* Re: [9fans] ip masquerading
@ 2004-09-08 9:17 bmaroshe
0 siblings, 0 replies; 9+ messages in thread
From: bmaroshe @ 2004-09-08 9:17 UTC (permalink / raw)
To: Nikhil S, Fans of the OS Plan 9 from Bell Labs
----- Original Message -----
From: Nikhil S <nikils@gmail.com>
Date: Wednesday, September 8, 2004 12:10 pm
Subject: Re: [9fans] ip masquerading
> Just curious to know what is the plan9's equivalent
http://pages.cpsc.ucalgary.ca/~mirtchov/lanlp9/newnetwork/index.html#cpu
boris
^ permalink raw reply [flat|nested] 9+ messages in thread
* [9fans] ip masquerading @ 2004-09-08 6:44 Nikhil S 2004-09-08 8:49 ` geoff [not found] ` <497b48e52d028c9cd68b5283a6a78927@collyer.net> 0 siblings, 2 replies; 9+ messages in thread From: Nikhil S @ 2004-09-08 6:44 UTC (permalink / raw) To: 9fans How to enable ip masquerading in plan9 ? or it is not needed if both the systems are using plan9 ? thanks and regards nikhil ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ip masquerading 2004-09-08 6:44 Nikhil S @ 2004-09-08 8:49 ` geoff [not found] ` <497b48e52d028c9cd68b5283a6a78927@collyer.net> 1 sibling, 0 replies; 9+ messages in thread From: geoff @ 2004-09-08 8:49 UTC (permalink / raw) To: nikils, 9fans IP Masquerading is Linux's terminology for NA(P)T, isn't it? What are you trying to do? ^ permalink raw reply [flat|nested] 9+ messages in thread
[parent not found: <497b48e52d028c9cd68b5283a6a78927@collyer.net>]
* Re: [9fans] ip masquerading [not found] ` <497b48e52d028c9cd68b5283a6a78927@collyer.net> @ 2004-09-08 9:10 ` Nikhil S 2004-09-08 9:14 ` geoff ` (2 more replies) 0 siblings, 3 replies; 9+ messages in thread From: Nikhil S @ 2004-09-08 9:10 UTC (permalink / raw) To: 9fans Just curious to know what is the plan9's equivalent ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ip masquerading 2004-09-08 9:10 ` Nikhil S @ 2004-09-08 9:14 ` geoff 2004-09-08 9:34 ` Charles Forsyth [not found] ` <10978f9511a2be00107237fc8117c104@terzarima.net> 2 siblings, 0 replies; 9+ messages in thread From: geoff @ 2004-09-08 9:14 UTC (permalink / raw) To: nikils, 9fans There's no built-in NA(P)T. Most of the available IP facilities are described in ip(3) and the pages cited in its SEE ALSO section. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ip masquerading 2004-09-08 9:10 ` Nikhil S 2004-09-08 9:14 ` geoff @ 2004-09-08 9:34 ` Charles Forsyth [not found] ` <10978f9511a2be00107237fc8117c104@terzarima.net> 2 siblings, 0 replies; 9+ messages in thread From: Charles Forsyth @ 2004-09-08 9:34 UTC (permalink / raw) To: nikils, 9fans if a plan 9 machine has a network interface, other plan 9 machines can import that interface to use it as a gateway; to outsiders, calls made from inside machine(s) appear to come from the gateway (because they do, really). just import /net (and see below re /net.alt). the cost is extra traffic on the inside network for 9p requests, exportfs processes on the gateway, and some added latency. an advantage is that since the calls do originate on the gateway, none of the usual mess for address and port mapping is needed. programs on the inside in a name space where /net has been imported make connections by reading and writing the files in /net, but that's controlled by the gateway, so address and port assignment are consistent across all clients and for all protocols, without fuss. furthermore, if the gateway has two interfaces, one can be connected to one IP stack on the inside (say #I0), and another to a distinct IP stack on the outside (say #I1), where the two stacks are completely separate, and the outside stack can have different listeners (offer different services) compared to the inside stack. that gives you the effect of a firewall. one difference from the usual firewall is that because there is no path between the two stacks except by intervention of a program or manipulation of the name space, it's easier to ensure that nothing will leak. in other words, it isn't relying on filtering rules within a single stack in the kernel, but on having complete isolation between the two networks, as far as the kernel and IP stacks are concerned. because of a hack in dial(), if insiders bind the outside stack to /net.alt, dial will try that if a call through /net can't be made (eg, because it hasn't got the names or addresses needed). to do nat/natp, some programming is required. (others have done this but the code isn't available.) one approach is to have two stacks as above, and have a single application bind a netdev (see ip(3)) onto each, one with an inside address and the other with the external address known to outsiders. it can then copy packets between them with any filtering or transformation as required (ipmux might be helpful). it again adds a bit of latency, but no network traffic (and it will work for non plan 9 clients). the ftp/dns/http protocol-specific code is in user mode. it is possible to mix these approaches. ^ permalink raw reply [flat|nested] 9+ messages in thread
