Re: NATD and Address Redirection
From: Jim Durham (durham_at_jcdurham.com)
Date: 07/27/03
- Previous message: Diomidis Spinellis: "Re: Network pipes"
- In reply to: Yar Tikhiy: "Re: NATD and Address Redirection"
- Next in thread: Yar Tikhiy: "Re: NATD and Address Redirection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: Yar Tikhiy <yar@comp.chem.msu.su> Date: Sat, 26 Jul 2003 22:12:59 -0400
On Saturday 26 July 2003 03:13 am, you wrote:
> On Sat, Jul 26, 2003 at 02:22:05AM +0200, Clement Laforet wrote:
> > for incoming traffic, you must use -redirect_address, but for
> > outgoing you have to set -alias_address.
> > If you want to use a specific public IP to map incoming AND
> > outgoing packets, you need to run 2 natd, using ipfw matching.
>
> I'm afraid this is not exactly correct.
>
> IIRC when 5 years ago I was hacking natd and libalias to use them
> for transparent HTTP proxying, their internals looked rather clear.
> In a nutshell, they were as follows.
>
> There was a translation table inside libalias with 3 columns in it:
> the internal connection point (IP&port), alias point, and external
> point.
>
> When a packet was heading outside, its source IP&port were matched
> against the "internal" column, and its destination IP&port against
> the "external" column. If an entry were found, the packet's source
> IP&port would be replaced with the values from the "alias" column.
>
> When a packet was going in the opposite direction, inside, its
> source IP&port were matched against the "external" column, and its
> destination IP&port against the "alias" column. Then the packet's
> destination IP&port were replaced with the values from the
> "internal" column of the entry found.
>
> By specifying a redirect_address rule, just an entry was inserted
> to that table with a wildcard value for all the ports and for the
> external IP address. Upon matching, such an entry would clone into
> a new one containing the information specific for a particular
> session. Thus the solution was symmetric by design, without
> requiring 2 natd's or additional ipfw rules.
>
> P.S. As I can see, today's libalias still uses the same approach.
That's a great explanation! Thanks. I knew that NAT worked by
establishing a "session" when an inside machine initiated a
connection to the outside world and used that info the figure out how
packets going back to that inside machine from the outside address
got routed. I didn't know the internals.
So redirect_address apparently just forces a permanent entry in the
table, which would be symmetrical. Hmmmm... OK.
-- -Jim _______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
- Previous message: Diomidis Spinellis: "Re: Network pipes"
- In reply to: Yar Tikhiy: "Re: NATD and Address Redirection"
- Next in thread: Yar Tikhiy: "Re: NATD and Address Redirection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
