From owner-freebsd-net@FreeBSD.ORG Tue Jul 25 19:34:12 2006
Message-ID: <44C67232.70508@elischer.org>
Date: Tue, 25 Jul 2006 12:34:10 -0700
From: Julian Elischer
To: Brett Glass
Cc: freebsd-net@freebsd.org, Marko Zec, Brian Candler
Subject: Re: Multiple NAT router
In-Reply-To: <7.0.1.0.2.20060724204450.09bcbe80@lariat.net>
References: <7.0.1.0.2.20060721105813.0971ae90@lariat.net> <20060724090909.GB3412@uk.tiscali.com> <200607241609.30783.zec@icir.org> <7.0.1.0.2.20060724204450.09bcbe80@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

Brett Glass wrote:
> At 08:09 AM 7/24/2006, Marko Zec wrote:
>
>> Yes this should work with a virtualized stack - all the "outside"
>> interfaces in each jail / virtual stack could be simply bridged together
>> using netgraph which is virtualization-agnostic, i.e. a global facility
>> in the current implementation of "vimage".
>
> Does this virtualization facility virtualize the arp table? It would
> need to, because there would be hosts with duplicate addresses inside
> each interface.

yes it virtualises the entire network system
look for 'vimage FreeBSD' under google,
unfortunately it is 4.x only at the moment but you may be able to use a 4.x machine.

> I've been noodling over this for two weeks now, and am thinking that
> the easiest thing to do might be to map every address in each
> "virtual" router to a unique address from FreeBSD's point of view
> (i.e. 192.168.0.2 on LAN 1 becomes 10.0.0.2, while 192.168.0.2 on LAN
> 1 becomes 10.0.1.2, etc.). The translation would be done by "hooks" as
> close as possible to the interfaces, so FreeBSD's stack wouldn't know
> it was being done. netgraph shims?

netgraph can shim into the interfaces the way you suggest. man ng_ether.

> All that would be needed in that case would be to do "dumb" address
> translation at the interfaces -- transparently to FreeBSD -- just
> before the packets entered and left. This seems to be the method that
> would leverage FreeBSD's existing facilities the most, since FreeBSD's
> own routing, NAT, etc. would "just work" as they always do. I'd need
> to figure out what to do about protocols like DHCP.... I don't know if
> DHCP will assign addresses that are not on the subnet it "thinks"
> it's talking to. And I might need to hack into the content of some
> packets. For example, I'd have to make ARP work.
>
> If I were to try this, the question would of course be which "hook" to
> use to capture the packets (BPF? Divert sockets? Netgraph? Something
> in IPFW? A hook into the driver?)... and whether I could use existing
> code to do the bilateral translation or would have to hack an "address
> smasher".
> --Brett Glass
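The per-interface "address smasher" Brett sketches above (rewrite every address of virtual router N into a host-unique block as a packet enters, and undo it as the packet leaves, so the single host stack never sees the duplicates) is easy to get subtly wrong, so here is an added, stand-alone Python model of it. This is example code written for this page, not anything from the thread, from vimage, or from netgraph; it assumes the mapping Brett gives as his example (192.168.0.0/24 on LAN N becomes 10.0.N.0/24) and a constructed sample packet. It rewrites the IPv4 header in both directions and recomputes the header checksum, which is the minimum any such shim must do to avoid the stack dropping the rewritten frames as corrupt.

```python
import ipaddress
import struct

# Assumed mapping for the example: every virtual router ("LAN") uses
# 192.168.0.0/24, and LAN index N is relocated onto 10.0.N.0/24 so that
# 192.168.0.2 on LAN 1 becomes 10.0.1.2, on LAN 2 becomes 10.0.2.2, etc.
LAN_PREFIX = ipaddress.IPv4Network("192.168.0.0/24")
UNIQUE_BLOCK = ipaddress.IPv4Network("10.0.0.0/16")


def lan_to_unique(lan_index: int, addr: str) -> str:
    """Map an address as seen on LAN lan_index to the host-unique address."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in LAN_PREFIX:
        raise ValueError(f"{addr} is not inside {LAN_PREFIX}")
    host_part = int(ip) - int(LAN_PREFIX.network_address)
    unique_net = ipaddress.IPv4Network(f"10.0.{lan_index}.0/24")
    return str(ipaddress.IPv4Address(int(unique_net.network_address) + host_part))


def unique_to_lan(addr: str) -> tuple[int, str]:
    """Inverse mapping: recover (lan_index, lan_address) from a host-unique address."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in UNIQUE_BLOCK:
        raise ValueError(f"{addr} is not inside {UNIQUE_BLOCK}")
    octets = ip.packed
    lan_index, host_part = octets[2], octets[3]
    return lan_index, str(ipaddress.IPv4Address(int(LAN_PREFIX.network_address) + host_part))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over the IPv4 header.
    Over a header whose checksum field is already correct it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header plus payload."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def rewrite_ipv4(packet: bytes, lan_index: int, direction: str) -> bytes:
    """The "dumb" shim sitting next to interface lan_index.

    ingress: a packet arriving from the LAN gets its source relocated into
             the host-unique block before the stack sees it.
    egress:  a packet leaving toward the LAN gets its destination mapped
             back to the address the LAN host actually owns.
    """
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    src = str(ipaddress.IPv4Address(bytes(hdr[12:16])))
    dst = str(ipaddress.IPv4Address(bytes(hdr[16:20])))
    if direction == "ingress":
        hdr[12:16] = ipaddress.IPv4Address(lan_to_unique(lan_index, src)).packed
    elif direction == "egress":
        idx, lan_dst = unique_to_lan(dst)
        if idx != lan_index:
            # Defensive check: the stack routed a packet for LAN idx out of
            # the wrong shim; refuse rather than leak it onto another LAN.
            raise ValueError(f"packet for LAN {idx} reached shim for LAN {lan_index}")
        hdr[16:20] = ipaddress.IPv4Address(lan_dst).packed
    else:
        raise ValueError("direction must be 'ingress' or 'egress'")
    # Zero the checksum field, then recompute it over the rewritten header.
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


if __name__ == "__main__":
    pkt = build_ipv4("192.168.0.2", "203.0.113.9", b"constructed payload")
    inside = rewrite_ipv4(pkt, 1, "ingress")
    print("stack sees source", ipaddress.IPv4Address(inside[12:16]))
```

Two things the model makes visible that the thread only hints at: the IPv4 header checksum is not the only one that covers the addresses, since TCP and UDP checksums include a pseudo-header with source and destination, so a real shim has to patch those too (and any address carried in the payload, which is the ARP and DHCP problem Brett raises); and the egress side needs the cross-check shown above, because a mis-routed packet silently rewritten for the wrong LAN would put traffic for one virtual router on another one's wire.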