NATD and Address Redirection
Jim Durham
durham at jcdurham.com
Sat Jul 26 19:13:09 PDT 2003
On Saturday 26 July 2003 03:13 am, you wrote:
> On Sat, Jul 26, 2003 at 02:22:05AM +0200, Clement Laforet wrote:
> > for incoming traffic, you must use -redirect_address, but for
> > outgoing you have to set -alias_address.
> > If you want to use a specific public IP to map incoming AND
> > outgoing packets, you need to run 2 natd, using ipfw matching.
>
> I'm afraid this is not exactly correct.
>
> IIRC when 5 years ago I was hacking natd and libalias to use them
> for transparent HTTP proxying, their internals looked rather clear.
> In a nutshell, they were as follows.
>
> There was a translation table inside libalias with 3 columns in it:
> the internal connection point (IP&port), alias point, and external
> point.
>
> When a packet was heading outside, its source IP&port were matched
> against the "internal" column, and its destination IP&port against
> the "external" column. If an entry were found, the packet's source
> IP&port would be replaced with the values from the "alias" column.
>
> When a packet was going in the opposite direction, inside, its
> source IP&port were matched against the "external" column, and its
> destination IP&port against the "alias" column. Then the packet's
> destination IP&port were replaced with the values from the
> "internal" column of the entry found.
>
> By specifying a redirect_address rule, just an entry was inserted
> to that table with a wildcard value for all the ports and for the
> external IP address. Upon matching, such an entry would clone into
> a new one containing the information specific for a particular
> session. Thus the solution was symmetric by design, without
> requiring 2 natd's or additional ipfw rules.
>
> P.S. As I can see, today's libalias still uses the same approach.
That's a great explanation! Thanks. I knew that NAT worked by
establishing a "session" when an inside machine initiated a
connection to the outside world and used that info the figure out how
packets going back to that inside machine from the outside address
got routed. I didn't know the internals.
So redirect_address apparently just forces a permanent entry in the
table, which would be symmetrical. Hmmmm... OK.
--
-Jim
More information about the freebsd-hackers
mailing list