[PATCH] ng_nat(4) redirects and rc.d script
vadimnuclight at tpu.ru
Tue Feb 12 09:13:32 UTC 2008
Please test: http://antigreen.org/vadim/freebsd/ng_nat/ (I've ran for a
week on a production 6.2 router without any problems).
This is a patched version of ng_nat(4) for FreeBSD 6.x, providing support
for all libalias(3) features, especially port redirections (before this
moment ng_nat(4) has supported only the basic functionality of the
To compile kernel module:
To load it into the running kernel:
$ kldload ./ng_nat.ko
To view the man page documenting new messages:
$ tbl ng_nat.4 | nroff -man | more
There is also included a convenient rcNG-style boot script, ng_nat.sh,
which allows to easily configure ng_nat(4) nodes and ipfw(8) from
It is based on a Eugene Grosbein's version and heavily modified by me.
Example for two nodes from /etc/rc.conf:
ng_nat_nodes="simple full" # list of node names
# Simple example - all we need is only three lines
ng_nat_simple_interface="em1" # take IP addr from "em1"
ng_nat_simple_cookies="50 51" # ipfw's "netgraph" arguments, "in" then
ng_nat_simple_ipfw_rules="80 90" # ipfw rule numbers to create, "in" then
# More complex example, in which we need custom ipfw(8) rules for several
# selected networks (default rule will catch all) and setup some
ng_nat_full_interface="188.8.131.52" # external alias address
# for custom rules these numbers are used only for deletion on shutdown;
# these can duplicate and be more than two
ng_nat_full_ipfw_rules="172 172 182"
# Actual custom rules - if not defined, rules are created automatically
ng_nat_full_ipfw_rule0="172 netgraph 60 ip from 172.16.0.0/25 to any out
ng_nat_full_ipfw_rule1="172 netgraph 60 ip from 172.16.0.128/27 to any out
ng_nat_full_ipfw_rule2="182 netgraph 61 ip from any to 184.108.40.206 in recv em0"
# Set natd(8)-like flags for node (if not specified, node uses
# Available flags are: log, deny_incoming, same_ports, unregistered_only,
# proxy_only, reverse, reset_on_addr_change. The last is new and means that
# after aliasing address change internal table should be cleared (breaks
# current connections like node restart).
# Set target address for any unspecified incoming traffic, like "natd -t"
# Set up several redirection rules, each can have an optional description
# string of up to 63 chars in length. DNS hostnames are disallowed.
# natd(8) -redirect_port
ng_nat_full_redirect_port0="tcp 172.16.0.1:22 222"
ng_nat_full_redirect_port1="udp 172.16.0.2:2300-2399 3300-3399"
ng_nat_full_redirect_port1_description="For P2P and VoIP apps"
# -redirect_proto and -redirect_address (including LSNAT) can be
# specified the same way, if needed, as long as -proxy_rule.
The script also supports additional command-line keywords, along with
"start" and "stop" ones. They include "redirect_port", "redirect_proto" and
"redirect_address", along with "list_redirects". The format is:
$ /path/to/ng_nat.sh <keyword> <node_name> [arguments]
$ /etc/rc.d/ng_nat.sh redirect_port full tcp 172.16.0.8:80 8080
This allows to add redirections "on the fly" without need to restart entire
node breaking current connections.
The "list_redirects" keyword prints table of all redirects (no matter what
type) in a pretty human-readable format. This can be used to obtain ID of
specific redirection to make it dynamic or delete it "on the fly":
$ ngctl msg full: redirectdelete 3 # delete redirection with ID
WBR, Vadim Goncharov
More information about the freebsd-stable