wengzhe opened a new pull request, #7562:
URL: https://github.com/apache/incubator-nuttx/pull/7562
## Summary
Add full cone NAT for NuttX; supports TCP / UDP / ICMP ECHO (PING).
Patches included:
- net: add basic NAT workflow
- net: verify NAT port usage in tcp_selectport
- net: select NAT external port by tcp_selectport for TCP
- net/nat: Add TCP entry expiration logic
- net/nat: Add ICMP ECHO (REQUEST & REPLY) support
- net/nat: Add UDP support
## Impact
If `CONFIG_NET_NAT` is enabled, and `ipv4_nat_enable` is called on any
netdev (which sets `IFF_NAT`), outbound packets will be masqueraded on the
device.
## Testing
Tested on Ubuntu 22.04 x86_64 with the following steps:
1. Configure NuttX with >=2 TAP devices (host route mode) and NAT enabled:
```Kconfig
CONFIG_NET_IPFORWARD=y
CONFIG_NET_NAT=y
# CONFIG_SIM_NET_BRIDGE is not set
CONFIG_SIM_NETDEV_NUMBER=2
```
2. Call `ipv4_nat_enable` on one dev on startup
```C
/* arch/sim/src/sim/up_netdriver.c */
int netdriver_init(void)
{
...
ipv4_nat_enable(&g_sim_dev[0]);
...
}
```
3. Set IP Address for NuttX on startup
```shell
ifconfig eth0 10.0.1.2
ifup eth0
ifconfig eth1 10.0.10.2
ifup eth1
```
4. Configure IP & namespace & route on the host side (you may need to be root;
if so, try `sudo -i`)
```bash
IF_HOST="enp1s0"
IF_0="tap0"
IP_HOST_0="10.0.1.1"
IF_1="tap1"
IP_HOST_1="10.0.10.1"
IP_NUTTX_1="10.0.10.2"
# add net namespace LAN for $IF_1
ip netns add LAN
ip netns exec LAN sysctl -w net.ipv4.ip_forward=1
ip link set $IF_1 netns LAN
ip netns exec LAN ip link set $IF_1 up
ip netns exec LAN ip link set lo up
# add address and set default route
ip addr add $IP_HOST_0/24 dev $IF_0
ip netns exec LAN ip addr add $IP_HOST_1/24 dev $IF_1
ip netns exec LAN ip route add default dev $IF_1 via $IP_NUTTX_1
# nat to allow NuttX to access the internet
iptables -t nat -A POSTROUTING -o $IF_HOST -j MASQUERADE
iptables -A FORWARD -i $IF_HOST -o $IF_0 -j ACCEPT
iptables -A FORWARD -i $IF_0 -o $IF_HOST -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
```
5. Anything done in the LAN namespace will go through NAT
```shell
# Host side
iperf -B 10.0.1.1 -s -i 1
# LAN side
sudo ip netns exec LAN iperf -B 10.0.10.1 -c 10.0.1.1 -i 1
```
```shell
# Host side
python3 -m http.server
# LAN side
for i in {1..20000}; do sudo ip netns exec LAN curl 'http://10.0.1.1:8000/' > /dev/null 2>&1; done
```
```shell
# LAN side
sudo ip netns exec LAN ping 8.8.8.8
```
```shell
# Host side
tcpdump -nn -i tap0
# LAN side
sudo ip netns exec LAN tcpdump -nn -i tap1
```
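To make the "full cone" behaviour in the Summary concrete, here is an added, stand-alone model of a NAT mapping table that walks through the test topology above (LAN host 10.0.10.1 talking through NuttX at 10.0.1.2 to the host at 10.0.1.1). It is example code written for this page, not the NuttX `net/nat` implementation from the PR; the table size, the 30 s idle timeout, the external port pool starting at 40000 and the `struct pkt` summary are all assumptions made for the example. The point it shows is the one a reviewer cares about: once an inside endpoint has opened a mapping, a packet from any outside address and port to the external port is forwarded inward until the entry expires.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, minimal full cone NAT table written for this example;
 * it is not NuttX's net/nat code. IPv4 addresses and ports are host-order
 * integers, and "time" is a plain second counter supplied by the caller. */

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define NAT_MAX_ENTRIES   16
#define NAT_EXPIRE_SECS   30      /* assumed idle timeout for every protocol */
#define NAT_EXT_PORT_BASE 40000   /* assumed start of the external port pool */
#define PROTO_TCP 6
#define PROTO_UDP 17

struct nat_entry {
  bool     used;
  uint8_t  proto;
  uint32_t local_ip;       /* LAN-side endpoint that opened the mapping */
  uint16_t local_port;
  uint16_t external_port;  /* port on the NAT device's WAN address */
  uint32_t expire;         /* absolute time at which the entry dies */
};

struct nat_table {
  uint32_t external_ip;
  uint16_t next_port;
  struct nat_entry entries[NAT_MAX_ENTRIES];
};

/* Only the L3/L4 fields the NAT has to rewrite (constructed packets). */
struct pkt {
  uint8_t  proto;
  uint32_t src_ip, dst_ip;
  uint16_t src_port, dst_port;
};

void nat_init(struct nat_table *t, uint32_t external_ip) {
  memset(t, 0, sizeof(*t));
  t->external_ip = external_ip;
  t->next_port = NAT_EXT_PORT_BASE;
}

/* Free every entry that has idled past its timeout. */
static void nat_expire(struct nat_table *t, uint32_t now) {
  for (int i = 0; i < NAT_MAX_ENTRIES; i++)
    if (t->entries[i].used && t->entries[i].expire <= now)
      t->entries[i].used = false;
}

/* Outbound (LAN -> WAN): rewrite the source to the external address and
 * allocate a mapping the first time an inside endpoint is seen. */
bool nat_outbound(struct nat_table *t, struct pkt *p, uint32_t now) {
  struct nat_entry *e = NULL;
  nat_expire(t, now);
  for (int i = 0; i < NAT_MAX_ENTRIES; i++) {
    struct nat_entry *c = &t->entries[i];
    if (c->used && c->proto == p->proto && c->local_ip == p->src_ip &&
        c->local_port == p->src_port) { e = c; break; }
    if (!c->used && e == NULL) e = c;   /* remember a free slot */
  }
  if (e == NULL) return false;          /* table full: drop the packet */
  if (!e->used) {
    /* New mapping. A real implementation must also make sure the port is
     * not held by a local socket (the PR does this via tcp_selectport). */
    e->used = true;
    e->proto = p->proto;
    e->local_ip = p->src_ip;
    e->local_port = p->src_port;
    e->external_port = t->next_port++;
  }
  e->expire = now + NAT_EXPIRE_SECS;
  p->src_ip = t->external_ip;
  p->src_port = e->external_port;
  return true;
}

/* Inbound (WAN -> LAN), full cone semantics: any outside source that hits a
 * mapped external port is forwarded to the inside endpoint. The sender is
 * never compared with the peer the inside host originally contacted. */
bool nat_inbound(struct nat_table *t, struct pkt *p, uint32_t now) {
  nat_expire(t, now);
  if (p->dst_ip != t->external_ip) return false;
  for (int i = 0; i < NAT_MAX_ENTRIES; i++) {
    struct nat_entry *e = &t->entries[i];
    if (e->used && e->proto == p->proto && e->external_port == p->dst_port) {
      e->expire = now + NAT_EXPIRE_SECS;  /* traffic keeps the entry alive */
      p->dst_ip = e->local_ip;
      p->dst_port = e->local_port;
      return true;
    }
  }
  return false;                         /* no mapping: drop */
}

int main(void) {
  struct nat_table t;
  struct pkt out  = { PROTO_TCP, IP4(10,0,10,1), IP4(10,0,1,1), 5555, 8000 };
  struct pkt back = { PROTO_TCP, IP4(10,0,1,1), IP4(10,0,1,2), 8000, 40000 };
  nat_init(&t, IP4(10,0,1,2));
  printf("outbound ok=%d, new src port %u\n", nat_outbound(&t, &out, 0), out.src_port);
  printf("inbound ok=%d, dst port %u\n", nat_inbound(&t, &back, 1), back.dst_port);
  return 0;
}
```

Running it prints the curl flow from step 5: the LAN source 10.0.10.1:5555 leaves as 10.0.1.2:40000 and the reply to port 40000 is steered back to port 5555. Because the inbound lookup keys only on protocol and external port, a packet from an unrelated host to 10.0.1.2:40000 is forwarded just the same while the entry is alive, which is the property that distinguishes full cone NAT from address- or port-restricted variants and the reason the expiration logic in this PR matters.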
--
This is an automated message from the Apache Git Service.