Date:      Thu, 5 Jul 2001 17:15:09 -0700 (PDT)
From:      Julian Elischer <julian@elischer.org>
To:        "Vladimir B. Grebenschikov" <vova@express.ru>
Cc:        Nicolai Petri <freebsd@petri.cc>, freebsd-hackers@freebsd.org
Subject:   Re: An netgraph firewall module ? Is this possible / good performing ?
Message-ID:  <Pine.BSF.4.21.0107051713540.21114-100000@InterJet.elischer.org>
In-Reply-To: <15172.58536.932722.980245@vbook.express.ru>

You are correct. I had forgotten about that.


On Fri, 6 Jul 2001, Vladimir B. Grebenschikov wrote:

> Julian Elischer writes:
>  > Nicolai Petri wrote:
>  > > 
>  > > Hi hackers,
>  > > 
>  > > I've used some time writing a custom natd-like daemon which does some
>  > > special packet processing.
>  > > One of the issues with the natd approach is the large amount of
>  > > context switches it gives.
>  > > This can be a real performance problem on very loaded networks. Would it be
>  > > possible to do this with netgraph instead? And what are the pros and cons
>  > > of this approach?
>  > > 
>  > > As a second step in development, how should protocol verification
>  > > (ftp/smtp/whatever) be added to a netgraph firewall approach in a structured
>  > > and dynamically extendable way?
>  > 
>  > Unfortunately, the netgraph code does not have a hook into the IP
>  > code, so at this time you cannot pass packets into the
>  > IP protocol and have them then go to netgraph.
>  > 
>  > You could however put a filter onto the ethernet interface, but then you'd have
>  > to take into account the 14 byte header too.
> 
> I think you are not right; it is possible to use a ksocket node to
> read diverted packets from firewall rules and inject them back (I use
> such a setup), and I have written a small netgraph node for doing a very simple
> specific NAT for high traffic, with no per-packet context switches.
> 
> # ngctl -f - << EOF
> mkpeer tee dummy left2right
> name .:dummy tee
> mkpeer tee: ksocket left inet/raw/divert
> msg tee:left bind inet/0.0.0.0:11
> mkpeer tee: echo right echo
> EOF
> # ipfw divert 11 ip from any to any out via someif0
> 
> The above example simply rebounces all outgoing packets from interface someif0.
> 
> There is one known problem: there is no working loop-prevention mechanism for
> such a scheme, and if a packet injected through the divert socket goes into the
> divert socket again, we will have a kernel panic.
> 
> I have written about this problem to archie@whistle.com
> (author of the netgraph and divert mechanisms).


Actually I wrote netgraph and divert with Archie, so you might send me a
more detailed description :-)


> 
> I think it would be really cool to have natd ported into the kernel.
> 
>  > > Best regards,
>  > > Nicolai Petri
> 
> --
> TSB Russian Express, Moscow
> Vladimir B. Grebenschikov, vova@express.ru
> 





