From: Iasen Kostov
To: Paolo Pisati
Cc: FreeBSD_Net
Subject: Re: [6.x patchset] Ipfw nat and libalias modules
Date: Tue, 02 May 2006 14:38:35 +0300

On Sun, 2006-04-30 at 15:57 +0200, Paolo Pisati wrote:
> I just released a new revision of my libalias+ipfw work as a
> patchset for 6.x, get it here:
> http://mercurio.srv.dsi.unimi.it/~pisati/libalias/libalias-6.x.tgz
>
> To apply it:
>
> cp libalias_ipfw.patch /usr/src
> cd /usr/src
> patch -p3 < libalias_ipfw.patch
>
> then you have to recompile & install:
>
> kernel, sbin/ipfw, sbin/natd, sbin/ppp, lib/libalias,
> sys/modules/ipfw, sys/modules/libalias
>
> or simply do a world.
>
> With this patch you get:
>
> -ipfw nat + redirect + LSNAT support
>
> -libalias modules (both in user and kernel land)
>     -for kernel land, all the libalias modules are installed
>      in /boot/kernel as alias_*.ko.
>     -for user land (natd & ppp), modules are shared lib
>      loaded according to /etc/libalias.conf. To reload
>      modules for a known process, just 'kill -HUP $PID' it.
> -natd & ppp are patched to use libalias modules
>
> If your natd/ppp/ipfw behaves strangely after you applied my
> patch (i.e. active ftp stops working), remember to check
> libalias modules.
>
> Some ipfw examples:
>
> ipfw add nat 666 all from any to any via $IF
>
> ipfw nat 666 confg ip 192.168.0.1 # nat with a fixed address
>
> ipfw nat 666 confg if $IF log # dynamic if addr nat and logging
>
> ipfw nat 666 confg if $IF redir_port ...  # redirect support with
> ipfw nat 666 confg if $IF redir_addr ...  # linkspec natd syntax,
> ipfw nat 666 confg if $IF redir_proto ... # LSNAT works too.
>
> # different ipfw rules can be redirected to use
> # the same nat instance
>
> ipfw add nat 666 all from $IP1 to any via $IF1
> ipfw add nat 666 all from any to any via $IF2 out
> ipfw add nat 666 all from $IP2 to $IP3
>
> ipfw nat show # see logs
> ipfw nat show config # nat configuration
>
> To load/unload a libalias module (kernel):
>
> kldload alias_ftp # active ftp work ok now
> kldunload alias_ftp
>
> To load/unload a libalias module (user):
>
> [edit /etc/libalias.conf and add/cut needed modules]
> kill -HUP $PID
>
> For more info see the readme inside the archive.
>
> TODO:
> Not tested on SMP & !i386, logging ability should be improved (right now
> it's the same as original libalias), documentation should be man-pagified,
> patchset for 7.x, etc etc
>
> bye

Have you done any performance comparisons with pf's NAT? I really
would prefer libalias-based kernel NAT over pf because libalias works
better with ftp, irc dcc and things like that (VoIP would be nice too :P).
So the only reason I've not put it in production is because it's too new
and untested, but as soon as I upgrade my home router to 6.x I'll test
it more extensively. Btw, what is the status of the multi-session to the
same point PPTP NAT (e.g. call ID tracking)?