From: "Vadim Goncharov"
Organization: AVTF TPU Hostel
To: freebsd-current@freebsd.org, freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Date: Tue, 12 Feb 2008 14:51:32 +0600
Subject: [PATCH] ng_nat(4) redirects and rc.d script
List-Id: Networking and TCP/IP with FreeBSD
Hello!

Please test: http://antigreen.org/vadim/freebsd/ng_nat/ (I've run it for a week on a production 6.2 router without any problems).

This is a patched version of ng_nat(4) for FreeBSD 6.x, providing support for all libalias(3) features, especially port redirections (before this, ng_nat(4) supported only the basic functionality of the library).

To compile the kernel module:

$ make

To load it into the running kernel:

$ kldload ./ng_nat.ko

To view the man page documenting the new messages:

$ tbl ng_nat.4 | nroff -man | more

There is also included a convenient rcNG-style boot script, ng_nat.sh, which allows you to easily configure ng_nat(4) nodes and ipfw(8) from rc.conf(5). It is based on Eugene Grosbein's version and heavily modified by me.

Example for two nodes from /etc/rc.conf:

ng_nat_nodes="simple full"          # list of node names

# Simple example - all we need is only three lines
ng_nat_simple_interface="em1"       # take IP addr from "em1"
ng_nat_simple_cookies="50 51"       # ipfw's "netgraph" arguments, "in" then "out"
ng_nat_simple_ipfw_rules="80 90"    # ipfw rule numbers to create, "in" then "out"

# More complex example, in which we need custom ipfw(8) rules for several
# selected networks (default rule will catch all) and setup some redirections.
ng_nat_full_interface="1.2.3.4"     # external alias address
ng_nat_full_cookies="60 61"
# for custom rules these numbers are used only for deletion on shutdown;
# these can duplicate and be more than two
ng_nat_full_ipfw_rules="172 172 182"
# Actual custom rules - if not defined, rules are created automatically
ng_nat_full_ipfw_rule0="172 netgraph 60 ip from 172.16.0.0/25 to any out xmit em0"
ng_nat_full_ipfw_rule1="172 netgraph 60 ip from 172.16.0.128/27 to any out xmit em0"
ng_nat_full_ipfw_rule2="182 netgraph 61 ip from any to 1.2.3.4 in recv em0"
# Set natd(8)-like flags for the node (if not specified, node uses "same_ports")
# Available flags are: log, deny_incoming, same_ports, unregistered_only,
# proxy_only, reverse, reset_on_addr_change. The last is new and means that
# after an aliasing address change the internal table should be cleared (breaks
# current connections, like a node restart).
ng_nat_full_set_mode="same_ports unregistered_only"
# Set target address for any unspecified incoming traffic, like "natd -t"
ng_nat_full_set_target="172.16.0.100"
# Set up several redirection rules, each can have an optional description
# string of up to 63 chars in length. DNS hostnames are disallowed.
# natd(8) -redirect_port
ng_nat_full_redirect_port0="tcp 172.16.0.1:22 222"
ng_nat_full_redirect_port1="udp 172.16.0.2:2300-2399 3300-3399"
ng_nat_full_redirect_port1_description="For P2P and VoIP apps"
ng_nat_full_redirect_port2="tcp 172.16.0.101:80,172.16.0.102:80,172.16.0.103:80 1.2.3.4:80"
# -redirect_proto and -redirect_address (including LSNAT) can be
# specified the same way, if needed, as well as -proxy_rule.

The script also supports additional command-line keywords, along with the standard "start" and "stop" ones. They include "redirect_port", "redirect_proto" and "redirect_address", along with "list_redirects". The format is:

$ /path/to/ng_nat.sh [arguments]

e.g.
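As an added example (not the ng_nat.sh script itself, and not code from the post), the following POSIX sh fragment shows how the ng_nat_<node>_* variables above can be read back and turned into the ipfw(8) rules a node would get: the custom ipfw_ruleN lines where they are defined, otherwise automatically built "in"/"out" rules paired from the cookies and ipfw_rules lists. The rc.conf values are the post's own; the shape of the automatic rules, the names getvar, node_rules, node_rule_count and shutdown_delete, and the de-duplication of rule numbers before deletion are assumptions of this example. It only prints the commands, so it runs without ipfw or netgraph present.

```shell
#!/bin/sh
# Added example (hypothetical, not ng_nat.sh): dry-run the ipfw(8) rule
# handling implied by the ng_nat_<node>_* rc.conf variables in the post.

# Constructed rc.conf fragment, same values as the post's two-node example.
ng_nat_nodes="simple full"
ng_nat_simple_interface="em1"
ng_nat_simple_cookies="50 51"
ng_nat_simple_ipfw_rules="80 90"
ng_nat_full_interface="1.2.3.4"
ng_nat_full_cookies="60 61"
ng_nat_full_ipfw_rules="172 172 182"
ng_nat_full_ipfw_rule0="172 netgraph 60 ip from 172.16.0.0/25 to any out xmit em0"
ng_nat_full_ipfw_rule1="172 netgraph 60 ip from 172.16.0.128/27 to any out xmit em0"
ng_nat_full_ipfw_rule2="182 netgraph 61 ip from any to 1.2.3.4 in recv em0"

# getvar NODE KEY: value of ng_nat_<NODE>_<KEY>, empty if unset
getvar() {
    eval "printf '%s' \"\${ng_nat_${1}_${2}}\""
}

# node_rules NODE: print one "ipfw add ..." line per rule the node gets.
# Custom ng_nat_<NODE>_ipfw_ruleN lines win; otherwise two automatic rules
# are built from interface, cookies ("in" then "out") and ipfw_rules
# ("in" then "out"). The automatic rule shape is this example's assumption.
node_rules() {
    node=$1
    i=0
    rule=$(getvar "$node" "ipfw_rule$i")
    if [ -n "$rule" ]; then
        # Custom rules: emit ruleN while defined (rule numbers may repeat)
        while [ -n "$rule" ]; do
            printf 'ipfw add %s\n' "$rule"
            i=$((i + 1))
            rule=$(getvar "$node" "ipfw_rule$i")
        done
        return 0
    fi
    iface=$(getvar "$node" interface)
    set -- $(getvar "$node" cookies);    in_cookie=$1; out_cookie=$2
    set -- $(getvar "$node" ipfw_rules); in_rule=$1;   out_rule=$2
    [ -n "$iface" ] && [ -n "$out_cookie" ] && [ -n "$out_rule" ] || return 1
    printf 'ipfw add %s netgraph %s ip from any to any in recv %s\n' \
        "$in_rule" "$in_cookie" "$iface"
    printf 'ipfw add %s netgraph %s ip from any to any out xmit %s\n' \
        "$out_rule" "$out_cookie" "$iface"
}

# node_rule_count NODE: number of rules node_rules would add
node_rule_count() {
    node_rules "$1" | wc -l | tr -d ' '
}

# shutdown_delete NODE: "ipfw delete N" for each distinct number in
# ng_nat_<NODE>_ipfw_rules (the post says these are what "stop" deletes;
# collapsing duplicates such as "172 172" is this example's choice)
shutdown_delete() {
    for n in $(getvar "$1" ipfw_rules); do echo "$n"; done \
        | sort -un | sed 's/^/ipfw delete /'
}

for n in $ng_nat_nodes; do
    echo "# node $n: start"
    node_rules "$n"
    echo "# node $n: stop"
    shutdown_delete "$n"
done
```

Running it prints two automatic rules for "simple" and the three custom rules for "full", followed by the deletions each node's "stop" would issue; note that a custom node's ipfw_rules list must name every rule number its ruleN lines use, or some rules survive shutdown.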
$ /etc/rc.d/ng_nat.sh redirect_port full tcp 172.16.0.8:80 8080

This allows adding redirections "on the fly" without the need to restart the entire node, which would break current connections.

The "list_redirects" keyword prints a table of all redirects (no matter what type) in a pretty, human-readable format. This can be used to obtain the ID of a specific redirection in order to make it dynamic or delete it "on the fly":

$ ngctl msg full: redirectdelete 3    # delete redirection with ID number 3

Enjoy! ;-)

-- 
WBR, Vadim Goncharov
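Whether a redirect_port spec comes from rc.conf or from the command line as above, it ends up as a netgraph control message, so a script should check it before handing it over. The following POSIX sh validator is an added example, not part of the posted script: it encodes the format used in the post (proto, one or more target addr:port or addr:lo-hi entries separated by commas for LSNAT, then an alias port, range or addr:port) and rejects hostnames, which the post says are disallowed. The function names is_ipv4, is_port_or_range and validate_redirect_port and the printed summary line are this example's own.

```shell
#!/bin/sh
# Added example: validate a "redirect_port" spec of the form used in the post,
#   proto target[:port|:lo-hi][,target:port...] alias[:port|:lo-hi]
# before it is passed on to ngctl(8). Not part of ng_nat.sh.

# is_ipv4 ADDR: dotted quad with octets 0-255. Hostnames are rejected,
# since the post says DNS names are not allowed in redirect specs.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_port_or_range P: a single port 1-65535 or a range lo-hi with lo <= hi
is_port_or_range() {
    case $1 in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
    case $1 in
        *-*) lo=${1%-*}; hi=${1#*-} ;;
        *)   lo=$1; hi=$1 ;;
    esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# validate_redirect_port "proto targets alias": returns 0 and prints a
# one-line summary, or returns 1 if any part is malformed
validate_redirect_port() {
    set -- $1
    [ $# -eq 3 ] || return 1
    proto=$1; targets=$2; alias=$3
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    # Comma-separated target list (LSNAT); every entry must be addr:port[-port]
    oldifs=$IFS; IFS=,
    set -- $targets
    IFS=$oldifs
    n=0
    for t in "$@"; do
        case $t in *:*) ;; *) return 1 ;; esac
        is_ipv4 "${t%%:*}" || return 1
        is_port_or_range "${t#*:}" || return 1
        n=$((n + 1))
    done
    [ "$n" -ge 1 ] || return 1
    # Alias side: a bare port/range, or addr:port/range
    case $alias in
        *:*) is_ipv4 "${alias%%:*}" || return 1
             is_port_or_range "${alias#*:}" || return 1 ;;
        *)   is_port_or_range "$alias" || return 1 ;;
    esac
    printf 'proto=%s targets=%s alias=%s\n' "$proto" "$n" "$alias"
}

# Constructed inputs: the three specs from the post's rc.conf example,
# plus a hostname target that must be refused
for spec in "tcp 172.16.0.1:22 222" \
            "udp 172.16.0.2:2300-2399 3300-3399" \
            "tcp 172.16.0.101:80,172.16.0.102:80,172.16.0.103:80 1.2.3.4:80" \
            "tcp www.example.com:80 80"; do
    if validate_redirect_port "$spec"; then :; else echo "rejected: $spec"; fi
done
```

The checks are deliberately stricter than a shell word count: a wrong protocol, a port above 65535, an inverted range or a non-numeric address all fail before anything reaches the node, which is where a typo in rc.conf would otherwise surface as a confusing ngctl error.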