --- a/conffile.c +++ b/conffile.c 
@@ -217,16 +217,43 @@ static void config_map(int ln, int arg_count, char **args) m = alloc_map_static(ln); + char *slash; + slash = strchr(args[0], '/'); + unsigned int prefix4 = 32; + if (slash) { + prefix4 = atoi(slash+1); + slash[0] = NULL; + } + if (!inet_pton(AF_INET, args[0], &m->map4.addr)) { - slog(LOG_CRIT, "Expected an IPv4 address but found \"%s\" on " - "line %d\n", args[0], ln); + slog(LOG_CRIT, "Expected an IPv4 subnet but found \"%s\" on " + "line %d\n", args[0], ln); exit(1); } + m->map4.prefix_len = prefix4; + calc_ip4_mask(&m->map4.mask, NULL, prefix4); + + unsigned int prefix6 = 128; + slash = strchr(args[1], '/'); + if (slash) { + prefix6 = atoi(slash+1); + slash[0] = NULL; + } + + if ((32 - prefix4) != (128 - prefix6)) { + slog(LOG_CRIT, "IPv4 and IPv6 subnet must be of the same size, but found" + " %s and %s line %d\n", args[0], args[1], ln); + exit(1); + } + if (!inet_pton(AF_INET6, args[1], &m->map6.addr)) { - slog(LOG_CRIT, "Expected an IPv6 address but found \"%s\" on " + slog(LOG_CRIT, "Expected an IPv6 subnet but found \"%s\" on " "line %d\n", args[1], ln); exit(1); } + m->map6.prefix_len = prefix6; + calc_ip6_mask(&m->map6.mask, NULL, prefix6); + if (validate_ip4_addr(&m->map4.addr) < 0) { slog(LOG_CRIT, "Cannot use reserved address %s in map " "directive, aborting...\n", args[0]); @@ -490,3 +517,10 @@ malloc_fail: slog(LOG_CRIT, "Unable to allocate config memory\n"); exit(1); } + +/* +Local Variables: +c-basic-offset: 8 +indent-tabs-mode: t +End: +*/ -- cgit v1.2.3 From af4cf980a9fd97a6b63daf2d6b357662e8abbd50 Mon Sep 17 00:00:00 2001 From: Benda Xu Date: Fri, 28 Dec 2018 00:00:00 +0000 Subject: manpage-RFC Gbp-Pq: Name 08-manpage-RFC.patch --- tayga.8 | 10 +++++----- tayga.conf.5 | 19 ++++++++++++++----- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/tayga.8 b/tayga.8 index efb746f..e69cfc3 100644 --- a/tayga.8 +++ b/tayga.8 
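Review bot: The prefix lengths in config_map are parsed with `atoi(slash+1)` and never range-checked, so a non-numeric, negative or oversized value reaches `calc_ip4_mask`/`calc_ip6_mask` unchecked. Because `prefix4` and `prefix6` are unsigned, the size test `(32 - prefix4) != (128 - prefix6)` wraps and accepts pairs such as /40 with /136. `slash[0] = NULL;` stores a pointer constant into a char and should be `*slash = '\0';`, and since the string is cut at the slash before `inet_pton`, the later error messages print the address without its prefix. The sketch below parses the IPv4 length with `strtoul` and an upper bound of 32; the IPv6 side needs the same with a bound of 128. config_map begins and ends outside this hunk.

```c
	/* … unchanged: alloc_map_static call … */
	char *slash = strchr(args[0], '/');
	unsigned int prefix4 = 32;

	if (slash) {
		char *end;
		unsigned long v = strtoul(slash + 1, &end, 10);

		/* Reject empty, non-numeric, trailing-garbage and out-of-range
		 * lengths; overflow and a leading '-' both yield a value > 32. */
		if (end == slash + 1 || *end != '\0' || v > 32) {
			slog(LOG_CRIT, "Invalid IPv4 prefix length \"%s\" on "
					"line %d\n", slash + 1, ln);
			exit(1);
		}
		prefix4 = (unsigned int)v;
		*slash = '\0';
	}
	/* … unchanged: inet_pton(AF_INET, …), prefix_len and calc_ip4_mask … */
	/* … args[1]: same parsing with an upper bound of 128 … */
```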
@@ -1,4 +1,4 @@ -.TH TAYGA "8" "June 2011" "TAYGA 0.9.2" "" +.TH TAYGA "8" "Dec 2018" "TAYGA 0.9.2" "" .SH NAME tayga \- stateless NAT64 daemon @@ -19,10 +19,10 @@ driver, TAYGA receives IPv4 and IPv6 packets from the host's network stack, translates them to the other protocol, and then sends the translated packets back to the host using the same TUN interface. .P -Translation is compliant with IETF Internet-Draft -draft-ietf-behave-v6v4-xlate-23, and address mapping is performed in -accordance with RFC 6052. Optionally, TAYGA may be configured to dynamically -map IPv6 hosts to addresses drawn from a configured IPv4 address pool. +Translation is compliant with IETF RFC 6145, and address mapping is +performed in accordance with RFC 6052 or RFC 7757. Optionally, TAYGA may be +configured to dynamically map IPv6 hosts to addresses drawn from a +configured IPv4 address pool. .P As a stateless NAT, TAYGA requires a one-to-one mapping between IPv4 addresses and IPv6 addresses. Mapping multiple IPv6 addresses onto a single IPv4 diff --git a/tayga.conf.5 b/tayga.conf.5 index 3e084aa..76b1df8 100644 --- a/tayga.conf.5 +++ b/tayga.conf.5 @@ -1,4 +1,4 @@ -.TH TAYGA.CONF "5" "June 2011" "TAYGA 0.9.2" "" +.TH TAYGA.CONF "5" "Dec 2018" "TAYGA 0.9.2" "" .SH NAME tayga.conf \- configuration file of the TAYGA stateless NAT64 daemon .SH DESCRIPTION 
@@ -75,12 +75,21 @@ must be listed individually with the .B map directive. .TP -.BI "map " "ipv4_address ipv6_address" -Creates a static mapping between -.I ipv4_address +.BI "map " "ipv4_address[/length] ipv6_address[/length]" +Creates a static mapping between RFC 7577 compliant hosts or subnets +.I ipv4_address[/length] and -.I ipv6_address +.I ipv6_address[/length] to be used when translating IPv4 packets to IPv6 or IPv6 packets to IPv4. +If +.I /length +is not present, +.I /length +after +.I ipv4_address +is treated as "/32" and that of +.I ipv6_address +as "/128". Multiple .B map directives are permitted in the tayga.conf file. -- cgit v1.2.3