Date:      Fri, 6 Jul 2001 02:05:28 +0400 (MSD)
From:      "Vladimir B. Grebenschikov" <vova@express.ru>
To:        Julian Elischer <julian@elischer.org>
Cc:        Nicolai Petri <freebsd@petri.cc>, freebsd-hackers@freebsd.org
Subject:   Re: An netgraph firewall module ? Is this possible / good performing ?
Message-ID:  <15172.58536.932722.980245@vbook.express.ru>
In-Reply-To: <3B3C198F.F21EABB3@elischer.org>
References:  <008e01c0fafd$034e8000$8632a8c0@atomic.dk> <3B3C198F.F21EABB3@elischer.org>

Julian Elischer writes:
 > Nicolai Petri wrote:
 > > 
 > > Hi hackers,
 > > 
 > > I've used some time writing a custom natd-like daemon which does some
 > > special packet processing.
 > > One of the issues with the natd approach is the large amount of
 > > context switches it gives.
 > > This can be a real performance problem on very loaded networks. Would it be
 > > possible to do this with netgraph instead? And what are the pros and cons
 > > of this approach?
 > > 
 > > As a second step in development, how should protocol verification
 > > (ftp/smtp/whatever) be added to a netgraph firewall approach in a structured
 > > and dynamically extendable way?
 > 
 > Unfortunately, the netgraph code does not have a hook into the IP
 > code, so at this time you cannot pass packets into the
 > IP protocol and have them then go to netgraph.
 > 
 > You could however put a filter onto the ethernet interface, but then you'd have
 > to take into account the 14-byte header too.

I think you are not right: it is possible to use a ksocket node to
read diverted packets from firewall rules and inject them back (I use
such a setup), and I have written a small netgraph node that does very simple,
specific NAT for high traffic, with no per-packet context switches.

# ngctl -f - << EOF
# tee node hangs off our ngctl socket via its "left2right" hook (copies only)
mkpeer tee dummy left2right
name .:dummy tee
# "left": a ksocket node wrapping a raw divert socket, bound to divert port 11
mkpeer tee: ksocket left inet/raw/divert
msg tee:left bind inet/0.0.0.0:11
# "right": an echo node, so everything read from the divert socket is sent
# straight back through the tee and reinjected via the same divert socket
mkpeer tee: echo right echo
EOF
# ipfw add divert 11 ip from any to any out via someif0

The example above simply rebounces all outgoing packets from interface someif0.

There is one known problem: there is no working loop-prevention mechanism for
such a scheme, and if a packet injected through the divert socket goes into the
divert socket again, we will have a kernel panic.

I have written about this problem to archie@whistle.com
(author of the netgraph and divert mechanisms).

I think it would be really cool to have natd ported into the kernel.

 > > Best regards,
 > > Nicolai Petri

--
TSB Russian Express, Moscow
Vladimir B. Grebenschikov, vova@express.ru
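The tee/ksocket/echo divert graph from the mail, as an added example that is not part of the original message or of the poster's own code: a sh script that renders the ngctl(8) and ipfw(8) commands from parameters, checks the result of `ngctl show` before opening the divert rule, and tears everything down in the reverse order. Assumptions not in the mail: ipfw rule number 1000, the `ipfw add` spelling of the rule, and a constructed `ngctl show tee:` sample that exists only so the checker can be exercised without a running netgraph stack. The loop problem the mail describes is not addressed here; the script only makes the setup reproducible.

```shell
#!/bin/sh
# Added example, not from the original mail: the tee/ksocket/echo divert graph
# wrapped in functions so it can be rendered, verified and torn down.
# Assumptions: ipfw rule number 1000, node name "tee", and a constructed
# `ngctl show` sample used only to exercise the checker offline.

# Render the ngctl(8) script that builds the graph (ngctl -f ignores '#' lines):
#   ngctl --dummy/left2right--> tee --left--> ksocket (divert socket on $port)
#                                  \--right--> echo (bounces data straight back)
render_ngctl_script() {
    port="$1"; node="${2:-tee}"
    cat <<EOF
mkpeer tee dummy left2right
name .:dummy $node
mkpeer $node: ksocket left inet/raw/divert
msg $node:left bind inet/0.0.0.0:$port
mkpeer $node: echo right echo
EOF
}

# Render the ipfw rule that diverts outgoing packets on $iface to $port.
# The rule number is optional but makes teardown unambiguous.
render_ipfw_rule() {
    port="$1"; iface="$2"; rulenum="${3:-}"
    printf 'ipfw add %sdivert %s ip from any to any out via %s\n' \
        "${rulenum:+$rulenum }" "$port" "$iface"
}

# Check one row of `ngctl show <node>:` output: column 1 is the local hook,
# column 3 the peer node type. Succeeds only if that pairing is present.
hook_connected() {
    printf '%s\n' "$1" | awk -v h="$2" -v t="$3" \
        '$1 == h && $3 == t { found = 1 } END { exit found ? 0 : 1 }'
}

# The graph is usable only when both peers hang off the tee node.
verify_graph() {
    hook_connected "$1" left ksocket && hook_connected "$1" right echo
}

# Build the graph first, then open the divert rule, so nothing is diverted to
# a port no socket is bound to yet. Must run as root on FreeBSD.
apply() {
    port="$1"; iface="$2"; rulenum="$3"; node="${4:-tee}"
    render_ngctl_script "$port" "$node" | ngctl -f -
    verify_graph "$(ngctl show "$node:")" || { echo "graph not built" >&2; return 1; }
    eval "$(render_ipfw_rule "$port" "$iface" "$rulenum")"
}

# Reverse order on teardown: stop diverting before dismantling the graph.
# Peers are addressed through the tee's hooks ("tee:left" is the ksocket node,
# shutting it down closes the divert socket). A hookless tee may remove itself,
# so the final shutdown is allowed to find it already gone.
teardown() {
    rulenum="$1"; node="${2:-tee}"
    ipfw delete "$rulenum"
    ngctl shutdown "$node:left"
    ngctl shutdown "$node:right"
    ngctl shutdown "$node:" 2>/dev/null || true
}

# Constructed sample in the layout of `ngctl show tee:` (not captured from a
# real system); lets verify_graph run without a netgraph stack.
SAMPLE_SHOW='  Name: tee             Type: tee             ID: 00000004   Num hooks: 3
  Local hook      Peer name       Peer type    Peer ID         Peer hook
  ----------      ---------       ---------    -------         ---------
  right           <unnamed>       echo         00000006        echo
  left            <unnamed>       ksocket      00000005        inet/raw/divert
  left2right      ngctl1234       socket       00000001        dummy'

case "${1:-}" in
    apply)    apply "$2" "$3" "${4:-1000}" ;;                 # apply <port> <iface> [rule]
    teardown) teardown "${2:-1000}" ;;                        # teardown [rule]
    render)   render_ngctl_script "${2:-11}"                  # render [port] [iface]
              render_ipfw_rule "${2:-11}" "${3:-someif0}" 1000 ;;
esac
```

`sh divert-graph.sh render 11 someif0` prints the same commands the mail shows, with the tee node named and the rule numbered; `apply` and `teardown` need root and a kernel with netgraph and ipfw divert. Building the graph before adding the rule, and verifying it with `ngctl show`, avoids the window in which the divert rule exists but no socket is bound to its port.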
