At 03:54 AM 10/21/2006, Vladimir Grebenschikov wrote:

> 1. use PF for nat - it does aliasing in kernel space

True, but it doesn't let me translate the packets and then continue processing within the firewall -- which is necessary if you want to catch unregistered destination addresses BEFORE translation and then unregistered source addresses AFTER translation.

> 2. use in-kernel libalias implementation
> (I guess man-page for ng_nat(4) will help)

Same problem. I don't know how I could send packets through a Netgraph node in the middle of processing by IPFW and then bring them back at the next rule.

I suppose that one solution might be, for lack of a better term, a "kernel divert socket," which would pass packets through a kernel module rather than a user process. (This could actually be used to speed up many things for which the current "userland" divert sockets are now used.) It would then be possible to make a "nat.ko" module, and either provide a utility to control it or roll that functionality into ipfw(8).

--Brett
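To illustrate the ordering argument in the message above, here is an added toy model (written for this page, not FreeBSD or ipfw code) of a ruleset in which the NAT step rewrites the packet and processing continues at the next rule. The addresses, rule numbers, and the simplified "translate only LAN sources" NAT behaviour are assumptions.

```python
import ipaddress

# Constructed addresses for the illustration: the LAN behind the gateway,
# the gateway's public address, and the RFC 1918 ranges treated as
# "unregistered" (the addresses a border firewall should never see raw).
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "203.0.113.5"
UNREGISTERED = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def unregistered(addr):
    return any(ipaddress.ip_address(addr) in net for net in UNREGISTERED)

def nat_out(pkt):
    """Outbound translation as a hypothetical in-kernel NAT step would do it:
    rewrite the source of packets from the LAN and leave anything else alone."""
    if ipaddress.ip_address(pkt["src"]) in LAN:
        return dict(pkt, src=PUBLIC_IP)
    return pkt

# Rules are (number, action, test) evaluated in order.  A "nat" rule rewrites
# the packet and evaluation continues at the next rule, which is exactly the
# behaviour the message says PF and ng_nat do not offer inside IPFW.
RULES = [
    (100, "deny", lambda p: unregistered(p["dst"])),   # checked BEFORE translation
    (200, "nat", lambda p: True),
    (300, "deny", lambda p: unregistered(p["src"])),   # checked AFTER translation
    (65535, "allow", lambda p: True),
]

# The same source check placed before the NAT step: it rejects every legitimate
# LAN client, because their sources are not yet translated when it runs.
WRONG_ORDER = [
    (100, "deny", lambda p: unregistered(p["src"])),
    (200, "nat", lambda p: True),
    (65535, "allow", lambda p: True),
]

def run(rules, pkt):
    """Return (verdict, matching rule number, packet as it left the ruleset)."""
    for num, action, test in rules:
        if not test(pkt):
            continue
        if action == "nat":
            pkt = nat_out(pkt)   # translate, then keep going at the next rule
            continue
        return action, num, pkt
    return "deny", None, pkt     # default deny if nothing matched

if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "198.51.100.1"),   # normal LAN client
                     ("192.168.1.10", "10.0.0.1"),        # private destination
                     ("10.9.9.9", "198.51.100.1")]:       # source NAT never translated
        print(src, "->", dst, run(RULES, {"src": src, "dst": dst}))
```

The third sample packet is the case the message cares about: a private source that the translator did not rewrite passes rule 100 untouched and is only caught by rule 300, after the NAT step.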