From owner-freebsd-hackers Thu Jul 5 15:35:18 2001
Date: Thu, 5 Jul 2001 17:15:09 -0700 (PDT)
From: Julian Elischer
To: "Vladimir B. Grebenschikov"
Cc: Nicolai Petri, freebsd-hackers@freebsd.org
Subject: Re: An netgraph firewall module ? Is this possible / good performing ?
In-Reply-To: <15172.58536.932722.980245@vbook.express.ru>

You are correct. I had forgotten about that.

On Fri, 6 Jul 2001, Vladimir B. Grebenschikov wrote:

> Julian Elischer writes:
> > Nicolai Petri wrote:
> > >
> > > Hi hackers,
> > >
> > > I've used some time writing a custom natd-like daemon which does some
> > > special packet processing.
> > > One of the issues with the natd approach is the large number of
> > > context switches it gives.
> > > This can be a real performance problem on very loaded networks. Would it be
> > > possible to do this with netgraph instead? And what are the pros and cons
> > > of this approach?
> > >
> > > As a second step in development, how should protocol verification
> > > (ftp/smtp/whatever) be added to a netgraph firewall approach in a structured
> > > and dynamically extendable way?
> >
> > Unfortunately, the netgraph code does not have a hook into the IP
> > code, so at this time you cannot pass packets into the
> > IP protocol and have them then go to netgraph.
> >
> > You could however put a filter onto the ethernet interface, but then you'd have
> > to take into account the 14 byte header too.
>
> I think you are not right, it is possible to use a ksocket node to
> read diverted packets from firewall rules and inject them back (I use
> such a setup), and I have written a small netgraph node for doing very simple
> specific NAT for high traffic, with no per-packet context switches.
>
> # ngctl -f - << EOF
> mkpeer tee dummy left2right
> name .:dummy tee
> mkpeer tee: ksocket left inet/raw/divert
> msg tee:left bind inet/0.0.0.0:11
> mkpeer tee: echo right echo
> EOF
> # ipfw add divert 11 ip from any to any out via someif0
>
> The above example simply rebounces all outgoing packets from interface someif0.
>
> There is one known problem: there is no working loop-prevention mechanism for
> such a scheme, and if a packet injected through the divert socket goes into the
> divert socket again we will have a kernel panic.
>
> I have written about this problem to archie@whistle.com
> (author of netgraph and divert mechanisms)

Actually I wrote netgraph and divert with Archie, so you might send me a more
detailed description :-)

>
> I think it would be really cool to have natd ported into the kernel.
>
> > > Best regards,
> > > Nicolai Petri
> >
> --
> TSB Russian Express, Moscow
> Vladimir B. Grebenschikov, vova@express.ru