ref: 40554c2f569dbfca2823883f856ed2a68404e09b
parent: a29ae89d4d90aad544a8e21fb35b286c16bc944d
author: 9ferno <gophone2015@gmail.com>
date: Thu Aug 26 10:24:27 EDT 2021
nat notes
--- /dev/null
+++ b/nat.readme
@@ -1,0 +1,215 @@
+This is a NAT implementation for Plan 9 from Bell Labs.
+
+* Introduction
+
+This is a NAPT (Network Address Port Translation) implementation,
+also known under the name "IP masquerade".
+
+This is an early work, don't expect too much from it. Improvements
+will come in the next future.
+
+* Installation
+
+First, apply the patches with the "apply" script:
+
+/n/sources/contrib/djc/nat/apply
+
+Then, add "nat" to you kernel configuration file, under
+section dev/ip.
+
+Finally, compile and install your kernel.
+
+* Documentation
+
+First, enable routing:
+
+echo iprouting > /net/ipifc/clone
+
+Then, enable NAT:
+
+echo nat add <src> <mask> <dst> > /net/ipifc/<ifc>/ctl
+
+Where:
+ - <src> is the address of the source network or machine
+ allowed to pass through the NAT
+ - <mask> is the corresponding mask
+ - <dst> is the address to be translated to, which must
+ exist on the specified interface
+ - <ifc> is your network physical interface number.
+
+You can add or remove any NAT rule you want.
+
+* Performance
+
+The current implementation can handle up to 800 TCP connections
+per second on a Soekris net5501-70, but the performance quickly
+decrease as the table grows.
+
+* Future
+
+We plan to implement the following features in the next future:
+
+ - improve performance
+ - improve garbage collector
+ - handling of TCP and IL connection states
+ - IPv6 support
+ - port forwarding (you can currently use trampoline(8) instead)
+ - FTP proxy
+ - statistics
+
+* History
+
+The work began in June 2010 and quickly evolved to the current state.
+Erik Quanstrom offered his help in March 2011 with code review
+and suggestions. We thank him much.
+
+* Contact
+
+David du Colombier <0intro@gmail.com>
+With the help of Jean-Baptiste Campesato <camjelemon@gmail.com>
+
+> But, I could not get the routing to work. Just want to check if you do
+> not mind sharing the ip configuration that made the patch work.
+>
+> Thanks so much for the patch,
+
+Personally, on my NAT gateway, I was running:
+
+bind -a '#'l1 /net
+ip/ipconfig ether /net/ether1 <dst> 255.255.255.0
+echo iprouting > /net/ipifc/clone
+
+Where #l1 (which provides /net/ether1) is the internal LAN
+interface and <dst> is the public WAN address (on /net/ether0).
+
+Then, you have to enable iprouting, so the packets can pass
+through the NAT.
+
+==================
+my notes from here
+
+different ip stacks - working, can see the traffic going out from /net/ether0
+-------------------
+#I0 /net
+ 0/ bind ether /net/ether0, dhcp
+ adds 192.168.88.2 /96 192.168.88.1 # from dhcp
+ default route all traffic to gateway added by dhcp
+ 0.0.0.0 /96 192.168.88.1
+ 1/ bind pkt
+ add 192.168.1.1 /120 192.168.1.2 - local address of the bind packet
+ 192.168.89.0 /120 192.168.1.2
+ traffic to 192.168.89.0/120 network to the /net.alt ether ipifc
+ iprouting 1
+#I1 /net.alt
+ 0/ bind ether /net.alt/ether1, manual address
+ add 192.168.89.1 /120
+ #192.168.89.0 /120 192.168.89.1 - not needed? default remote adds this?
