code: 9ferno

ref: b548687a8ed1d0a159c9d3f3f921d93bbb56908e
dir: /nat.readme/

View raw version
This is a NAT implementation for Plan 9 from Bell Labs.

* Introduction

This is a NAPT (Network Address Port Translation) implementation,
also known under the name "IP masquerade".

This is an early work, don't expect too much from it. Improvements
will come in the next future.

* Installation

First, apply the patches with the "apply" script:

/n/sources/contrib/djc/nat/apply

Then, add "nat" to you kernel configuration file, under
section dev/ip.

Finally, compile and install your kernel.

* Documentation

First, enable routing:

echo iprouting > /net/ipifc/clone

Then, enable NAT:

echo nat add <src> <mask> <dst> > /net/ipifc/<ifc>/ctl

Where:
 - <src> is the address of the source network or machine
   allowed to pass through the NAT
 - <mask> is the corresponding mask
 - <dst> is the address to be translated to, which must
   exist on the specified interface
 - <ifc> is your network physical interface number.

You can add or remove any NAT rule you want.

* Performance

The current implementation can handle up to 800 TCP connections
per second on a Soekris net5501-70, but the performance quickly
decrease as the table grows.

* Future

We plan to implement the following features in the next future:

 - improve performance
 - improve garbage collector
 - handling of TCP and IL connection states
 - IPv6 support
 - port forwarding (you can currently use trampoline(8) instead)
 - FTP proxy
 - statistics

* History

The work began in June 2010 and quickly evolved to the current state.
Erik Quanstrom offered his help in March 2011 with code review
and suggestions. We thank him much.

* Contact

David du Colombier <[email protected]>
With the help of Jean-Baptiste Campesato <[email protected]>

> But, I could not get the routing to work. Just want to check if you do
> not mind sharing the ip configuration that made the patch work.
>
> Thanks so much for the patch,

Personally, on my NAT gateway, I was running:

bind -a '#'l1 /net
ip/ipconfig ether /net/ether1 <dst> 255.255.255.0
echo iprouting > /net/ipifc/clone

Where #l1 (which provides /net/ether1) is the internal LAN
interface and <dst> is the public WAN address (on /net/ether0).

Then, you have to enable iprouting, so the packets can pass
through the NAT.

==================
my notes from here

different ip stacks - working, can see the traffic going out from /net/ether0
-------------------
#I0 /net
	0/ bind ether /net/ether0, dhcp
		adds 192.168.88.2 /96 192.168.88.1 # from dhcp
			default route all traffic to gateway added by dhcp
				0.0.0.0 /96 192.168.88.1
	1/ bind pkt
		add 192.168.1.1 /120 192.168.1.2 - local address of the bind packet
		192.168.89.0 /120 192.168.1.2
			traffic to 192.168.89.0/120 network to the /net.alt ether ipifc			
		iprouting 1
#I1 /net.alt
	0/ bind ether /net.alt/ether1, manual address
		add 192.168.89.1 /120
		#192.168.89.0 /120 192.168.89.1 - not needed? default remote adds this?
		#	traffic to 192.168.89.0 network through 192.168.89.1
	1/ bind netdev /net/ipifc/1/data
		add 192.168.1.2 /120 192.168.1.1
		0.0.0.0/96 192.168.1.1
			default route for all traffic to /net ether ipifc
			traffic to 192.168.88.2 goes through this interface
		iprouting 1

nat traffic going out of 192.168.88.2 with a source of 192.168.89.0/120
echo nat add 192.168.89.0 /120 192.168.88.2 > /net/ipifc/0/ctl

crude test
ip/ping -n 1 192.168.88.1
ip/ping -n 1 192.168.89.1
ip/ping -n 1 1.1.1.1

script to do the above

	<>/net/ipifc/clone {
		x=`{read}
		{
			echo bind ether /net/ether0
			echo iprouting 1
		}> /net/ipifc/^$x^/ctl
		ip/dhcp -p -g 192.168.88.1 -h $sysname -x /net /net/ipifc/$x 192.168.88.2
	}
	cat /net/iproute

	bind -a '#I1' /net.alt
	bind -a '#l1' /net.alt
	<>/net.alt/ipifc/clone {
		y=`{read};
		echo $y;
		{
			echo bind ether /net.alt/ether1 ;
			echo iprouting 1;
			echo add 192.168.89.1 /120
		}> /net.alt/ipifc/$y/ctl
	}
	cat /net.alt/iproute

	# need to bind the netdev while holding the bind pkt clone open
	#	else, the ipifc will be unbound as none of it's files are being read
	<>/net/ipifc/clone {
		x=`{read};
		echo $x;
		{
			echo bind pkt;
			echo iprouting 1;
			echo add 192.168.1.1 /120 192.168.1.2
		}> /net/ipifc/$x/ctl
		<>/net.alt/ipifc/clone {
			y=`{read};
			echo $y;
			{
				echo bind netdev /net/ipifc/$x/data ;
				echo iprouting 1;
				echo add 192.168.1.2 /120 192.168.1.1
			}> /net.alt/ipifc/$y/ctl
			echo add 192.168.89.0 /120 192.168.1.2 > /net/iproute
			echo add 0.0.0.0 /96 192.168.1.1 > /net.alt/iproute
		}
	}
	echo nat add 192.168.89.0 /120 192.168.88.2 > /net/ipifc/0/ctl
	echo route after bind packet
	cat /net/iproute
	echo route after bind packet
	cat /net.alt/iproute

-------------------
TODO below does not work yet:

same ip stack
-------------
/net/ipifc/0/	ip=192.168.88.2/96 gateway=192.168.88.1
	bind ether /net/ether0
/net/ipifc/1/	ip=192.168.88.2/96 gateway=192.168.88.1
	bind ether /net/ether1

x=`{cat /net/ipifc/clone}
echo bind ether /net/ether1 >/net/ipifc/$x/cl
echo iprouting 1 > /net/ipifc/$x/ctl
echo add 192.168.88.2 255.255.255.0 >/net/ipifc/$x/ctl
echo nat add 192.168.89.2 255.255.255.0 192.168.88.2 > /net/ipifc/$x/ctl

connect a physical machine to /net/ether1
	set  static ip to 192.168.89.2 and gateway to 192.168.88.2
	ping from this machine

cannot ping 192.168.89.2 or 192.168.88.2 from the client machine

another approach
echo remove 192.168.89.1 255.255.255.0 >/net.alt/ipifc/0/ctl
echo unbind >/net.alt/ipifc/0/ctl
unmount '#l1' /net.alt
unmount '#I1' /net.alt

x=`{cat /net/ipifc/clone}
echo bind ether /net/ether1 >/net/ipifc/$x/cl
echo iprouting 1 > /net/ipifc/$x/ctl
echo add 0.0.0.0 255.255.255.0 192.168.88.2 >/net/ipifc/$x/ctl
echo nat add 192.168.89.0 255.255.255.0 192.168.88.2 > /net/ipifc/$x/ctl

connect a physical machine to /net/ether1
	set  static ip to 192.168.89.2 and gateway to 192.168.88.2
	ping from this machine

cannot ping 192.168.89.2 or 192.168.88.2 from the client machine