Re: [9fans] ip masquerading

[Charles Forsyth <forsyth@terzarima.net>]

if a plan 9 machine has a network interface, other plan 9
machines can import that interface to use it as a gateway; to outsiders,
calls made from inside machine(s) appear to come from the gateway
(because they do, really).   just import /net (and see below re /net.alt).

the cost is extra traffic on the inside network for 9p requests,
exportfs processes on the gateway, and some added latency.
an advantage is that since the calls do originate
on the gateway, none of the usual mess for address and port mapping is
needed.  programs on the inside in a name space where /net
has been imported make connections by reading and writing
the files in /net, but that's controlled by the gateway, so address
and port assignment are consistent across all clients and for all protocols,
without fuss.

furthermore, if the gateway has two interfaces, one can be connected to one
IP stack on the inside (say #I0), and another to a distinct IP stack
on the outside (say #I1), where the two stacks are completely separate,
and the outside stack can have different listeners (offer different services)
compared to the inside stack.  that gives you the effect of a firewall.
one difference from the usual firewall is that because there is
no path between the two stacks except by intervention of a
program or manipulation of the name space, it's easier to
ensure that nothing will leak.  in other words, it isn't relying
on filtering rules within a single stack in the kernel, but on
having complete isolation between the two networks,
as far as the kernel and IP stacks are concerned.

because of a hack in dial(), if insiders bind the outside stack to
/net.alt, dial will try that if a call through /net can't be made (eg,
because it hasn't got the names or addresses needed).

to do nat/natp, some programming is required.  (others have done this
but the code isn't available.)  one approach is to have two
stacks as above, and have a single application bind a netdev (see ip(3))
onto each, one with an inside address and the other with the external
address known to outsiders.  it can then copy packets between them with
any filtering or transformation as required (ipmux might be helpful).
it again adds a bit of latency, but no network traffic (and it will work
for non plan 9 clients).  the ftp/dns/http protocol-specific
code is in user mode.

it is possible to mix these approaches.