+ # traffic to 192.168.89.0 network through 192.168.89.1
+ 1/ bind netdev /net/ipifc/1/data
+ add 192.168.1.2 /120 192.168.1.1
+ 0.0.0.0/96 192.168.1.1
+ default route for all traffic to /net ether ipifc
+ traffic to 192.168.88.2 goes through this interface
+ iprouting 1
+
+nat traffic going out of 192.168.88.2 with a source of 192.168.89.0/120
+echo nat add 192.168.89.0 /120 192.168.88.2 > /net/ipifc/0/ctl
+
+crude test
+ip/ping -n 1 192.168.88.1
+ip/ping -n 1 192.168.89.1
+ip/ping -n 1 1.1.1.1
+
+script to do the above
+
+ <>/net/ipifc/clone {
+ x=`{read}
+ {
+ echo bind ether /net/ether0
+ echo iprouting 1
+ }> /net/ipifc/^$x^/ctl
+ ip/dhcp -p -g 192.168.88.1 -h $sysname -x /net /net/ipifc/$x 192.168.88.2
+ }
+ cat /net/iproute
+
+ bind -a '#I1' /net.alt
+ bind -a '#l1' /net.alt
+ <>/net.alt/ipifc/clone {
+ y=`{read};
+ echo $y;
+ {
+ echo bind ether /net.alt/ether1 ;
+ echo iprouting 1;
+ echo add 192.168.89.1 /120
+ }> /net.alt/ipifc/$y/ctl
+ }
+ cat /net.alt/iproute
+
+ # need to bind the netdev while holding the bind pkt clone open
+ # else, the ipifc will be unbound as none of it's files are being read
+ <>/net/ipifc/clone {
+ x=`{read};
+ echo $x;
+ {
+ echo bind pkt;
+ echo iprouting 1;
+ echo add 192.168.1.1 /120 192.168.1.2
+ }> /net/ipifc/$x/ctl
+ <>/net.alt/ipifc/clone {
+ y=`{read};
+ echo $y;
+ {
+ echo bind netdev /net/ipifc/$x/data ;
+ echo iprouting 1;
+ echo add 192.168.1.2 /120 192.168.1.1
+ }> /net.alt/ipifc/$y/ctl
+ echo add 192.168.89.0 /120 192.168.1.2 > /net/iproute
+ echo add 0.0.0.0 /96 192.168.1.1 > /net.alt/iproute
+ }
+ }
+ echo nat add 192.168.89.0 /120 192.168.88.2 > /net/ipifc/0/ctl
+ echo route after bind packet
+ cat /net/iproute
+ echo route after bind packet
+ cat /net.alt/iproute
+
+-------------------
+TODO below does not work yet:
+
+same ip stack
+-------------
+/net/ipifc/0/ ip=192.168.88.2/96 gateway=192.168.88.1
+ bind ether /net/ether0
+/net/ipifc/1/ ip=192.168.88.2/96 gateway=192.168.88.1
+ bind ether /net/ether1
+
+x=`{cat /net/ipifc/clone}
+echo bind ether /net/ether1 >/net/ipifc/$x/cl
+echo iprouting 1 > /net/ipifc/$x/ctl
+echo add 192.168.88.2 255.255.255.0 >/net/ipifc/$x/ctl
+echo nat add 192.168.89.2 255.255.255.0 192.168.88.2 > /net/ipifc/$x/ctl
+
+connect a physical machine to /net/ether1
+ set static ip to 192.168.89.2 and gateway to 192.168.88.2
+ ping from this machine
+
+cannot ping 192.168.89.2 or 192.168.88.2 from the client machine
+
+another approach
+echo remove 192.168.89.1 255.255.255.0 >/net.alt/ipifc/0/ctl
+echo unbind >/net.alt/ipifc/0/ctl
+unmount '#l1' /net.alt
+unmount '#I1' /net.alt
+
+x=`{cat /net/ipifc/clone}
+echo bind ether /net/ether1 >/net/ipifc/$x/cl
+echo iprouting 1 > /net/ipifc/$x/ctl
+echo add 0.0.0.0 255.255.255.0 192.168.88.2 >/net/ipifc/$x/ctl
+echo nat add 192.168.89.0 255.255.255.0 192.168.88.2 > /net/ipifc/$x/ctl
+
+connect a physical machine to /net/ether1
+ set static ip to 192.168.89.2 and gateway to 192.168.88.2
+ ping from this machine
+
+cannot ping 192.168.89.2 or 192.168.88.2 from the client machine
+