Julian Elischer writes:
> Nicolai Petri wrote:
> >
> > Hi hackers,
> >
> > I've spent some time writing a custom natd-like daemon which does some
> > special packet processing.
> > One of the issues with the natd approach is the large amount of
> > context-switches it gives.
> > This can be a real performance problem on very loaded networks. Would it be
> > possible to do this with netgraph instead? And what are the pros and cons
> > of this approach?
> >
> > As a second step in development, how should protocol verification
> > (ftp/smtp/whatever) be added to a netgraph firewall approach in a structured
> > and dynamically extensible way?
>
> Unfortunately, the netgraph code does not have a hook into the IP
> code, so at this time you cannot pass packets into the
> IP protocol and have them then go to netgraph.
>
> You could however put a filter onto the ethernet interface, but then you'd have
> to take into account the 14-byte header too.
I think you are not right: it is possible to use the ksocket node to
read diverted packets from firewall rules and inject them back (I use
such a setup), and I am writing a small netgraph node for doing very simple
specific NAT for high traffic, with no per-packet context switches.
# ngctl -f - << EOF
mkpeer tee dummy left2right
name .:dummy tee
mkpeer tee: ksocket left inet/raw/divert
msg tee:left bind inet/0.0.0.0:11
mkpeer tee: echo right echo
EOF
# ipfw add divert 11 ip from any to any out via someif0
The above example simply rebounces all outgoing packets from interface someif0.
There is one known problem: there is no loop-prevention mechanism for
such a scheme, and if a packet injected through the divert socket goes into
the divert socket again, we will have a kernel panic.
I have written about this problem to [EMAIL PROTECTED]
(author of the netgraph and divert mechanisms).
I think it would be really cool to have natd ported into the kernel.
> > Best regards,
> > Nicolai Petri
--
TSB Russian Express, Moscow
Vladimir B. Grebenschikov, [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message