Date: Sat, 26 Jul 2003 22:12:59 -0400
From: Jim Durham <durham@jcdurham.com>
To: Yar Tikhiy <yar@comp.chem.msu.su>
Cc: freebsd-hackers@freebsd.org
Subject: Re: NATD and Address Redirection
Message-ID: <200307262212.59810.durham@jcdurham.com>
In-Reply-To: <20030726071359.GA61353@comp.chem.msu.su>
References: <200307251349.38413.durham@jcdurham.com> <20030726022205.452c374f.sheepkiller@cultdeadsheep.org> <20030726071359.GA61353@comp.chem.msu.su>
On Saturday 26 July 2003 03:13 am, you wrote:
> On Sat, Jul 26, 2003 at 02:22:05AM +0200, Clement Laforet wrote:
> > for incoming traffic, you must use -redirect_address, but for
> > outgoing you have to set -alias_address.
> > If you want to use a specific public IP to map incoming AND
> > outgoing packets, you need to run 2 natd, using ipfw matching.
>
> I'm afraid this is not exactly correct.
>
> IIRC, when I was hacking natd and libalias 5 years ago to use them
> for transparent HTTP proxying, their internals looked rather clear.
> In a nutshell, they were as follows.
>
> There was a translation table inside libalias with 3 columns in it:
> the internal connection point (IP&port), alias point, and external
> point.
>
> When a packet was heading outside, its source IP&port were matched
> against the "internal" column, and its destination IP&port against
> the "external" column. If an entry was found, the packet's source
> IP&port would be replaced with the values from the "alias" column.
>
> When a packet was going in the opposite direction, inside, its
> source IP&port were matched against the "external" column, and its
> destination IP&port against the "alias" column. Then the packet's
> destination IP&port were replaced with the values from the
> "internal" column of the entry found.
>
> By specifying a redirect_address rule, just an entry was inserted
> into that table with a wildcard value for all the ports and for the
> external IP address. Upon matching, such an entry would clone into
> a new one containing the information specific for a particular
> session. Thus the solution was symmetric by design, without
> requiring 2 natd's or additional ipfw rules.
>
> P.S. As I can see, today's libalias still uses the same approach.

That's a great explanation! Thanks.
I knew that NAT worked by establishing a "session" when an inside machine
initiated a connection to the outside world and used that info to figure
out how packets going back to that inside machine from the outside address
got routed. I didn't know the internals. So redirect_address apparently
just forces a permanent entry in the table, which would be symmetrical.
Hmmmm... OK.

--
-Jim
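The three-column table Yar describes, as a toy model added here for illustration. This is not libalias or natd code and is not from anyone in the thread: it models only the internal/alias/external lookup in both directions and the way a -redirect_address entry (wildcard ports, wildcard external address) is cloned into a per-session entry on first match, with ordinary dynamic NAT on a default alias address beside it for contrast. Port allocation, timeouts, protocol and ICMP handling are omitted; the alias port is simply kept equal to the internal port, which real libalias does not guarantee. All addresses in the demo are constructed (documentation ranges), and the function names are this example's own.

```c
/* Toy model of the libalias three-column translation table (example code,
 * not libalias). Columns: internal (in), alias, external (ext). A value of
 * WILD (0) in a port or in the external IP acts as a wildcard, which is how
 * a -redirect_address rule is stored. */
#include <stdint.h>
#include <stdio.h>

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define WILD 0
#define MAX_ENTRIES 64

struct endpoint { uint32_t ip; uint16_t port; };

struct entry {
    struct endpoint in;    /* internal host (private side) */
    struct endpoint alias; /* public address/port natd presents */
    struct endpoint ext;   /* remote peer; all WILD in a redirect template */
    int is_template;       /* 1 = static redirect_address rule, 0 = live session */
};

struct table {
    struct entry e[MAX_ENTRIES];
    int n;
    uint32_t default_alias;   /* the -alias_address used for plain dynamic NAT */
};

struct packet { struct endpoint src, dst; };

/* 'have' is a table column and may contain wildcards; 'want' is from a packet */
static int ep_match(struct endpoint have, struct endpoint want)
{
    return (have.ip == WILD || have.ip == want.ip) &&
           (have.port == WILD || have.port == want.port);
}

static struct entry *add_entry(struct table *t, struct entry e)
{
    if (t->n >= MAX_ENTRIES) return NULL;
    t->e[t->n] = e;
    return &t->e[t->n++];
}

/* natd -redirect_address <in_ip> <alias_ip>: one wildcard entry, nothing else */
int redirect_address(struct table *t, uint32_t in_ip, uint32_t alias_ip)
{
    struct entry e = {{in_ip, WILD}, {alias_ip, WILD}, {WILD, WILD}, 1};
    return add_entry(t, e) != NULL;
}

/* Clone a template into a concrete session entry (alias port simplified) */
static struct entry *clone_template(struct table *t, const struct entry *tpl,
                                    struct endpoint in, struct endpoint ext)
{
    struct entry e = *tpl;
    e.in = in;
    e.alias.port = in.port;   /* simplification: libalias may choose another port */
    e.ext = ext;
    e.is_template = 0;
    return add_entry(t, e);
}

/* Outbound: src matched against "internal", dst against "external";
 * src rewritten from "alias". Returns 1 if translated, 0 if the table is full. */
int translate_outbound(struct table *t, struct packet *p)
{
    struct entry *hit = NULL, *tpl = NULL;
    for (int i = 0; i < t->n; i++) {
        struct entry *e = &t->e[i];
        if (!ep_match(e->in, p->src) || !ep_match(e->ext, p->dst)) continue;
        if (e->is_template) { if (!tpl) tpl = e; }
        else { hit = e; break; }           /* an exact session entry wins */
    }
    if (!hit) {
        if (tpl) hit = clone_template(t, tpl, p->src, p->dst);
        else {  /* plain dynamic NAT: new session on the default alias address */
            struct entry e = {p->src, {t->default_alias, p->src.port}, p->dst, 0};
            hit = add_entry(t, e);
        }
        if (!hit) return 0;
    }
    p->src = hit->alias;
    return 1;
}

/* Inbound: src matched against "external", dst against "alias";
 * dst rewritten from "internal". Returns 1 if translated, 0 if no entry (dropped). */
int translate_inbound(struct table *t, struct packet *p)
{
    struct entry *hit = NULL, *tpl = NULL;
    for (int i = 0; i < t->n; i++) {
        struct entry *e = &t->e[i];
        if (!ep_match(e->ext, p->src) || !ep_match(e->alias, p->dst)) continue;
        if (e->is_template) { if (!tpl) tpl = e; }
        else { hit = e; break; }
    }
    if (!hit) {
        if (!tpl) return 0;   /* unsolicited inbound with no redirect: no entry */
        struct endpoint in = { tpl->in.ip, p->dst.port };  /* new session via redirect */
        hit = clone_template(t, tpl, in, p->src);
        if (!hit) return 0;
    }
    p->dst = hit->in;
    return 1;
}

/* Constructed scenario: one host with a redirect, one without. Returns the
 * number of checks that passed (5 means every check passed). */
int demo_checks(void)
{
    struct table t = { .n = 0, .default_alias = IP4(203,0,113,1) };
    struct packet p;
    int ok = 0;
    redirect_address(&t, IP4(192,168,1,10), IP4(203,0,113,5));
    /* 1. redirected host goes out on the redirect's alias address */
    p = (struct packet){{IP4(192,168,1,10), 4000}, {IP4(198,51,100,7), 80}};
    ok += translate_outbound(&t, &p) && p.src.ip == IP4(203,0,113,5) && p.src.port == 4000;
    /* 2. the reply finds the cloned session entry and reaches the host */
    p = (struct packet){{IP4(198,51,100,7), 80}, {IP4(203,0,113,5), 4000}};
    ok += translate_inbound(&t, &p) && p.dst.ip == IP4(192,168,1,10) && p.dst.port == 4000;
    /* 3. unsolicited inbound to the redirect address also reaches the host */
    p = (struct packet){{IP4(198,51,100,9), 5555}, {IP4(203,0,113,5), 22}};
    ok += translate_inbound(&t, &p) && p.dst.ip == IP4(192,168,1,10) && p.dst.port == 22;
    /* 4. a host without a redirect goes out on the default alias address */
    p = (struct packet){{IP4(192,168,1,20), 4001}, {IP4(198,51,100,7), 80}};
    ok += translate_outbound(&t, &p) && p.src.ip == IP4(203,0,113,1);
    /* 5. unsolicited inbound to the default alias address has no entry */
    p = (struct packet){{IP4(198,51,100,9), 5556}, {IP4(203,0,113,1), 22}};
    ok += translate_inbound(&t, &p) == 0;
    return ok;
}

int main(void)
{
    printf("%d of 5 checks passed\n", demo_checks());
    return 0;
}
```

Checks 1 to 3 are the point of the thread: a single wildcard entry serves the redirected host in both directions, because the outbound lookup keys on the internal column and the inbound lookup keys on the alias column of the same row, so no second natd and no extra ipfw rule is needed. Check 5 is the flip side worth remembering: without a redirect entry, an unsolicited inbound packet to the alias address matches nothing and is dropped, which is the behaviour a NAT box is usually relied on for.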
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200307262212.59810.durham>