From owner-freebsd-hackers Thu Jul 5 15: 4:19 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from vbook.express.ru (h170.37.elnet.msk.ru [195.58.37.170]) by hub.freebsd.org (Postfix) with ESMTP id E3D9537B408 for ; Thu, 5 Jul 2001 15:04:06 -0700 (PDT) (envelope-from vova@express.ru)
Received: from vova by vbook.express.ru with local (Exim 3.22 #1) id 15IHFZ-0003As-00; Fri, 06 Jul 2001 02:05:29 +0400
From: "Vladimir B. Grebenschikov"
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15172.58536.932722.980245@vbook.express.ru>
Date: Fri, 6 Jul 2001 02:05:28 +0400 (MSD)
To: Julian Elischer
Cc: Nicolai Petri , freebsd-hackers@freebsd.org
Subject: Re: An netgraph firewall module ? Is this possible / good performing ?
In-Reply-To: <3B3C198F.F21EABB3@elischer.org>
References: <008e01c0fafd$034e8000$8632a8c0@atomic.dk> <3B3C198F.F21EABB3@elischer.org>
X-Mailer: VM 6.72 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Julian Elischer writes:

> Nicolai Petri wrote:
> >
> > Hi hackers,
> >
> > I've used some time writing a custom natd-like daemon which makes some
> > special packet processing.
> > One of the issues with the natd approach is the large amount of
> > context switches it gives.
> > This can be a real performance problem on very loaded networks. Would it be
> > possible to do this with netgraph instead? And what are the pros and cons
> > of this approach?
> >
> > As a second step in development, how should protocol verification
> > (ftp/smtp/whatever) be added to a netgraph firewall approach in a structured
> > and dynamically extendable way?
>
> Unfortunately, the netgraph code does not have a hook into the IP
> code, so at this time you cannot pass packets into the
> IP protocol and have them then go to netgraph.
>
> You could however put a filter onto the ethernet interface, but then you'd have
> to take into account the 14-byte header too.

I think you are not right: it is possible to use a ksocket node to read
diverted packets from firewall rules and inject them back (I use such a
setup), and I have written a small netgraph node for doing very simple,
specific NAT for high traffic, with no per-packet context switches.

# ngctl -f - << EOF
mkpeer tee dummy left2right
name .:dummy tee
mkpeer tee: ksocket left inet/raw/divert
msg tee:left bind inet/0.0.0.0:11
mkpeer tee: echo right echo
EOF
# ipfw add divert 11 ip from any to any out via someif0

The above example simply rebounces all outgoing packets from interface someif0.

There is one known problem: there is no working loop-prevention mechanism
for such a scheme, and if a packet injected through the divert socket goes
into the divert socket again, we will have a kernel panic. I have written
about this problem to archie@whistle.com (author of the netgraph and divert
mechanisms).

I think it would be really cool to have natd ported into the kernel.

> > Best regards,
> > Nicolai Petri

--
TSB Russian Express, Moscow
Vladimir B. Grebenschikov, vova@express.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
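As an added illustration (not code from the post or from FreeBSD), here is a small Python model of the graph in the ngctl script above: ng_tee, ng_echo and the divert-bound ng_ksocket as stub nodes, wired to a stub ip_output that applies the single ipfw divert rule. With the rule as written the re-injected packet is diverted again indefinitely, which is the loop that panics the real kernel; the per-packet "already diverted" mark used when `guard=True` is an assumed stand-in for the loop prevention the post says is missing, and `MAX_PASSES`, the hook names and the packet are constructed for the model.

```python
MAX_PASSES = 16  # stand-in for the point where the real kernel would panic

def connect(a, ahook, b, bhook):  # ngctl mkpeer/connect: wire two hooks together
    a.hooks[ahook], b.hooks[bhook] = (b, bhook), (a, ahook)

class Tee:  # ng_tee: data arriving on "left" goes out "right" and vice versa
    def __init__(self): self.hooks = {}
    def recv(self, hook, pkt):
        node, peerhook = self.hooks[{"left": "right", "right": "left"}[hook]]
        node.recv(peerhook, pkt)

class Echo:  # ng_echo: bounce every packet back out the hook it arrived on
    def __init__(self): self.hooks = {}
    def recv(self, hook, pkt):
        node, peerhook = self.hooks[hook]
        node.recv(peerhook, pkt)

class KSocket:  # ng_ksocket bound to inet/raw/divert, port 11
    def __init__(self): self.hooks, self.stack = {}, None
    def from_divert(self, pkt):  # read from the divert socket -> out the hook
        node, peerhook = self.hooks["inet/raw/divert"]
        node.recv(peerhook, pkt)
    def recv(self, hook, pkt):  # data on the hook -> written back to the divert socket
        self.stack.output(pkt)

class IPStack:  # stub ip_output with "ipfw add divert 11 ip from any to any out via someif0"
    def __init__(self, ksock, guard):
        self.ksock, self.guard, self.sent = ksock, guard, []
        ksock.stack = self
    def output(self, pkt):
        pkt["passes"] += 1
        if pkt["passes"] > MAX_PASSES:
            raise RecursionError("re-divert loop: the real kernel panics here")
        if pkt["out_if"] == "someif0" and not (self.guard and pkt["diverted"]):
            pkt["diverted"] = True       # assumed guard mark: diverted once already
            self.ksock.from_divert(pkt)
        else:
            self.sent.append(pkt)        # packet finally leaves via someif0

def run(guard):
    """Build the graph from the ngctl script, push one constructed packet, report."""
    tee, ksock, echo = Tee(), KSocket(), Echo()
    connect(tee, "left", ksock, "inet/raw/divert")  # mkpeer tee: ksocket left inet/raw/divert
    connect(tee, "right", echo, "echo")             # mkpeer tee: echo right echo
    stack = IPStack(ksock, guard)
    pkt = {"out_if": "someif0", "passes": 0, "diverted": False}  # constructed packet
    try:
        stack.output(pkt)
        return "sent", pkt["passes"], len(stack.sent)
    except RecursionError:
        return "loop", pkt["passes"], len(stack.sent)
```

`run(False)` reports the loop after MAX_PASSES trips through ip_output with nothing ever leaving the box; `run(True)` shows the packet diverted once, bounced back by ng_echo and then sent on the second pass.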