Date: Tue, 12 Feb 2008 14:51:32 +0600 From: "Vadim Goncharov" <vadimnuclight@tpu.ru> To: freebsd-current@freebsd.org, freebsd-net@freebsd.org, freebsd-stable@freebsd.org Subject: [PATCH] ng_nat(4) redirects and rc.d script Message-ID: <opt6elj6r24fjv08@nuclight.avtf.net>
next in thread | raw e-mail | index | archive | help
Hello! Please test: http://antigreen.org/vadim/freebsd/ng_nat/ (I've ran for a week on a production 6.2 router without any problems). This is a patched version of ng_nat(4) for FreeBSD 6.x, providing support for all libalias(3) features, especially port redirections (before this moment ng_nat(4) has supported only the basic functionality of the library). To compile kernel module: $ make To load it into the running kernel: $ kldload ./ng_nat.ko To view the man page documenting new messages: $ tbl ng_nat.4 | nroff -man | more There is also included a convenient rcNG-style boot script, ng_nat.sh, which allows to easily configure ng_nat(4) nodes and ipfw(8) from rc.conf(5). It is based on a Eugene Grosbein's version and heavily modified by me. Example for two nodes from /etc/rc.conf: ng_nat_nodes="simple full" # list of node names # Simple example - all we need is only three lines ng_nat_simple_interface="em1" # take IP addr from "em1" ng_nat_simple_cookies="50 51" # ipfw's "netgraph" arguments, "in" then "out" ng_nat_simple_ipfw_rules="80 90" # ipfw rule numbers to create, "in" then "out" # More complex example, in which we need custom ipfw(8) rules for several # selected networks (default rule will catch all) and setup some redirections. ng_nat_full_interface="1.2.3.4" # external alias address ng_nat_full_cookies="60 61" # for custom rules these numbers are used only for deletion on shutdown; # these can duplicate and be more than two ng_nat_full_ipfw_rules="172 172 182" # Actual custom rules - if not defined, rules are created automatically ng_nat_full_ipfw_rule0="172 netgraph 60 ip from 172.16.0.0/25 to any out xmit em0" ng_nat_full_ipfw_rule1="172 netgraph 60 ip from 172.16.0.128/27 to any out xmit em0" ng_nat_full_ipfw_rule2="182 netgraph 61 ip from any to 1.2.3.4 in recv em0" # Set natd(8)-like flags for node (if not specified, node uses "same_ports") # Available flags are: log, deny_incoming, same_ports, unregistered_only, # proxy_only, reverse, reset_on_addr_change. The last is new and means that # after aliasing address change internal table should be cleared (breaks # current connections like node restart). ng_nat_full_set_mode="same_ports unregistered_only" # Set target address for any unspecified incoming traffic, like "natd -t" ng_nat_full_set_target="172.16.0.100" # Set up several redirection rules, each can have an optional description # string of up to 63 chars in length. DNS hostnames are disallowed. # natd(8) -redirect_port ng_nat_full_redirect_port0="tcp 172.16.0.1:22 222" ng_nat_full_redirect_port1="udp 172.16.0.2:2300-2399 3300-3399" ng_nat_full_redirect_port1_description="For P2P and VoIP apps" ng_nat_full_redirect_port2="tcp 172.16.0.101:80,172.16.0.102:80,172.16.0.103:80 1.2.3.4:80" # -redirect_proto and -redirect_address (including LSNAT) can be # specified the same way, if needed, as long as -proxy_rule. The script also supports additional command-line keywords, along with standard "start" and "stop" ones. They include "redirect_port", "redirect_proto" and "redirect_address", along with "list_redirects". The format is: $ /path/to/ng_nat.sh <keyword> <node_name> [arguments] e.g. $ /etc/rc.d/ng_nat.sh redirect_port full tcp 172.16.0.8:80 8080 This allows to add redirections "on the fly" without need to restart entire node breaking current connections. The "list_redirects" keyword prints table of all redirects (no matter what type) in a pretty human-readable format. This can be used to obtain ID of specific redirection to make it dynamic or delete it "on the fly": $ ngctl msg full: redirectdelete 3 # delete redirection with ID number 3 Enjoy! ;-) -- WBR, Vadim Goncharov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?opt6elj6r24fjv08>