Re: Avoiding natd overhead



On 10/22/06, Vladimir Grebenschikov <vova@xxxxxxx> wrote:
On Sat, 21/10/2006 at 16:08 -0600, Brett Glass wrote:
> At 03:54 AM 10/21/2006, Vladimir Grebenschikov wrote:
>
> > 1. use PF for nat - it does aliasing in kernel space
>
> True, but it doesn't let me translate the packets and
> then continue processing within the firewall -- which
> is necessary if you want to catch unregistered destination
> addresses BEFORE translation and then unregistered source
> addresses AFTER translation.
>
> > 2. use in-kernel libalias implementation
> > (I guess man-page for ng_nat(4) will help)
>
> Same problem. I don't know how I could send packets
> through a Netgraph node in the middle of processing
> by IPFW and then bring them back at the next rule.

Some years ago, I managed to use the ksocket interface to catch divert
packets from ipfw and even return them back (surprisingly, it did support
the divert AF).

But be careful, it is easy to get an infinite loop in the kernel with this
technique. Probably some loop prevention has appeared since then, but I am
not sure.

Yes, one can use mbuf_tags(9) to prevent loops.


> I suppose that one solution might be, for lack of a
> better term, a "kernel divert socket," which would
> pass packets through a kernel module rather than a
> user process. (This could actually be used to speed
> up many things for which the current "userland"
> divert sockets are now used.) It would then be
> possible to make a "nat.ko" module, and either
> provide a utility to control it or roll that
> functionality into ipfw(8).
>
> --Brett
>
--
Vladimir B. Grebenschikov
vova@xxxxxxx
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"



--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
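To make the loop problem and the mbuf_tags(9) remedy concrete, here is an added userland model (not code from this thread, and not FreeBSD kernel code). It mimics the shape of the kernel API with assumed names: tag_locate stands in for m_tag_locate(), tag_attach for m_tag_alloc() plus m_tag_prepend(), NAT_COOKIE and NAT_TAG_DONE are constructed identifiers, and the addresses are constructed. The firewall is three rules in the order Brett describes (unregistered destination before NAT, divert, unregistered source after NAT), and a packet the NAT node reinjects re-enters the firewall at rule 1, which is exactly what makes the untagged version spin.

```c
/*
 * Userland model of loop prevention with mbuf tags for an in-kernel NAT
 * node fed from a divert rule. Constructed example; struct shapes and the
 * helper names only mimic m_tag_locate/m_tag_alloc/m_tag_prepend.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NAT_COOKIE   0x4e41545fu  /* constructed module cookie */
#define NAT_TAG_DONE 1            /* tag type: packet already passed through NAT */

struct m_tag { struct m_tag *next; uint32_t cookie; uint16_t type; };
struct mbuf  { struct m_tag *tags; uint32_t src; uint32_t dst; };

/* First tag matching cookie and type, or NULL (cf. m_tag_locate). */
static struct m_tag *tag_locate(const struct mbuf *m, uint32_t cookie, uint16_t type)
{
    for (struct m_tag *t = m->tags; t != NULL; t = t->next)
        if (t->cookie == cookie && t->type == type)
            return t;
    return NULL;
}

/* Allocate and prepend a tag (cf. m_tag_alloc + m_tag_prepend). */
static bool tag_attach(struct mbuf *m, uint32_t cookie, uint16_t type)
{
    struct m_tag *t = malloc(sizeof *t);
    if (t == NULL)
        return false;
    t->cookie = cookie; t->type = type; t->next = m->tags;
    m->tags = t;
    return true;
}

static void tags_free(struct mbuf *m)
{
    while (m->tags != NULL) {
        struct m_tag *t = m->tags;
        m->tags = t->next;
        free(t);
    }
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define PUBLIC_ADDR IP4(203, 0, 113, 1) /* constructed external address */
#define MAX_PASSES  1000                /* loop detector for the model only */

/* RFC 1918 space stands in for "unregistered" addresses. */
static bool is_private(uint32_t ip)
{
    return (ip >> 24) == 10 || (ip >> 20) == (IP4(172, 16, 0, 0) >> 20) ||
           (ip >> 16) == (IP4(192, 168, 0, 0) >> 16);
}

enum verdict { VERDICT_ACCEPT, VERDICT_DENY, VERDICT_LOOP };
enum nat_result { NAT_PASS, NAT_REINJECTED };
struct stats { int fw_passes; int translations; };

/* The NAT node: translate once, mark the packet, and skip it on a revisit. */
static enum nat_result nat_node(struct mbuf *m, bool loop_guard, struct stats *st)
{
    if (loop_guard && tag_locate(m, NAT_COOKIE, NAT_TAG_DONE) != NULL)
        return NAT_PASS;    /* second visit: let the firewall go on to the next rule */
    if (loop_guard && !tag_attach(m, NAT_COOKIE, NAT_TAG_DONE))
        return NAT_PASS;    /* no memory for a tag: never reinject untagged */
    if (is_private(m->src)) {
        m->src = PUBLIC_ADDR;
        st->translations++;
    }
    return NAT_REINJECTED;  /* reinjected packets restart at rule 1 */
}

static enum verdict firewall(struct mbuf *m, bool loop_guard, struct stats *st)
{
    for (;;) {
        if (++st->fw_passes > MAX_PASSES)
            return VERDICT_LOOP;
        if (is_private(m->dst))            /* rule 100: bad dst BEFORE translation */
            return VERDICT_DENY;
        if (nat_node(m, loop_guard, st) == NAT_REINJECTED) /* rule 200: divert */
            continue;
        if (is_private(m->src))            /* rule 300: bad src AFTER translation */
            return VERDICT_DENY;
        return VERDICT_ACCEPT;
    }
}

/* Run one packet through the model; st receives the pass/translation counts. */
static enum verdict run_packet(uint32_t src, uint32_t dst, bool loop_guard, struct stats *st)
{
    struct mbuf m = { .tags = NULL, .src = src, .dst = dst };
    st->fw_passes = 0; st->translations = 0;
    enum verdict v = firewall(&m, loop_guard, st);
    tags_free(&m);
    return v;
}

static int model_verdict(uint32_t s, uint32_t d, bool g) { struct stats st; return run_packet(s, d, g, &st); }
static int model_passes(uint32_t s, uint32_t d, bool g)  { struct stats st; run_packet(s, d, g, &st); return st.fw_passes; }
static int model_xlate(uint32_t s, uint32_t d, bool g)   { struct stats st; run_packet(s, d, g, &st); return st.translations; }

int main(void)
{
    uint32_t s = IP4(10, 0, 0, 5), d = IP4(198, 51, 100, 7);
    printf("untagged: verdict=%d passes=%d\n", model_verdict(s, d, false), model_passes(s, d, false));
    printf("tagged:   verdict=%d passes=%d\n", model_verdict(s, d, true), model_passes(s, d, true));
    return 0;
}
```

The tag is keyed on a cookie plus a type, so another node (or a second NAT instance with its own cookie) can keep its own marks on the same packet without colliding; the tag travels with the mbuf through the reinject, which is what a plain "have I seen this packet" table cannot do cheaply. The pattern also shows why the rule order matters: the destination check runs on the untranslated packet, and the source check only after the NAT node has declined to reinject.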