[parent not found: <10978f9511a2be00107237fc8117c104@terzarima.net>]
* Re: [9fans] ip masquerading [not found] ` <10978f9511a2be00107237fc8117c104@terzarima.net> @ 2004-09-08 10:08 ` Nikhil S 2004-09-08 10:23 ` Charles Forsyth 2004-09-08 12:59 ` Russ Cox 0 siblings, 2 replies; 9+ messages in thread From: Nikhil S @ 2004-09-08 10:08 UTC (permalink / raw) To: 9fans When you import gateway's outside ip stack as /net.alt and try to ping /net.alt/<outside ipaddress> i can understand that the ping packet is sent from gateway's outside ip stack using its outside ipaddress etc. what happens when the ping response comes back. will that packet be forwarded to both gateway and inside machine ? or only to inside machine ? how does this internally work. i mean when you import /net.alt the ippacket with header is forwarded or without header ? i havent seen kernel code. just curious ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ip masquerading 2004-09-08 10:08 ` Nikhil S @ 2004-09-08 10:23 ` Charles Forsyth 2004-09-08 12:59 ` Russ Cox 1 sibling, 0 replies; 9+ messages in thread From: Charles Forsyth @ 2004-09-08 10:23 UTC (permalink / raw) To: nikils, 9fans [-- Attachment #1: Type: text/plain, Size: 1363 bytes --] it goes back to the port that sent it, which is always on the gateway machine, which corresponds to a file in /net/icmp/ on the gateway but if another node has imported that, and that node did the ping, it's something like this: node imports /net from gateway (import(4) dials exportfs(4) service on gateway) gateway starts a gateway.exportfs serving 9P ... node opens imported /net/icmp/clone 9P: Topen -> gateway.exportfs exportfs opens appropriate file on gateway Ropen <- gateway.exportfs node writes to the opened file Twrite -> gateway.exportfs gateway.exportfs does the write to the file on gateway gateway.IPstack -> ICMP packet on net on port P Rwrite <- gateway.exportfs gateway.IPstack <- ICMP responses, queued for port P's file ... node reads opened file Tread -> gateway.exportfs gateway.exportfs does the read of file on gateway Rread <- gateway.exportfs (with data for port P's file) ... where the T- and R-messages are 9P messages on the channel set up by import(4) between node and the exportfs(4) on the gateway, assuming the gateway provides that service (see listen(8)). the kernel doesn't do anything special, which is indeed the point, so reading the kernel code wouldn't be particularly helpful. man 4 import, man 4 exportfs, and man 3 ip would be more helpful. [-- Attachment #2: Type: message/rfc822, Size: 3045 bytes --] From: Nikhil S <nikils@gmail.com> To: 9fans <9fans@cse.psu.edu> Subject: Re: [9fans] ip masquerading Date: Wed, 8 Sep 2004 15:38:38 +0530 Message-ID: <de0199910409080308331204f2@mail.gmail.com> When you import gateway's outside ip stack as /net.alt and try to ping /net.alt/<outside ipaddress> i can understand that the ping packet is sent from gateway's outside ip stack using its outside ipaddress etc. what happens when the ping response comes back. will that packet be forwarded to both gateway and inside machine ? or only to inside machine ? how does this internally work. i mean when you import /net.alt the ippacket with header is forwarded or without header ? i havent seen kernel code. just curious ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [9fans] ip masquerading 2004-09-08 10:08 ` Nikhil S 2004-09-08 10:23 ` Charles Forsyth @ 2004-09-08 12:59 ` Russ Cox 1 sibling, 0 replies; 9+ messages in thread From: Russ Cox @ 2004-09-08 12:59 UTC (permalink / raw) To: Nikhil S, Fans of the OS Plan 9 from Bell Labs ping is a program that works by accessing files in /net/icmp (or /net.alt/icmp). when you import another machine's /net/icmp directory and run ping, you are using the other machine's ip stack -- the other machine is doing the pinging. you wouldn't even need ip on the local machine, assuming you had some other way to get at the alternate machine's /net. russ ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2004-09-08 12:59 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2004-09-08 9:17 [9fans] ip masquerading bmaroshe -- strict thread matches above, loose matches on Subject: below -- 2004-09-08 6:44 Nikhil S 2004-09-08 8:49 ` geoff [not found] ` <497b48e52d028c9cd68b5283a6a78927@collyer.net> 2004-09-08 9:10 ` Nikhil S 2004-09-08 9:14 ` geoff 2004-09-08 9:34 ` Charles Forsyth [not found] ` <10978f9511a2be00107237fc8117c104@terzarima.net> 2004-09-08 10:08 ` Nikhil S 2004-09-08 10:23 ` Charles Forsyth 2004-09-08 12:59 ` Russ Cox
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).