117a35ce7SGleb Smirnoff.\" Copyright (c) 2005 Gleb Smirnoff <glebius@FreeBSD.org> 217a35ce7SGleb Smirnoff.\" All rights reserved. 317a35ce7SGleb Smirnoff.\" 417a35ce7SGleb Smirnoff.\" Redistribution and use in source and binary forms, with or without 517a35ce7SGleb Smirnoff.\" modification, are permitted provided that the following conditions 617a35ce7SGleb Smirnoff.\" are met: 717a35ce7SGleb Smirnoff.\" 1. Redistributions of source code must retain the above copyright 817a35ce7SGleb Smirnoff.\" notice, this list of conditions and the following disclaimer. 917a35ce7SGleb Smirnoff.\" 2. Redistributions in binary form must reproduce the above copyright 1017a35ce7SGleb Smirnoff.\" notice, this list of conditions and the following disclaimer in the 1117a35ce7SGleb Smirnoff.\" documentation and/or other materials provided with the distribution. 1217a35ce7SGleb Smirnoff.\" 1317a35ce7SGleb Smirnoff.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 1417a35ce7SGleb Smirnoff.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 1517a35ce7SGleb Smirnoff.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 1617a35ce7SGleb Smirnoff.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 1717a35ce7SGleb Smirnoff.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 1817a35ce7SGleb Smirnoff.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 1917a35ce7SGleb Smirnoff.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2017a35ce7SGleb Smirnoff.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 2117a35ce7SGleb Smirnoff.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 2217a35ce7SGleb Smirnoff.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 2317a35ce7SGleb Smirnoff.\" SUCH DAMAGE. 
2417a35ce7SGleb Smirnoff.\" 2517a35ce7SGleb Smirnoff.\" $FreeBSD$ 2617a35ce7SGleb Smirnoff.\" 2717a35ce7SGleb Smirnoff.Dd May 6, 2005 2817a35ce7SGleb Smirnoff.Dt NG_NAT 4 2917a35ce7SGleb Smirnoff.Os 3017a35ce7SGleb Smirnoff.Sh NAME 3117a35ce7SGleb Smirnoff.Nm ng_nat 32a4be0b3cSRuslan Ermilov.Nd "NAT netgraph node type" 3317a35ce7SGleb Smirnoff.Sh SYNOPSIS 3417a35ce7SGleb Smirnoff.In netgraph/ng_nat.h 3517a35ce7SGleb Smirnoff.Sh DESCRIPTION 3617a35ce7SGleb SmirnoffAn 3717a35ce7SGleb Smirnoff.Nm 3817a35ce7SGleb Smirnoffnode performs network address translation (NAT) of packets 3917a35ce7SGleb Smirnoffpassing through it. 40a4be0b3cSRuslan ErmilovA 41a4be0b3cSRuslan Ermilov.Nm nat 4217a35ce7SGleb Smirnoffnode uses the 4317a35ce7SGleb Smirnoff.Xr libalias 3 4417a35ce7SGleb Smirnoffengine for packet aliasing. 45a4be0b3cSRuslan ErmilovAt this moment it supports only the basic functionality of the library. 4617a35ce7SGleb Smirnoff.Sh HOOKS 4717a35ce7SGleb SmirnoffThis node type has two hooks: 48a4be0b3cSRuslan Ermilov.Bl -tag -width indent 49a4be0b3cSRuslan Ermilov.It Va out 50a4be0b3cSRuslan ErmilovPackets received on this hook are considered outgoing and will be 51a4be0b3cSRuslan Ermilovmasqueraded to a configured address. 52a4be0b3cSRuslan Ermilov.It Va in 53a4be0b3cSRuslan ErmilovPackets received on this hook are considered incoming and will be 5417a35ce7SGleb Smirnoffdealiased. 5517a35ce7SGleb Smirnoff.El 5617a35ce7SGleb Smirnoff.Sh CONTROL MESSAGES 5717a35ce7SGleb SmirnoffThis node type supports the generic control messages, plus the following: 58a4be0b3cSRuslan Ermilov.Bl -tag -width indent 5917a35ce7SGleb Smirnoff.It Dv NGM_NAT_SET_IPADDR Pq Li setaliasaddr 60a4be0b3cSRuslan ErmilovConfigure the aliasing address for a node. 61a4be0b3cSRuslan ErmilovAfter both hooks have been connected and the aliasing address has been configured, 62a4be0b3cSRuslan Ermilovthe node is ready for aliasing operation. 
