From: Gleb Smirnoff <glebius@freebsd.org>
To: net@freebsd.org, current@freebsd.org
Date: Thu, 10 Feb 2005 13:07:15 +0300
Subject: ng_nat: proof of concept
Message-ID: <20050210100715.GB20344@cell.sick.ru>
List-Id: Networking and TCP/IP with FreeBSD

[pls, remove current@freebsd.org from Cc, when replying]

Colleagues,

I'm glad to announce a new and VERY immature node - ng_nat. Actually it is just a proof of concept, not ready for any practical usage.

ng_nat is a netgraph node performing NAT. It works using libalias(3) ported to the kernel, that's why it is going to have the same functionality as good old natd(8). But it will work in netgraph, in the kernel.

The node has two hooks - "in" and "out". Packets to be masqueraded should be sent to the "out" hook, packets to be demasqueraded should be sent to the "in" hook.

Here is a sample P.O.C. setup, which is working:

  kldload ng_ipfw
  ipfw add 30 netgraph 60 ip from 192.168.0.1 to ${some_host} out via ng1
  ipfw add 31 netgraph 61 ip from ${some_host} to ${oif} in via ng1
  kldload libalias
  kldload ng_nat
  ngctl mkpeer ipfw: nat 60 out
  ngctl name ipfw:60 nat
  ngctl connect ipfw: nat: 61 in
  ngctl msg nat: setaliasaddr ${oif}

  [on 192.168.0.1 host]
  ping ${some_host}

And it works! :)

Well, it is not yet time to call for testers, but patches are already shared. First the kernel alias library needs to be built:

  cd /usr/src/lib/libalias
  fetch http://people.freebsd.org/~glebius/totest/ng_nat/libalias-kernel.diff
  patch < libalias-kernel.diff
  cd /usr/src/sys/modules
  mkdir libalias
  cd libalias
  fetch http://people.freebsd.org/~glebius/totest/ng_nat/Makefile
  make
  make install

Then the ng_nat module can be built:

  cd /usr/src/sys/netgraph
  fetch http://people.freebsd.org/~glebius/totest/ng_nat/ng_nat.c
  fetch http://people.freebsd.org/~glebius/totest/ng_nat/ng_nat.h
  cd /usr/src/sys/modules/netgraph
  mkdir nat
  cd nat
  fetch http://people.freebsd.org/~glebius/totest/ng_nat/ng_nat/Makefile
  make
  make install

The snapshots at http://people.freebsd.org/~glebius/totest/ng_nat are going to be updated several times per week.

Comments are welcome. Especially I'd be glad for criticism and advice concerning clean porting of libalias to the kernel. Make ifdefs and defines nicer, etc.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE