Date: Wed, 15 Apr 2009 08:32:14 -0400
Message-ID: <9ab217670904150532l6e9805dcvc339b03c7892aba9@mail.gmail.com>
From: "Devon H. O'Dell"
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] NAT implementation

2009/4/15 Patrick Kristiansen :
> Hello 9fans.
> I'm thinking of writing a NAT implementation for plan 9. I have searched the
> archives and I'm not quite sure how to get started.

Hi Patrick,

> As I see it there could be three ways of approaching this:
> 1. User space implementation using ipmux
> 2. User space using pkt interfaces in ipifc.
> 3. Kernel using something like sources/dho/nfil

I think #2 would be an easily testable and maybe more `correct' way to do
this in Plan 9. I think doing an implementation directly in the IP path is
easier, overall, but that's where my experience lies anyway.

nfil is horribly broken. I wrote it some years ago when I was first getting
into Plan 9, Plan 9's C, and kernel stuff. Also, I wasn't horribly
experienced with C at the time either; I think last time I looked at nfil,
there were at least several memory leaks.

> Do you have any advice on how to capture packets and how to send them out
> again after replacing src/dst addr and port?

It's not quite that simple. At the simplest, when the packet goes out, you
have to keep a tab of the destination host / port and source host / port.
When a packet comes in, you look up the source host / port in the hash table
(hashed by dest host / port). You rewrite the packet. You have to regenerate
the packet checksum after rewriting it. You send it back out. (If you're
doing the rewriting in userland, you may be able to avoid doing a
recalculation of the checksum, as the kernel may notice it's bad and
re-write it, thinking it's trash).

> Are there any ways of testing NAT in a virtual machine? Right now I'm using
> vmware and it would be nice to be able to test it without setting up a real
> machine with two Ethernet interfaces.

Sure, configure a couple VMs with hostonly networking and set up their IP
addresses accordingly.

> -Patrick Kristiansen

--dho
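The translate-rewrite-rechecksum loop described in the reply above, as an added example that is not part of this thread and is not Devon's nfil or any Plan 9 code: a small IPv4/UDP NAT table in portable C operating on a raw packet buffer. It goes slightly beyond the reply by allocating one external port per (inside endpoint, peer) mapping and keying the inbound lookup on that port, so two inside hosts talking to the same peer do not collide, and an inbound packet is only translated when it comes from the recorded peer (otherwise it is dropped). The external address 192.0.2.1, the port range starting at 40000, and the test packets are all constructed for the example. It also shows why the checksum step is not optional: the UDP checksum covers the addresses through its pseudo-header, so rewriting an address invalidates both the IP header checksum and the transport checksum.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed packet layout: IPv4 header (20 bytes, no options) + UDP header (8 bytes) + payload. */
enum { IPHLEN = 20, UDPHLEN = 8, NENT = 256, EXTBASE = 40000 };

/* One translation: the inside endpoint and the peer it talks to; the slot index gives the external port. */
struct natent { int used; uint32_t inaddr, peeraddr; uint16_t inport, peerport; };
static struct natent table[NENT];            /* slot i <-> external port EXTBASE + i */
static const uint32_t extaddr = 0xC0000201u; /* 192.0.2.1: assumed external address of the NAT box */

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* RFC 1071 ones-complement sum, continued from a partial sum, and its final fold. */
static uint32_t csumadd(uint32_t sum, const uint8_t *p, size_t n)
{
	for (; n > 1; n -= 2, p += 2) sum += get16(p);
	if (n) sum += (uint32_t)p[0] << 8;
	return sum;
}
static uint16_t csumfold(uint32_t sum)
{
	while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Sum the UDP pseudo-header (addresses, protocol, length) followed by the UDP header and payload. */
static uint32_t udpsum(const uint8_t *pkt, size_t len)
{
	uint8_t ph[12];
	memcpy(ph, pkt + 12, 8);                 /* src and dst addresses */
	ph[8] = 0; ph[9] = 17;                   /* zero byte, protocol UDP */
	put16(ph + 10, (uint16_t)(len - IPHLEN));
	return csumadd(csumadd(0, ph, 12), pkt + IPHLEN, len - IPHLEN);
}

/* Regenerate both checksums after a rewrite: the IP header sum covers the addresses, and the
 * UDP sum covers them too via the pseudo-header, so both go stale when an address changes. */
static void fixchecksums(uint8_t *pkt, size_t len)
{
	uint16_t c;
	put16(pkt + 10, 0);
	put16(pkt + 10, csumfold(csumadd(0, pkt, IPHLEN)));
	put16(pkt + IPHLEN + 6, 0);
	c = csumfold(udpsum(pkt, len));
	put16(pkt + IPHLEN + 6, c ? c : 0xffff);  /* 0 means "no checksum" in UDP */
}

static int sane(const uint8_t *pkt, size_t len)
{
	return len >= IPHLEN + UDPHLEN && (pkt[0] & 0xf) == 5 && pkt[9] == 17;
}

/* Outbound (inside -> peer): find or create the mapping, then rewrite the source address and
 * port to the external ones. Returns the external port, or -1 on a bad packet or full table. */
int natout(uint8_t *pkt, size_t len)
{
	uint32_t src, dst; uint16_t sport, dport; int i, slot = -1;
	if (!sane(pkt, len)) return -1;
	src = get32(pkt + 12); dst = get32(pkt + 16);
	sport = get16(pkt + IPHLEN); dport = get16(pkt + IPHLEN + 2);
	for (i = 0; i < NENT; i++) {
		struct natent *e = &table[i];
		if (!e->used) { if (slot < 0) slot = i; continue; }
		if (e->inaddr == src && e->inport == sport && e->peeraddr == dst && e->peerport == dport) break;
	}
	if (i == NENT) {
		if (slot < 0) return -1;
		i = slot;
		table[i] = (struct natent){ 1, src, dst, sport, dport };
	}
	put32(pkt + 12, extaddr);
	put16(pkt + IPHLEN, (uint16_t)(EXTBASE + i));
	fixchecksums(pkt, len);
	return EXTBASE + i;
}

/* Inbound (peer -> external port): look the mapping up by destination port, require that the sender
 * is the recorded peer, and rewrite the destination back to the inside host. Returns 0, or -1 when
 * there is no matching mapping (the caller drops the packet). */
int natin(uint8_t *pkt, size_t len)
{
	uint32_t src; uint16_t sport, dport; struct natent *e;
	if (!sane(pkt, len)) return -1;
	src = get32(pkt + 12); sport = get16(pkt + IPHLEN); dport = get16(pkt + IPHLEN + 2);
	if (dport < EXTBASE || dport >= EXTBASE + NENT) return -1;
	e = &table[dport - EXTBASE];
	if (!e->used || e->peeraddr != src || e->peerport != sport) return -1;
	put32(pkt + 16, e->inaddr);
	put16(pkt + IPHLEN + 2, e->inport);
	fixchecksums(pkt, len);
	return 0;
}

/* Build a constructed IPv4/UDP packet with valid checksums; returns its total length. */
size_t mkpkt(uint8_t *pkt, uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport, const char *payload)
{
	size_t plen = strlen(payload), len = IPHLEN + UDPHLEN + plen;
	memset(pkt, 0, len);
	pkt[0] = 0x45; put16(pkt + 2, (uint16_t)len); pkt[8] = 64; pkt[9] = 17;
	put32(pkt + 12, src); put32(pkt + 16, dst);
	put16(pkt + IPHLEN, sport); put16(pkt + IPHLEN + 2, dport); put16(pkt + IPHLEN + 4, (uint16_t)(UDPHLEN + plen));
	memcpy(pkt + IPHLEN + UDPHLEN, payload, plen);
	fixchecksums(pkt, len);
	return len;
}

/* A packet with correct checksums sums to 0xffff (folds to 0) over each covered region. */
int csumok(const uint8_t *pkt, size_t len)
{
	return csumfold(csumadd(0, pkt, IPHLEN)) == 0 && csumfold(udpsum(pkt, len)) == 0;
}
```

The inbound check against the recorded peer is what makes this a stateful translator rather than an open port forwarder: a packet arriving at a mapped port from any other source is rejected. A real implementation would also need entry timeouts, TCP (where the pseudo-header rule is the same but connection state matters), and ICMP error translation, none of which the reply discusses.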