9fans - fans of the OS Plan 9 from Bell Labs
From: "Devon H. O'Dell" <devon.odell@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] NAT implementation
Date: Wed, 15 Apr 2009 08:32:14 -0400	[thread overview]
Message-ID: <9ab217670904150532l6e9805dcvc339b03c7892aba9@mail.gmail.com> (raw)
In-Reply-To: <bfdb2cad0904150503o510badf5pe0aa2222ef4fd29a@mail.gmail.com>

2009/4/15 Patrick Kristiansen <patrick.kasserer@gmail.com>:
> Hello 9fans.
> I'm thinking of writing a NAT implementation for plan 9. I have searched the
> archives and I'm not quite sure how to get started.

Hi Patrick,

> As I see it there could be three ways of approaching this:
> 1. User space implementation using ipmux
> 2. User space using pkt interfaces in ipifc.
> 3. Kernel using something like sources/dho/nfil

I think #2 would be an easily testable and maybe more `correct' way to
do this in Plan 9. I think doing an implementation directly in the IP
path is easier, overall, but that's where my experience lies anyway.

nfil is horribly broken. I wrote it some years ago when I was first
getting into Plan 9, Plan 9's C, and kernel stuff. Also, I wasn't
horribly experienced with C at the time either; I think last time I
looked at nfil, there were at least several memory leaks.

> Do you have any advice on how to capture packets and how to send them out
> again after replacing src/dst addr and port?

It's not quite that simple. At the simplest, when the packet goes out,
you have to keep a tab on the destination host / port and source host
/ port. When a packet comes in, you look up the source host / port in
the hash table (hashed by dest host / port). You rewrite the packet.
You have to regenerate the packet checksum after rewriting it. You
send it back out.

(If you're doing the rewriting in userland, you may be able to avoid
doing a recalculation of the checksum, as the kernel may notice it's
bad and re-write it, thinking it's trash.)

> Are there any ways of testing NAT in a virtual machine? Right now I'm using
> vmware and it would be nice to be able to test it without setting up a real
> machine with two Ethernet interfaces.

Sure, configure a couple of VMs with host-only networking and set up their
IP addresses accordingly.

> -Patrick Kristiansen

--dho
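The rewrite-then-re-checksum step Devon describes above, as an added example that is not code from this thread or from Plan 9: an outbound source-NAT rewrite of an IPv4/UDP packet in portable C that patches the affected checksums incrementally (RFC 1624) and then confirms them with a full recomputation. It goes one step beyond the post in also patching the UDP checksum, which covers the source address through the pseudo-header, not just the IP header checksum. The addresses, ports and payload in `demo()` are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One's complement carry fold of a 32-bit running sum into 16 bits. */
static uint16_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }

/* RFC 1071 Internet checksum; a header whose checksum field is already correct yields 0. */
uint16_t cksum(const uint8_t *b, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)b[i] << 8 | b[i + 1];
    if (n & 1) s += (uint32_t)b[n - 1] << 8;
    return (uint16_t)~fold(s);
}

/* RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), for one 16-bit word changing
   from m to mp, so the NAT need not re-sum the whole datagram for every rewrite. */
uint16_t cksum_update(uint16_t hc, uint16_t m, uint16_t mp) {
    return (uint16_t)~fold((uint16_t)~hc + (uint16_t)~m + mp);
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* UDP checksum over pseudo-header + segment; returns 0 when the field already verifies. */
uint16_t udp_cksum(const uint8_t *pkt, size_t len) {
    uint8_t ph[12] = {0};
    memcpy(ph, pkt + 12, 8); ph[9] = 17; ph[10] = pkt[24]; ph[11] = pkt[25];
    return (uint16_t)~fold((uint16_t)~cksum(ph, 12) + (uint16_t)~cksum(pkt + 20, len - 20));
}

/* Replace the 16-bit field at off and patch the n checksums at ck[] that cover it. */
static void patch16(uint8_t *pkt, size_t off, uint16_t v, const size_t *ck, int n) {
    uint16_t old = get16(pkt + off);
    for (int i = 0; i < n; i++) put16(pkt + ck[i], cksum_update(get16(pkt + ck[i]), old, v));
    put16(pkt + off, v);
}

/* Outbound source NAT on IPv4 (no options) + UDP: the source address is covered by the
   IP header checksum (offset 10) and, via the pseudo-header, by the UDP checksum
   (offset 26); the source port only by the UDP checksum. */
void nat_snat_udp(uint8_t *pkt, uint32_t newsrc, uint16_t newport) {
    int hasudp = get16(pkt + 26) != 0;         /* 0 means "no checksum sent" (RFC 768) */
    const size_t ck[] = {10, 26};
    patch16(pkt, 12, newsrc >> 16, ck, 1 + hasudp);
    patch16(pkt, 14, newsrc & 0xffff, ck, 1 + hasudp);
    patch16(pkt, 20, newport, ck + 1, hasudp);
}

/* Constructed sample: 10.0.0.2:40000 -> 192.0.2.10:53 carrying "ping", translated to
   203.0.113.1:61000. Returns 1 when both checksums still verify after the rewrite. */
int demo(void) {
    uint8_t p[32] = {0x45, 0, 0, 32, 0, 0, 0x40, 0, 64, 17, 0, 0, 10, 0, 0, 2, 192, 0, 2, 10,
                     0x9c, 0x40, 0, 53, 0, 12, 0, 0, 'p', 'i', 'n', 'g'};
    put16(p + 10, cksum(p, 20));
    put16(p + 26, udp_cksum(p, sizeof p));
    nat_snat_udp(p, 0xcb007101, 61000);
    return cksum(p, 20) == 0 && udp_cksum(p, sizeof p) == 0 && get16(p + 20) == 61000;
}
```

The same `patch16` calls serve the inbound direction by rewriting the destination fields (offsets 16 and 22) against a lookup in the translation table.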
