[PATCH] ng_nat(4) redirects and rc.d script

Vadim Goncharov vadimnuclight at tpu.ru
Tue Feb 12 09:13:32 UTC 2008


Please test: http://antigreen.org/vadim/freebsd/ng_nat/ (I've ran for a  
week on a production 6.2 router without any problems).

This is a patched version of ng_nat(4) for FreeBSD 6.x, providing support
for all libalias(3) features, especially port redirections (before this
moment ng_nat(4) has supported only the basic functionality of the  

To compile kernel module:

     $ make

To load it into the running kernel:

     $ kldload ./ng_nat.ko

To view the man page documenting new messages:

     $ tbl ng_nat.4 | nroff -man | more

There is also included a convenient rcNG-style boot script, ng_nat.sh,
which allows to easily configure ng_nat(4) nodes and ipfw(8) from  
It is based on a Eugene Grosbein's version and heavily modified by me.

Example for two nodes from /etc/rc.conf:

ng_nat_nodes="simple full"       # list of node names

# Simple example - all we need is only three lines
ng_nat_simple_interface="em1"    # take IP addr from "em1"
ng_nat_simple_cookies="50 51"    # ipfw's "netgraph" arguments, "in" then  
ng_nat_simple_ipfw_rules="80 90" # ipfw rule numbers to create, "in" then  

# More complex example, in which we need custom ipfw(8) rules for several
# selected networks (default rule will catch all) and setup some  
ng_nat_full_interface=""  # external alias address
ng_nat_full_cookies="60 61"

# for custom rules these numbers are used only for deletion on shutdown;
# these can duplicate and be more than two
ng_nat_full_ipfw_rules="172 172 182"

# Actual custom rules - if not defined, rules are created automatically
ng_nat_full_ipfw_rule0="172 netgraph 60 ip from to any out  
xmit em0"
ng_nat_full_ipfw_rule1="172 netgraph 60 ip from to any out  
xmit em0"
ng_nat_full_ipfw_rule2="182 netgraph 61 ip from any to in recv em0"

# Set natd(8)-like flags for node (if not specified, node uses  
# Available flags are: log, deny_incoming, same_ports, unregistered_only,
# proxy_only, reverse, reset_on_addr_change. The last is new and means that
# after aliasing address change internal table should be cleared (breaks
# current connections like node restart).
ng_nat_full_set_mode="same_ports unregistered_only"

# Set target address for any unspecified incoming traffic, like "natd -t"

# Set up several redirection rules, each can have an optional description
# string of up to 63 chars in length. DNS hostnames are disallowed.

# natd(8) -redirect_port
ng_nat_full_redirect_port0="tcp 222"
ng_nat_full_redirect_port1="udp 3300-3399"
ng_nat_full_redirect_port1_description="For P2P and VoIP apps"

# -redirect_proto and -redirect_address (including LSNAT) can be
# specified the same way, if needed, as long as -proxy_rule.

The script also supports additional command-line keywords, along with  
"start" and "stop" ones. They include "redirect_port", "redirect_proto" and
"redirect_address", along with "list_redirects". The format is:

     $ /path/to/ng_nat.sh <keyword> <node_name> [arguments]


     $ /etc/rc.d/ng_nat.sh redirect_port full tcp 8080

This allows to add redirections "on the fly" without need to restart entire
node breaking current connections.

The "list_redirects" keyword prints table of all redirects (no matter what
type) in a pretty human-readable format. This can be used to obtain ID of
specific redirection to make it dynamic or delete it "on the fly":

     $ ngctl msg full: redirectdelete 3  # delete redirection with ID  
number 3

Enjoy! ;-)

WBR, Vadim Goncharov

More information about the freebsd-stable mailing list