You are correct. I had forgotten about that.
On Fri, 6 Jul 2001, Vladimir B. Grebenschikov wrote:
> Julian Elischer writes:
> > Nicolai Petri wrote:
> > >
> > > Hi hackers,
> > >
> > > I've used some time writing a custom natd-like daemon which does some
> > > special packet processing.
> > > One of the issues with the natd approach is the large number of
> > > context switches it causes.
> > > This can be a real performance problem on very loaded networks. Would it be
> > > possible to do this with netgraph instead? And what are the pros and cons
> > > of this approach?
> > >
> > > As a second step in development, how should protocol verification
> > > (ftp/smtp/whatever) be added to a netgraph firewall approach in a structured
> > > and dynamically extensible way?
> >
> > Unfortunately, the netgraph code does not have a hook into the IP
> > code so at this time you cannot pass packets into the
> > IP protocol and have them then go to netgraph.
> >
> > You could however put a filter onto the ethernet interface, but then you'd have
> > to take into account the 14 byte header too.
>
> I think you are not right; it is possible to use a ksocket node to
> read diverted packets from firewall rules and inject them back (I use
> such a setup), and I have written a small netgraph node that does a very simple,
> specific NAT for high traffic, with no per-packet context switches.
>
> # ngctl -f - << EOF
> mkpeer tee dummy left2right
> name .:dummy tee
> mkpeer tee: ksocket left inet/raw/divert
> msg tee:left bind inet/0.0.0.0:11
> mkpeer tee: echo right echo
> EOF
> # ipfw divert 11 ip from any to any out via someif0
>
> The above example simply re-bounces all outgoing packets from interface someif0.
>
> There is one known problem: there is no working loop-prevention mechanism for
> such a scheme, and if a packet injected through the divert socket goes into the
> divert socket again, we will have a kernel panic.
>
> I have written about this problem to [EMAIL PROTECTED]
> (author of netgraph and divert mechanisms)
Actually I wrote netgraph and divert with Archie, so you might send me a
more detailed description :-)
>
> I think it would be really cool to have natd ported into the kernel.
>
> > > Best regards,
> > > Nicolai Petri
>
> --
> TSB Russian Express, Moscow
> Vladimir B. Grebenschikov, [EMAIL PROTECTED]
>
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
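Added example, not from the thread or from any of the posters: a skeletal natd-style divert daemon in C showing the userland half of what the ksocket/tee graph above does in the kernel, and the loop-prevention point Vladimir raises. On recvfrom() from a divert socket the kernel fills sin_port with the number of the ipfw rule that diverted the packet and sin_addr with 0.0.0.0 for outgoing packets; handing that same sockaddr back to sendto() makes ipfw resume processing after the diverting rule, so the re-injected packet cannot be diverted by the same rule again. The recvfrom()/sendto() pair per packet is also the context-switch cost Nicolai's question is about. Divert port 11 matches the rule in the thread; the NAT address 192.0.2.1, the sample packet, and all function names are assumptions made for this example. IPPROTO_DIVERT is defined locally so the file also compiles on non-FreeBSD systems, but it only does useful work as root on a FreeBSD host with the divert rule loaded.

```c
/* Skeletal natd-style divert daemon (added example, not natd's code). */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254      /* FreeBSD's value; defined here so it builds elsewhere */
#endif

#define DIVERT_PORT 11          /* same divert port as "ipfw divert 11 ..." in the thread */

/* RFC 1071 one's-complement checksum over bytes (endian- and alignment-safe). */
uint16_t ip_checksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    while (n > 1) { sum += ((uint32_t)p[0] << 8) | p[1]; p += 2; n -= 2; }
    if (n) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;      /* host order; store big-endian */
}

/* Toy "NAT": rewrite the IPv4 source address and fix the header checksum.
 * new_src is in network byte order. Returns 0 on success, -1 if not IPv4/too short. */
int rewrite_src(uint8_t *pkt, size_t len, uint32_t new_src) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len) return -1;
    memcpy(pkt + 12, &new_src, 4);
    pkt[10] = pkt[11] = 0;
    uint16_t c = ip_checksum(pkt, hlen);
    pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)(c & 0xff);
    return 0;
}

/* sin_addr == 0.0.0.0 marks an outgoing packet on a divert socket. */
int divert_is_outgoing(const struct sockaddr_in *from) {
    return from->sin_addr.s_addr == INADDR_ANY;
}

/* The ipfw rule number that diverted the packet; ipfw resumes after it on sendto(). */
int divert_rule_number(const struct sockaddr_in *from) {
    return ntohs(from->sin_port);
}

/* Constructed sample: a 20-byte IPv4 header, 10.0.0.1 -> 198.51.100.1, proto UDP. */
size_t build_sample_packet(uint8_t *buf, size_t cap) {
    if (cap < 20) return 0;
    memset(buf, 0, 20);
    buf[0] = 0x45; buf[3] = 20; buf[8] = 64; buf[9] = 17;
    uint32_t src = htonl(0x0A000001u), dst = htonl(0xC6336401u);
    memcpy(buf + 12, &src, 4); memcpy(buf + 16, &dst, 4);
    uint16_t c = ip_checksum(buf, 20);
    buf[10] = (uint8_t)(c >> 8); buf[11] = (uint8_t)(c & 0xff);
    return 20;
}

/* Read diverted packets, rewrite outgoing ones, re-inject. Needs root on FreeBSD. */
int run_divert_daemon(uint16_t divert_port, uint32_t nat_src) {
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return -1; }
    struct sockaddr_in bind_addr;
    memset(&bind_addr, 0, sizeof bind_addr);
    bind_addr.sin_family = AF_INET;
    bind_addr.sin_port = htons(divert_port);   /* divert port, not a TCP/UDP port */
    if (bind(fd, (struct sockaddr *)&bind_addr, sizeof bind_addr) < 0) {
        perror("bind"); close(fd); return -1;
    }
    static uint8_t buf[65535];
    for (;;) {
        struct sockaddr_in from; socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) { if (errno == EINTR) continue; perror("recvfrom"); break; }
        if (divert_is_outgoing(&from) && rewrite_src(buf, (size_t)n, nat_src) < 0)
            continue;                           /* drop what we cannot parse */
        /* Re-inject with the SAME sockaddr: ipfw continues after rule
         * divert_rule_number(&from), so this rule cannot divert it again.
         * That is the loop prevention the ksocket/echo graph does not have. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, flen) < 0)
            perror("sendto");
    }
    close(fd);
    return 0;
}

int main(void) {
    return run_divert_daemon(DIVERT_PORT, inet_addr("192.0.2.1")) == 0 ? 0 : 1;
}
```

The divert rule in the thread pairs with this daemon as-is; the sendto() address is the one recvfrom() returned, which is exactly what natd does, and is what a kernel-side node would have to reproduce to avoid the panic Vladimir describes.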