FS#3490 - Please include Full Cone NAT package #8358

Closed
openwrt-bot opened this issue Dec 5, 2020 · 8 comments
Labels
flyspray kernel pull request/issue with Linux kernel related changes release/19.07 pull request/issue targeted (also) for OpenWrt 19.07 release

@openwrt-bot

fullcone:

The default OpenWrt netfilter implements “Port Restricted Cone” NAT. Sometimes it’s useful to have less restricted NAT.

Someone recently created a netfilter extension that implements “Full Cone” NAT. Please include it in the package feeds.

Full Cone NAT description:
https://tools.ietf.org/html/rfc3489#section-5

Netfilter extension:
https://github.com/Chion82/netfilter-full-cone-nat

OpenWrt package:

https://github.com/LGA1150/openwrt-fullconenat
https://github.com/LGA1150/fullconenat-fw3-patch

@openwrt-bot
Author

fullcone:

Full Cone NAT package

@aparcar aparcar added release/19.07 pull request/issue targeted (also) for OpenWrt 19.07 release kernel pull request/issue with Linux kernel related changes labels Feb 22, 2022
@981213
Member

981213 commented Mar 7, 2022

As no one wants to maintain an OOT module in the main OpenWrt tree, there are two possible solutions to this:

  1. The kernel module itself should be upstreamed and we can backport it afterwards.
  2. Someone submits the package to the community package feed: https://github.com/openwrt/packages

@Lanchon
Contributor

Lanchon commented Aug 7, 2022

a bit more info here... #9248 (comment)

@fanthos

fanthos commented Sep 19, 2022

Some new code:
https://github.com/fullcone-nat-nftables/

@marekm72

RFC 3489 was obsoleted by 5389 and later 8489. While the "cone" shapes terminology may be obsolete, the issue is still valid. Please see RFC 4787 "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP" with updates (RFC 6888, RFC 7857), it is Best Current Practice (BCP 127) - it would be a good idea to review the Linux NAT implementation (which predates the RFCs by many years) for compliance. It's not a small task though.

@981213
Member

981213 commented Feb 24, 2023

Let me emphasise this again:
We have no interest in maintaining such an out-of-tree kernel module, meaning:

  1. We don't want to be responsible for fixing any bugs that may be caused by these random OOT kernel modules.
  2. We don't want to put extra effort into forward-porting these modules to newer kernel versions in the future.

Also, we are less adequate at properly reviewing these modules compared to the netfilter maintainers at Linux upstream.

The OpenWrt firewall relies on infrastructure provided by the Linux Netfilter project. If it's implemented in mainline Linux, OpenWrt will automatically get this function supported.

I hope I've explained clearly that this is not the right place for this discussion, and OpenWrt maintainers are not the proper people to review these kernel modules. (See also: #9248 (comment)) Please redirect your discussion and/or code to the upstream Linux Netfilter project instead.

I'm closing this issue as won't fix.

@981213 981213 closed this as not planned Feb 24, 2023
@marekm72

Understood. Could you point me in the right direction, as the upstream Linux Netfilter project seems to be mature, not very actively maintained, but perhaps I'm looking in the wrong places?

@981213
Member

981213 commented Feb 24, 2023

For patch submission you could follow the Linux kernel contribution guide here: https://www.kernel.org/doc/html/latest/process/submitting-patches.html
For other general discussion with the netfilter community you may send emails to a suitable netfilter mailing list described at: https://www.netfilter.org/mailinglists.html
As with other open-source projects, you can expect a proper review of the patches if you submit the code, but it's unlikely that someone will implement these for you when you are just talking.
