From owner-freebsd-net@FreeBSD.ORG Tue Jul 25 12:04:16 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C2C4616A4DA for ; Tue, 25 Jul 2006 12:04:16 +0000 (UTC) (envelope-from zec@icir.org)
Received: from xaqua.tel.fer.hr (xaqua.tel.fer.hr [161.53.19.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 25F9843D58 for ; Tue, 25 Jul 2006 12:04:16 +0000 (GMT) (envelope-from zec@icir.org)
Received: by xaqua.tel.fer.hr (Postfix, from userid 20006) id 673EA9B655; Tue, 25 Jul 2006 14:04:15 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on xaqua.tel.fer.hr
X-Spam-Level:
X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.1.1
Received: from [192.168.200.106] (zec2.tel.fer.hr [161.53.19.79]) by xaqua.tel.fer.hr (Postfix) with ESMTP id 3D43B9B64F; Tue, 25 Jul 2006 14:04:11 +0200 (CEST)
From: Marko Zec
To: Brett Glass
Date: Tue, 25 Jul 2006 14:04:06 +0200
User-Agent: KMail/1.9.1
References: <7.0.1.0.2.20060721105813.0971ae90@lariat.net> <200607241609.30783.zec@icir.org> <7.0.1.0.2.20060724204450.09bcbe80@lariat.net>
In-Reply-To: <7.0.1.0.2.20060724204450.09bcbe80@lariat.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200607251404.07244.zec@icir.org>
Cc: freebsd-net@freebsd.org, Brian Candler
Subject: Re: Multiple NAT router
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 25 Jul 2006 12:04:16 -0000

On Tuesday 25 July 2006 05:17, Brett Glass wrote:
> At 08:09 AM 7/24/2006, Marko Zec wrote:
> > Yes this should work with a virtualized stack - all the "outside"
> > interfaces in each jail / virtual stack could be simply bridged together
> > using netgraph which is virtualization-agnostic, i.e. a global facility
> > in the current implementation of "vimage".
>
> Does this virtualization facility virtualize the ARP table? It
> would need to, because there would be hosts with duplicate
> addresses inside each interface.

Yes.

> I've been noodling over this for two weeks now, and am thinking
> that the easiest thing to do might be to map every address in each
> "virtual" router to a unique address from FreeBSD's point of view
> (i.e. 192.168.0.2 on LAN 1 becomes 10.0.0.2, while 192.168.0.2 on
> LAN 1 becomes 10.0.1.2, etc.). The translation would be done by
> "hooks" as close as possible to the interfaces, so FreeBSD's stack
> wouldn't know it was being done.
>
> All that would be needed in that case would be to do "dumb" address
> translation at the interfaces -- transparently to FreeBSD -- just
> before the packets entered and left. This seems to be the method
> that would leverage FreeBSD's existing facilities the most, since
> FreeBSD's own routing, NAT, etc. would "just work" as they always
> do. I'd need to figure out what to do about protocols like DHCP....
> I don't know if DHCP will assign addresses that are not on the
> subnet it "thinks" it's talking to. And I might need to hack into
> the content of some packets. For example, I'd have to make ARP work.
>
> If I were to try this, the question would of course be which "hook"
> to use to capture the packets (BPF? Divert sockets? Netgraph? 
> Something in IPFW? A hook into the driver?)... and whether I could
> use existing code to do the bilateral translation or would have to
> hack an "address smasher".
>
> --Brett Glass
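The "dumb" bilateral translation Brett sketches above, written out as an added example (this is not code from the thread, from vimage, or from FreeBSD). It assumes his mapping of 192.168.0.0/24 on LAN n to 10.0.n.0/24 as seen by the stack, a packet buffer handed over by whatever hook ends up being used, and a constructed IPv4/UDP datagram and ARP request as input. It also shows the two things a "transparent" rewrite cannot skip: the IPv4 header checksum and the TCP/UDP checksum (which covers the pseudo-header, so it changes whenever an address does), and ARP, which carries the addresses in its payload with no checksum at all. DHCP, ICMP error bodies and FTP PORT also embed addresses and are deliberately left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed scenario: every LAN reuses 192.168.0.0/24; the stack sees 10.0.<lan>.0/24 instead. */
#define OVERLAP_NET 0xC0A80000u   /* 192.168.0.0/24, duplicated on every LAN */
#define UNIQUE_NET  0x0A000000u   /* 10.0.<lan>.0/24, what FreeBSD's stack is shown */

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }

/* The 1:1 "address smasher": inbound maps an overlapping address to its unique alias, outbound reverses it. */
uint32_t to_unique(int lan, uint32_t a) {
    return (a & 0xffffff00u) == OVERLAP_NET ? UNIQUE_NET | ((uint32_t)lan << 8) | (a & 0xff) : a;
}
uint32_t to_overlap(int lan, uint32_t a) {
    return (a & 0xffffff00u) == (UNIQUE_NET | ((uint32_t)lan << 8)) ? OVERLAP_NET | (a & 0xff) : a;
}

/* Ones'-complement helpers (RFC 1071); csum_replace4 is the incremental update of RFC 1624, eq. 3. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t sum) {
    for (; n > 1; p += 2, n -= 2) sum += get16(p);
    if (n) sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}
static void csum_replace4(uint8_t *check, uint32_t from, uint32_t to) {
    uint32_t sum = (uint16_t)~get16(check);                      /* ~HC */
    sum += (uint16_t)~(from >> 16); sum += (uint16_t)~(from & 0xffff); /* + ~m  */
    sum += to >> 16; sum += to & 0xffff;                         /* + m'  */
    put16(check, (uint16_t)~fold(sum));                          /* HC' = ~(~HC + ~m + m') */
}

int ip_csum_valid(const uint8_t *pkt) { return fold(sum16(pkt, (pkt[0] & 0xf) * 4, 0)) == 0xffff; }

/* Validates a TCP/UDP checksum over the IPv4 pseudo-header; a zero UDP checksum means "none". */
int transport_csum_valid(const uint8_t *pkt, size_t len) {
    size_t ihl = (pkt[0] & 0xf) * 4, tlen = len - ihl;
    if (pkt[9] == 17 && get16(pkt + ihl + 6) == 0) return 1;
    uint32_t sum = sum16(pkt + 12, 8, (uint32_t)(pkt[9] + tlen));
    return fold(sum16(pkt + ihl, tlen, sum)) == 0xffff;
}

/* Rewrite src/dst of an IPv4 packet and keep the IP and TCP/UDP checksums consistent.
 * Returns 1 if rewritten, 0 if no address matched, -1 if the packet is malformed. */
int rewrite_ipv4(uint8_t *pkt, size_t len, int lan, int inbound) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0xf) * 4;
    if (ihl < 20 || ihl > len || get16(pkt + 2) != len) return -1;
    uint32_t src = get32(pkt + 12), dst = get32(pkt + 16);
    uint32_t nsrc = inbound ? to_unique(lan, src) : to_overlap(lan, src);
    uint32_t ndst = inbound ? to_unique(lan, dst) : to_overlap(lan, dst);
    if (nsrc == src && ndst == dst) return 0;
    put32(pkt + 12, nsrc); put32(pkt + 16, ndst);
    put16(pkt + 10, 0);
    put16(pkt + 10, (uint16_t)~fold(sum16(pkt, ihl, 0)));
    /* Transport checksums cover the pseudo-header, so they move too; only the first fragment carries one. */
    if ((get16(pkt + 6) & 0x1fff) != 0) return 1;
    uint8_t *check = NULL;
    if (pkt[9] == 6 && len >= ihl + 20) check = pkt + ihl + 16;                                  /* TCP */
    else if (pkt[9] == 17 && len >= ihl + 8 && get16(pkt + ihl + 6) != 0) check = pkt + ihl + 6; /* UDP */
    if (check) {
        csum_replace4(check, src, nsrc);
        csum_replace4(check, dst, ndst);
        if (pkt[9] == 17 && get16(check) == 0) put16(check, 0xffff); /* UDP: 0 would mean "no checksum" */
    }
    return 1;
}

/* ARP has no checksum but carries the addresses in its payload: sender IP at 14, target IP at 24. */
int rewrite_arp(uint8_t *arp, size_t len, int lan, int inbound) {
    if (len < 28 || get16(arp + 2) != 0x0800 || arp[4] != 6 || arp[5] != 4) return -1;
    uint32_t s = get32(arp + 14), t = get32(arp + 24);
    put32(arp + 14, inbound ? to_unique(lan, s) : to_overlap(lan, s));
    put32(arp + 24, inbound ? to_unique(lan, t) : to_overlap(lan, t));
    return 1;
}

/* Builds a minimal IPv4/UDP datagram with correct checksums (constructed input, not captured traffic). */
size_t build_udp(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, const char *payload) {
    size_t plen = strlen(payload), ulen = 8 + plen, len = 20 + ulen;
    memset(buf, 0, len);
    buf[0] = 0x45; put16(buf + 2, (uint16_t)len); buf[8] = 64; buf[9] = 17;
    put32(buf + 12, src); put32(buf + 16, dst);
    put16(buf + 10, (uint16_t)~fold(sum16(buf, 20, 0)));
    put16(buf + 20, sport); put16(buf + 22, dport); put16(buf + 24, (uint16_t)ulen);
    memcpy(buf + 28, payload, plen);
    uint16_t c = (uint16_t)~fold(sum16(buf + 20, ulen, sum16(buf + 12, 8, 17 + (uint32_t)ulen)));
    put16(buf + 26, c ? c : 0xffff);
    return len;
}

/* Round trip: 192.168.0.2 -> 192.168.0.1 on LAN 1 enters as 10.0.1.2 -> 10.0.1.1 and leaves again unchanged. */
int demo(void) {
    uint8_t pkt[64], orig[64];
    size_t len = build_udp(pkt, 0xC0A80002u, 0xC0A80001u, 1234, 53, "hello");
    memcpy(orig, pkt, len);
    if (rewrite_ipv4(pkt, len, 1, 1) != 1) return 0;
    if (get32(pkt + 12) != 0x0A000102u || get32(pkt + 16) != 0x0A000101u) return 0;
    if (!ip_csum_valid(pkt) || !transport_csum_valid(pkt, len)) return 0;
    if (rewrite_ipv4(pkt, len, 1, 0) != 1) return 0;
    return memcmp(pkt, orig, len) == 0;
}

/* ARP request "who has 192.168.0.1, tell 192.168.0.2" arriving on LAN 3 (constructed). */
int demo_arp(void) {
    uint8_t arp[28] = {0, 1, 8, 0, 6, 4, 0, 1};   /* htype 1, ptype 0x0800, hlen 6, plen 4, request */
    put32(arp + 14, 0xC0A80002u); put32(arp + 24, 0xC0A80001u);
    if (rewrite_arp(arp, sizeof arp, 3, 1) != 1) return 0;
    return get32(arp + 14) == 0x0A000302u && get32(arp + 24) == 0x0A000301u;
}

int main(void) {
    printf("ipv4/udp round trip: %s\n", demo() ? "ok" : "FAILED");
    printf("arp rewrite:         %s\n", demo_arp() ? "ok" : "FAILED");
    return 0;
}
```

The mapping is keyed on the LAN the packet arrived on (the hook has to know which interface it sits on), and the reverse direction only un-maps the alias block that belongs to that LAN, so 10.0.2.x leaving toward LAN 1 is left alone. Whatever hook is chosen, it has to see the frame before the stack's ARP and routing code does, since both key on the addresses being rewritten.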