[6.x patchset] Ipfw nat and libalias modules
Iasen Kostov
tbyte at otel.net
Tue May 2 11:38:39 UTC 2006
On Sun, 2006-04-30 at 15:57 +0200, Paolo Pisati wrote:
> I just released a new revision of my libalias+ipfw work as a
> patchset for 6.x, get it here:
> http://mercurio.srv.dsi.unimi.it/~pisati/libalias/libalias-6.x.tgz
>
> To apply it:
>
> cp libalias_ipfw.patch /usr/src
> cd /usr/src
> patch -p3 < libalias_ipfw.patch
>
> then you have to recompile & install:
>
> kernel, sbin/ipfw, sbin/natd, sbin/ppp, lib/libalias,
> sys/modules/ipfw, sys/modules/libalias
>
> or simply do a world.
>
> With this patch you get:
>
> -ipfw nat + redirect + LSNAT support
>
> -libalias modules (both in user and kernel land)
> -for kernel land, all the libalias modules are installed
> in /boot/kernel as alias_*.ko.
> -for user land (natd & ppp), modules are shared lib
> loaded according to /etc/libalias.conf. To reload
> modules for a known process, just 'kill -HUP $PID' it.
> -natd & ppp are patched to use libalias modules
>
> If your natd/ppp/ipfw behaves strangely after you applied my
> patch (i.e. active ftp stops working), remember to check
> libalias modules.
>
> Some ipfw examples:
>
> ipfw add nat 666 all from any to any via $IF
>
> ipfw nat 666 confg ip 192.168.0.1 # nat with a fixed address
>
> ipfw nat 666 confg if $IF log # dynamic if addr nat and logging
>
> ipfw nat 666 confg if $IF redir_port ... # redirect support with
> ipfw nat 666 confg if $IF redir_addr ... # linkspec natd syntax,
> ipfw nat 666 confg if $IF redir_proto ... # LSNAT works too.
>
> # different ipfw rules can be redirected to use
> # the same nat instance
>
> ipfw add nat 666 all from $IP1 to any via $IF1
> ipfw add nat 666 all from any to any via $IF2 out
> ipfw add nat 666 all from $IP2 to $IP3
>
> ipfw nat show # see logs
> ipfw nat show config # nat configuration
>
> To load/unload a libalias module (kernel):
>
> kldload alias_ftp # active ftp work ok now
> kldunload alias_ftp
>
> To load/unload a libalias module (user):
>
> [edit /etc/libalias.conf and add/cut needed modules]
> kill -HUP $PID
>
> For more info see the readme inside the archive.
>
> TODO:
> Not tested on SMP & !i386, logging ability should be improved (right now
> it's the same as original libalias), documentation should be man-pagified,
> patchset for 7.x, etc. etc.
>
> bye
Have you done any performance comparisons with pf's NAT? I really would
prefer libalias based kernel NAT to pf because libalias works better
with ftp, irc dcc and things like that (VoIP would be nice too :P ). So
the only reason I've not put it in production is because it's too new and
untested, but as soon as I upgrade my home router to 6.x I'll test it
more extensively. Btw, what is the status of the multi-session to the same
point PPTP NAT (e.g. call ID tracking)?
More information about the freebsd-net mailing list