|
See the header of this Forum, I made some changes reflecting the arrival of the latest version.
Unfortunately I could not test it. I could load and delete NAT rules, but I couldn't do any real address translation. I didn't change much in the code, though, so I don't expect many (or any) problems, but you never know.
What has changed:
- Now fully integrated in the kernel. So far: module was extra; now: 'make zImage modules modules_install' is all (after applying the patch to the kernel, of course)
- installation choice: module or statically compiled into the kernel
- module is kerneld-aware (no more manual insmod/rmmod)
- removed virtual server support, since it was a quick hack. I wanted to have a clean and readable code again.
- Moved ALWAYS_DEFRAGMENT kernel code in front of the NAT call in ip_input.c
I don't know if there are unwanted side effects, maybe security relevant ones: The code that drops some packets (e.g. too short comes later now. It is very hard to decide which shall come first (accounting, defragmentation, NAT, security code for dropping wrong packets), because logically I'd like to have NAT first, but the dropping-packets code should possibly come first, but _after_ accounting (accounting shall include all packets), accounting should see NATed addresses, for NAT the defragmentation code is necessary when ports shall be translated, and here we go again - we have a circle that's impossible to break easily. I'm waiting for suggestions.
- Note: it's the same ipnatadm, so the manpage includes the virtual server stuff. I didn't see any reason to remove it, but it won't work with this NAT code, of course.
Future plans: stability and reliability come first; Re-use the masquerading modules for application specific packet rewriting (e.g. ftp) somehow; integrate virtual server support _cleanly_; same with virtual routes; short: everything described in the paper.
BTW, a corrected version of the NAT paper (I included Dan Lasley's grammar suggestions, no new contents) will replace the original versions soon (must be done by someone who has login-access to this webserver).
|
New version (static NAT only)
