Re: Multiple NAT router



Brett Glass wrote:

At 08:09 AM 7/24/2006, Marko Zec wrote:

Yes this should work with a virtualized stack - all the "outside" interfaces
in each jail / virtual stack could be simply bridged together using netgraph
which is virtualization-agnostic, i.e. a global facility in the current
implementation of "vimage".


Does this virtualization facility virtualize the arp table? It would need to, because there would be hosts with duplicate addresses inside each interface.


yes it virtualises the entire network system

look for 'vimage FreeBSD' under google,

unfortunately it is 4.x only at the moment but you may be able to use a 4.x machine.


I've been noodling over this for two weeks now, and am thinking that the easiest thing to do might be to map every address in each "virtual" router to a unique address from FreeBSD's point of view (i.e. 192.168.0.2 on LAN 1 becomes 10.0.0.2, while 192.168.0.2 on LAN 1 becomes 10.0.1.2, etc.). The translation would be done by "hooks" as close as possible to the interfaces, so FreeBSD's stack wouldn't know it was being done.

netgraph shims?
netgraph can shim into the interfaces the way you suggest. man ng_ether.



All that would be needed in that case would be to do "dumb" address translation at the interfaces -- transparently to FreeBSD -- just before the packets entered and left. This seems to be the method that would leverage FreeBSD's existing facilities the most, since FreeBSD's own routing, NAT, etc. would "just work" as they always do. I'd need to figure out what to do about protocols like DHCP... I don't know if DHCP will assign addresses that are not on the subnet it "thinks" it's talking to. And I might need to hack into the content of some packets. For example, I'd have to make ARP work.

If I were to try this, the question would of course be which "hook" to use to capture the packets (BPF? Divert sockets? Netgraph? Something in IPFW? A hook into the driver?)... and whether I could use existing code to do the bilateral translation or would have to hack an "address smasher".

--Brett Glass
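Brett's per-interface "address smasher" idea, worked through as an added example (this is not code from the thread, from FreeBSD or from netgraph): a Python model of a shim that maps 192.168.0.x on LAN n to 10.0.n.x on the way in and back on the way out, so the host stack only ever sees unique addresses. The 192.168.0.0/24 LAN prefix and the 10.0.n.0/24 mapping are taken from his example addresses; the function names and the constructed frames are assumptions. It also shows why the translation is not quite "dumb": the IPv4 header checksum, the TCP/UDP pseudo-header checksums and the addresses inside ARP payloads all have to be rewritten, which is exactly the ARP problem he anticipates.

```python
"""Model of a per-LAN bilateral address translation shim (added example, not thread code).

Assumed layout, from Brett's example addresses: hosts on every LAN live in
192.168.0.0/24, and LAN number n is presented to the host stack as 10.0.n.0/24.
"""
import ipaddress
import struct

LAN_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN-side prefix
ETH_IP, ETH_ARP = 0x0800, 0x0806


def global_net(lan: int) -> ipaddress.IPv4Network:
    """Unique prefix the host stack sees for LAN n (assumption: 10.0.n.0/24)."""
    return ipaddress.ip_network(f"10.0.{lan}.0/24")


def to_global(lan: int, ip: bytes) -> bytes:
    """Ingress: LAN address -> unique stack address; anything off the LAN prefix passes through."""
    addr = ipaddress.IPv4Address(ip)
    if addr in LAN_NET:
        return (global_net(lan).network_address + (int(addr) - int(LAN_NET.network_address))).packed
    return ip


def to_local(lan: int, ip: bytes) -> bytes:
    """Egress: unique stack address -> LAN address; anything else passes through."""
    addr, gnet = ipaddress.IPv4Address(ip), global_net(lan)
    if addr in gnet:
        return (LAN_NET.network_address + (int(addr) - int(gnet.network_address))).packed
    return ip


def checksum(data: bytes) -> int:
    """Internet one's-complement checksum (RFC 1071); returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_ipv4(pkt: bytes, xlate) -> bytes:
    """Rewrite src/dst of one IPv4 packet and repair the IP and TCP/UDP checksums."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    first_fragment = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0
    src, dst = xlate(pkt[12:16]), xlate(pkt[16:20])
    hdr = bytearray(pkt[:ihl])
    hdr[12:16], hdr[16:20], hdr[10:12] = src, dst, b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    body = bytearray(pkt[ihl:])
    # TCP/UDP checksums cover a pseudo-header that includes both addresses, so they
    # change too; only the first fragment carries the transport header.
    if proto in (6, 17) and first_fragment and len(body) >= 8:
        off = 16 if proto == 6 else 6
        if not (proto == 17 and body[6:8] == b"\x00\x00"):  # UDP 0 means "no checksum"
            body[off:off + 2] = b"\x00\x00"
            pseudo = src + dst + struct.pack("!BBH", 0, proto, len(body))
            csum = checksum(pseudo + bytes(body))
            if proto == 17 and csum == 0:
                csum = 0xFFFF  # a computed UDP checksum of 0 is transmitted as all-ones
            body[off:off + 2] = struct.pack("!H", csum)
    return bytes(hdr) + bytes(body)


def rewrite_arp(pkt: bytes, xlate) -> bytes:
    """ARP carries protocol addresses in its payload (sender at 14, target at 24): rewrite them."""
    if len(pkt) < 28 or pkt[4:6] != b"\x06\x04":  # only Ethernet/IPv4 ARP is handled
        return pkt
    return pkt[:14] + xlate(pkt[14:18]) + pkt[18:24] + xlate(pkt[24:28]) + pkt[28:]


def translate_frame(frame: bytes, lan: int, ingress: bool) -> bytes:
    """Apply the shim to one Ethernet frame entering from (ingress) or leaving to (egress) LAN n."""
    xlate = (lambda ip: to_global(lan, ip)) if ingress else (lambda ip: to_local(lan, ip))
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_IP:
        payload = rewrite_ipv4(payload, xlate)
    elif ethertype == ETH_ARP:
        payload = rewrite_arp(payload, xlate)
    return frame[:14] + payload


def build_udp_frame(src: str, dst: str, payload: bytes = b"hi") -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + UDP with valid checksums."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    udp = bytearray(struct.pack("!HHHH", 1234, 53, 8 + len(payload), 0) + payload)
    udp[6:8] = struct.pack("!H", checksum(s + d + struct.pack("!BBH", 0, 17, len(udp)) + bytes(udp)) or 0xFFFF)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, s, d))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_IP) + bytes(ip) + bytes(udp)


def build_arp_request(spa: str, tpa: str) -> bytes:
    """Constructed sample frame: Ethernet/IPv4 ARP request from spa asking who has tpa."""
    sha = b"\x02" * 6
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1, sha, ipaddress.IPv4Address(spa).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(tpa).packed)
    return b"\xff" * 6 + sha + struct.pack("!H", ETH_ARP) + arp


def verify_udp_frame(frame: bytes) -> bool:
    """True when both the IPv4 header and the UDP checksum of a UDP frame verify."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if checksum(ip[:ihl]) != 0:
        return False
    udp = ip[ihl:]
    return checksum(ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], len(udp)) + udp) == 0
```

Running a frame from 192.168.0.2 on LAN 1 through `translate_frame(..., ingress=True)` yields a frame the stack sees as coming from 10.0.1.2, and the egress call maps it back byte-for-byte. The ARP case is the one Brett flags: without `rewrite_arp`, a host on LAN 2 would ask for 192.168.0.1 but the stack only knows 10.0.2.1. DHCP is the same problem one layer up, since yiaddr/ciaddr and the subnet option all sit in the payload, so a shim of this shape needs a per-protocol rewriter for every protocol that carries addresses in its body.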

_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