63e842c540SAlexander Motin.It Dv NGM_NAT_SET_MODE Pq Li setmode 64e842c540SAlexander MotinSet the node's operation mode using the supplied 65e842c540SAlexander Motin.Vt "struct ng_nat_mode". 66e842c540SAlexander Motin.Bd -literal 67e842c540SAlexander Motinstruct ng_nat_mode { 68e842c540SAlexander Motin uint32_t flags; 69e842c540SAlexander Motin uint32_t mask; /* which flag bits to change */ 70e842c540SAlexander Motin}; 71e842c540SAlexander Motin/* Supported flags; each corresponds to the PKT_ALIAS_* mode of the same name in libalias(3): */ 72e842c540SAlexander Motin#define NG_NAT_LOG 0x01 73e842c540SAlexander Motin#define NG_NAT_DENY_INCOMING 0x02 74e842c540SAlexander Motin#define NG_NAT_SAME_PORTS 0x04 75e842c540SAlexander Motin#define NG_NAT_UNREGISTERED_ONLY 0x10 76e842c540SAlexander Motin#define NG_NAT_RESET_ON_ADDR_CHANGE 0x20 77e842c540SAlexander Motin#define NG_NAT_PROXY_ONLY 0x40 78e842c540SAlexander Motin#define NG_NAT_REVERSE 0x80 79e842c540SAlexander Motin.Ed 80e842c540SAlexander Motin.It Dv NGM_NAT_SET_TARGET Pq Li settarget 81e842c540SAlexander MotinConfigure the target address for a node. 82e842c540SAlexander MotinWhen an incoming packet not associated with any pre-existing aliasing 83e842c540SAlexander Motinlink arrives at the host machine, it will be sent to the specified address. Such packets were not solicited by any host behind the node, so the target address should be protected by firewall rules. 8417a35ce7SGleb Smirnoff.El 8517a35ce7SGleb Smirnoff.Sh SHUTDOWN 8617a35ce7SGleb SmirnoffThis node shuts down upon receipt of a 8717a35ce7SGleb Smirnoff.Dv NGM_SHUTDOWN 8817a35ce7SGleb Smirnoffcontrol message, or when both hooks are disconnected. 8917a35ce7SGleb Smirnoff.Sh EXAMPLES 90a4be0b3cSRuslan ErmilovIn the following example, the packets are injected into a 91a4be0b3cSRuslan Ermilov.Nm nat 92a4be0b3cSRuslan Ermilovnode using the 9317a35ce7SGleb Smirnoff.Xr ng_ipfw 4 9417a35ce7SGleb Smirnoffnode. 
9517a35ce7SGleb Smirnoff.Bd -literal -offset indent 9617a35ce7SGleb Smirnoff# Create NAT node 9717a35ce7SGleb Smirnoffngctl mkpeer ipfw: nat 60 out 9817a35ce7SGleb Smirnoffngctl name ipfw:60 nat 9917a35ce7SGleb Smirnoffngctl connect ipfw: nat: 61 in 10017a35ce7SGleb Smirnoffngctl msg nat: setaliasaddr x.y.35.8 10117a35ce7SGleb Smirnoff 10217a35ce7SGleb Smirnoff# Divert traffic into NAT node 10317a35ce7SGleb Smirnoffipfw add 300 netgraph 61 all from any to any in via fxp0 10417a35ce7SGleb Smirnoffipfw add 400 netgraph 60 all from any to any out via fxp0 10517a35ce7SGleb Smirnoff 10617a35ce7SGleb Smirnoff# Let packets continue through the ipfw rules after being (de)aliased 10717a35ce7SGleb Smirnoffsysctl net.inet.ip.fw.one_pass=0 10817a35ce7SGleb Smirnoff.Ed 10917a35ce7SGleb Smirnoff.Pp 110a4be0b3cSRuslan ErmilovThe 11117a35ce7SGleb Smirnoff.Nm 112a4be0b3cSRuslan Ermilovnode can be inserted right after the 113a4be0b3cSRuslan Ermilov.Xr ng_iface 4 114a4be0b3cSRuslan Ermilovnode in the graph. 115a4be0b3cSRuslan ErmilovIn the following example, we perform masquerading on a 11617a35ce7SGleb Smirnoffserial line with HDLC encapsulation. 
11717a35ce7SGleb Smirnoff.Bd -literal -offset indent 11817a35ce7SGleb Smirnoff/usr/sbin/ngctl -f- <<-SEQ 11917a35ce7SGleb Smirnoff mkpeer cp0: cisco rawdata downstream 12017a35ce7SGleb Smirnoff name cp0:rawdata hdlc 12117a35ce7SGleb Smirnoff mkpeer hdlc: nat inet in 12217a35ce7SGleb Smirnoff name hdlc:inet nat 12317a35ce7SGleb Smirnoff mkpeer nat: iface out inet 12417a35ce7SGleb Smirnoff msg nat: setaliasaddr x.y.8.35 12517a35ce7SGleb SmirnoffSEQ 12617a35ce7SGleb Smirnoffifconfig ng0 x.y.8.35 x.y.8.1 12717a35ce7SGleb Smirnoff.Ed 12817a35ce7SGleb Smirnoff.Sh SEE ALSO 12917a35ce7SGleb Smirnoff.Xr libalias 3 , 13017a35ce7SGleb Smirnoff.Xr ng_ipfw 4 , 131a4be0b3cSRuslan Ermilov.Xr natd 8 , 13217a35ce7SGleb Smirnoff.Xr ngctl 8 13317a35ce7SGleb Smirnoff.Sh HISTORY 13417a35ce7SGleb SmirnoffThe 13517a35ce7SGleb Smirnoff.Nm 13617a35ce7SGleb Smirnoffnode type was implemented in 13717a35ce7SGleb Smirnoff.Fx 6.0 . 13817a35ce7SGleb Smirnoff.Sh AUTHORS 13917a35ce7SGleb Smirnoff.An Gleb Smirnoff Aq glebius@FreeBSD.org 140