How do I view active mappings in libalias (ipfw_nat)

I am using ipfw_nat and have some mappings. How do I see all the active mappings? I can see the config like this:
Code:
# ipfw nat show config
ipfw nat 1 config ip 8.8.8.210 log deny_in same_ports unreg_only reset
ipfw nat 211 config redirect_addr 10.50.1.211 8.8.8.211
ipfw nat 212 config redirect_addr 10.50.1.212 8.8.8.212
ipfw nat 213 config redirect_addr 10.50.1.213 8.8.8.213
but I want to see all the sessions -- especially for nat 1 which translates all the non-one-to-one mappings.
 
Also, I am new to ipfw_nat -- how do I tune? With ipnat, I am used to tuning the maximum number of nat sessions with ipf_nattable_max=100000.
 
From the ipfw(8) man page (untested) (the first is specific to one NAT instance, the second shows info for a range of NAT instances):
# ipfw nat <instance number> show
# ipfw nat 1-214 show
 
Sorry phoenix, but that command only shows the summary info:
# nat 1: icmp=0, udp=213, tcp=1090, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=1303

Anyone out there actually using ipfw_nat on a production system with > 100 users on the internal interface?
 
Hacking the ipfw code is not my strong suit

I skimmed over the ipfw and libalias source code. I didn't see a 'dump all the current mappings' function; however, it doesn't look impossible to modify... need something like this in /usr/src/sys/netinet/libalias/alias_db.c:

Code:
static void
ShowAliasData(struct libalias *la)
{
        struct alias_link *lnk;
        char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN], alias[INET_ADDRSTRLEN];
        int i, ttl;

        LIBALIAS_LOCK_ASSERT(la);
        /* Like ShowAliasStats(): nothing to write to when logging is off. */
        if (la->logDesc == NULL)
                return;
        for (i = 0; i < LINK_TABLE_OUT_SIZE; i++) {
                LIST_FOREACH(lnk, &la->linkTableOut[i], list_out) {
                        /* Seconds left before the idle timer expires this link. */
                        ttl = lnk->expire_time - (la->timeStamp - lnk->timestamp);
                        /*
                         * inet_ntoa() hands back one static buffer, so copy
                         * each address out before building the log line.
                         */
                        strlcpy(src, inet_ntoa(lnk->src_addr), sizeof(src));
                        strlcpy(dst, inet_ntoa(lnk->dst_addr), sizeof(dst));
                        strlcpy(alias, inet_ntoa(lnk->alias_addr), sizeof(alias));
                        /* Ports are kept in network byte order; link_type is a LINK_* value. */
                        AliasLog(la->logDesc,
                            "src=%s:%u, dst=%s:%u, alias=%s:%u, proto=%d, ttl=%d",
                            src, ntohs(lnk->src_port),
                            dst, ntohs(lnk->dst_port),
                            alias, ntohs(lnk->alias_port),
                            lnk->link_type, ttl);
                }
        }
}


Now, I just need to find out how to make it an option in the binary,
/usr/src/sbin/ipfw/nat.c

Code:
--- nat.c.orig  2012-04-23 20:12:50.000000000 -0700
+++ nat.c       2012-04-23 20:25:08.000000000 -0700
@@ -916,7 +916,7 @@
 {
        struct cfg_nat *n;
        struct cfg_redir *e;
-       int cmd, i, nbytes, do_cfg, do_rule, frule, lrule, nalloc, size;
+       int cmd, i, nbytes, do_cfg, do_table, do_rule, frule, lrule, nalloc, size;
        int nat_cnt, redir_cnt, r;
        uint8_t *data, *p;
        char *endptr;
@@ -939,6 +939,11 @@
                        cmd = IP_FW_NAT_GET_CONFIG, do_cfg = 1;
                        continue;
                }
+               do_table = 0;
+               if (!strncmp(av[0], "table", strlen(av[0]))) {
+                       cmd = IP_FW_NAT_GET_TABLE, do_table = 1;
+                       continue;
+               }
                /* Convert command line rule #. */
                frule = lrule = strtoul(av[0], &endptr, 10);
                if (*endptr == '-')
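Review bot: `do_table = 0;` at the top of the loop body runs on every iteration, so any argument that follows `table` (a rule number, for instance) clears the flag again before it is ever used, and when no arguments are given at all `do_table` is never assigned and the later `else if (do_table)` reads an uninitialized int. Initialize it once before the parse loop, next to the existing `do_cfg` initialization (e.g. `do_cfg = do_table = 0`), and drop the assignment from the loop body. Also, `IP_FW_NAT_GET_TABLE` is not defined anywhere in this patch; it needs a matching sockopt constant in netinet/ip_fw.h and a handler on the kernel side before the `getsockopt()` for it can return anything.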
@@ -972,6 +977,9 @@
                                    sizeof(struct cfg_spool);
                        }
                }
+       else if (do_table) {
+               // need to code dumping of current nat tables...
+                err(EX_USAGE, "not yet implimented");
        } else {
                for (i = 0; 1; i += LIBALIAS_BUF_SIZE + sizeof(int)) {
                        p = &data[i];
 
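Review bot: the inserted `else if (do_table) {` sits between the closing brace of the inner `for` loop and the `} else {` that ends the `if (do_cfg)` block, so the `else` has no `}` terminating the `if (do_cfg)` body in front of it and the file will not compile. Write the new lines as `} else if (do_table) {` followed by the `err()` call, so that the existing `} else {` then closes the new branch instead. Two smaller points: the `//` comment should be a `/* */` comment per style(9), and "implimented" is misspelled in a user-visible error string; `EX_USAGE` also describes a command-line mistake rather than a missing feature, so `EX_UNAVAILABLE` would be the better exit code for a placeholder.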