From owner-freebsd-net@FreeBSD.ORG Tue Jul 25 03:17:55 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0268316A4DA for ; Tue, 25 Jul 2006 03:17:55 +0000 (UTC) (envelope-from brett@lariat.net)
Received: from lariat.net (lariat.net [65.122.236.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8EDA043D5F for ; Tue, 25 Jul 2006 03:17:52 +0000 (GMT) (envelope-from brett@lariat.net)
Received: from Anne (IDENT:ppp1000.lariat.net@lariat.net [65.122.236.2]) by lariat.net (8.9.3/8.9.3) with ESMTP id VAA10285; Mon, 24 Jul 2006 21:17:43 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <7.0.1.0.2.20060724204450.09bcbe80@lariat.net>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Mon, 24 Jul 2006 21:17:37 -0600
To: Marko Zec , freebsd-net@freebsd.org
From: Brett Glass
In-Reply-To: <200607241609.30783.zec@icir.org>
References: <7.0.1.0.2.20060721105813.0971ae90@lariat.net> <20060724090909.GB3412@uk.tiscali.com> <200607241609.30783.zec@icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Cc: Brian Candler
Subject: Re: Multiple NAT router
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 25 Jul 2006 03:17:55 -0000

At 08:09 AM 7/24/2006, Marko Zec wrote:

>Yes this should work with a virtualized stack - all the "outside" interfaces
>in each jail / virtual stack could be simply bridged together using netgraph
>which is virtualization-agnostic, i.e. a global facility in the current
>implementation of "vimage".

Does this virtualization facility virtualize the ARP table?
It would need to, because there would be hosts with duplicate addresses inside each interface.

I've been noodling over this for two weeks now, and am thinking that the easiest thing to do might be to map every address in each "virtual" router to a unique address from FreeBSD's point of view (i.e. 192.168.0.2 on LAN 1 becomes 10.0.0.2, while 192.168.0.2 on LAN 2 becomes 10.0.1.2, etc.). The translation would be done by "hooks" as close as possible to the interfaces, so FreeBSD's stack wouldn't know it was being done. All that would be needed in that case would be to do "dumb" address translation at the interfaces -- transparently to FreeBSD -- just before the packets entered and left. This seems to be the method that would leverage FreeBSD's existing facilities the most, since FreeBSD's own routing, NAT, etc. would "just work" as they always do.

I'd need to figure out what to do about protocols like DHCP.... I don't know if DHCP will assign addresses that are not on the subnet it "thinks" it's talking to. And I might need to hack into the content of some packets. For example, I'd have to make ARP work.

If I were to try this, the question would of course be which "hook" to use to capture the packets (BPF? Divert sockets? Netgraph? Something in IPFW? A hook into the driver?)... and whether I could use existing code to do the bilateral translation or would have to hack an "address smasher".

--Brett Glass
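The per-interface "address smasher" sketched above, worked through as an added example; this is not code from the thread, from FreeBSD or from vimage. It assumes every virtual router's LAN uses the same overlapping prefix (192.168.0.0/24) and that interface i maps it 1:1 onto a unique host-side prefix 10.0.i.0/24, so that a single stack sees distinct addresses; the class and function names, the frame layout (raw Ethernet bytes) and the sample frames are all constructed for the example. It also shows why the translation cannot be entirely "dumb": TCP and UDP checksums cover the IP addresses through their pseudo-header, so the rewrite fixes them with the RFC 1624 incremental update, and ARP carries the addresses in its payload, which the mail already anticipates. DHCP, whose payload also carries addresses, is left open here as it is in the mail.

```python
"""Added example (not from the thread or from vimage): per-interface 1:1
"address smasher". Assumed layout: every virtual router's LAN uses the same
prefix 192.168.0.0/24; interface i maps it to the unique host-side prefix
10.0.i.0/24. The sample frames are constructed, not captured."""
import ipaddress
import struct

def fold(total):
    """Fold carries back into 16 bits (ones' complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ocsum(data):
    """Ones' complement sum of the 16-bit words of data (Internet checksum core)."""
    data = data + b"\x00" * (len(data) % 2)
    return fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))

def checksum(data):
    return ~ocsum(data) & 0xFFFF

def adjust_checksum(old_csum, old_bytes, new_bytes):
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m'): TCP/UDP checksums
    cover the IP addresses via the pseudo-header, so they must change too."""
    return ~fold((~old_csum & 0xFFFF) + (~ocsum(old_bytes) & 0xFFFF) + ocsum(new_bytes)) & 0xFFFF

class InterfaceMapper:
    """Maps the LAN prefix to the host-side prefix on the way in and back on
    the way out; addresses outside the mapped prefix pass through untouched."""

    def __init__(self, lan_prefix, host_prefix):
        self.lan, self.host = ipaddress.ip_network(lan_prefix), ipaddress.ip_network(host_prefix)

    def _map(self, raw, src_net, dst_net):
        addr = ipaddress.IPv4Address(raw)
        if addr not in src_net:
            return raw
        return ipaddress.IPv4Address(int(addr) - int(src_net[0]) + int(dst_net[0])).packed

    def rewrite(self, frame, inbound=True):
        """inbound=True: LAN -> host side (ingress); False: host side -> LAN (egress)."""
        nets = (self.lan, self.host) if inbound else (self.host, self.lan)
        if frame[12:14] == b"\x08\x00":
            return self._rewrite_ipv4(frame, *nets)
        if frame[12:14] == b"\x08\x06":
            return self._rewrite_arp(frame, *nets)
        return frame

    def _rewrite_ipv4(self, frame, src_net, dst_net):
        ip = bytearray(frame[14:])  # 14-byte Ethernet header precedes the IP header
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        old = bytes(ip[12:20])
        new = self._map(old[:4], src_net, dst_net) + self._map(old[4:], src_net, dst_net)
        if new == old:
            return frame
        ip[12:20], ip[10:12] = new, b"\0\0"
        ip[10:12] = struct.pack("!H", checksum(bytes(ip[:ihl])))  # fresh header checksum
        off = {6: ihl + 16, 17: ihl + 6}.get(proto)  # TCP / UDP checksum field offset
        if off and len(ip) >= off + 2 and not (proto == 17 and ip[off:off + 2] == b"\0\0"):
            csum = adjust_checksum(struct.unpack("!H", ip[off:off + 2])[0], old, new)
            ip[off:off + 2] = struct.pack("!H", csum or (0xFFFF if proto == 17 else 0))
        return frame[:14] + bytes(ip)

    def _rewrite_arp(self, frame, src_net, dst_net):
        arp = bytearray(frame[14:])
        if len(arp) < 28 or arp[4:6] != b"\x06\x04":  # Ethernet/IPv4 ARP only
            return frame
        arp[14:18] = self._map(bytes(arp[14:18]), src_net, dst_net)  # sender IP
        arp[24:28] = self._map(bytes(arp[24:28]), src_net, dst_net)  # target IP
        return frame[:14] + bytes(arp)

def build_udp_frame(src, dst, payload):
    """Construct an Ethernet/IPv4/UDP frame with valid checksums (sample input)."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    udp_csum = checksum(s + d + struct.pack("!BBH", 0, 17, len(udp)) + udp) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\x02\0\0\0\0\x01" + b"\x02\0\0\0\0\x02" + b"\x08\x00" + ip + udp

def checksums_ok(frame):
    """Re-verify IPv4 header and UDP checksums from scratch (both fold to zero)."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, len(ip) - ihl)
    return checksum(ip[:ihl]) == 0 and checksum(pseudo + ip[ihl:]) == 0

def addrs(frame):
    """(src, dst) of an IPv4 frame or (sender, target) of an ARP frame."""
    a, b = (26, 30) if frame[12:14] == b"\x08\x00" else (28, 38)
    return str(ipaddress.IPv4Address(frame[a:a + 4])), str(ipaddress.IPv4Address(frame[b:b + 4]))

def demo():
    """LAN 1 (192.168.0.0/24 -> 10.0.1.0/24): ingress, checksum check, egress round trip."""
    lan1 = InterfaceMapper("192.168.0.0/24", "10.0.1.0/24")
    to_router = build_udp_frame("192.168.0.2", "192.168.0.1", b"constructed query")
    arp = (b"\xff" * 6 + b"\x02\0\0\0\0\x02" + b"\x08\x06"  # constructed: who-has .1 tell .2
           + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, b"\x02\0\0\0\0\x02",
                         bytes([192, 168, 0, 2]), b"\0" * 6, bytes([192, 168, 0, 1])))
    inside = lan1.rewrite(to_router)
    return {"router": addrs(inside), "router_ok": checksums_ok(inside),
            "roundtrip": lan1.rewrite(inside, inbound=False) == to_router,
            "internet": addrs(lan1.rewrite(build_udp_frame("192.168.0.2", "198.51.100.7", b"x"))),
            "arp": addrs(lan1.rewrite(arp))}
```

Calling `demo()` returns the LAN-1 frame to the router seen from the host side as 10.0.1.2 -> 10.0.1.1 with both checksums still valid, the egress pass restoring the original bytes exactly, a frame to an outside host (198.51.100.7) with only its source rewritten, and the ARP request with sender and target rewritten. One mapper instance per interface is the whole per-LAN state; the stack behind it never sees 192.168.0.0/24 at all, which is what lets its routing and NAT stay unaware of the overlap.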