Hi,
I'm looking at a solution to redirect traffic using IPFW and Kernel NAT (libalias) so I can reproduce the behavior of the following iptables rule:
Code:
iptables -t nat -A PREROUTING ! -d 127.0.0.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
I was thinking (from my reading of "man ipfw(8)") that I could use the following:
Code:
ipfw nat 1 config log reset redirect_addr 127.0.0.1 0.0.0.0
ipfw add 1 nat 1 log udp from any to not 127.0.0.1 dst-port 53 in via em0
ipfw add 2 nat 1 log udp from 127.0.0.1 53 to not 127.0.0.1 out via em0
ipfw add 3 allow ip from any to any
This, unfortunately, doesn't work, while the following works perfectly well for a specific IP address:
Code:
ipfw nat 1 config log reset redirect_addr 127.0.0.1 8.8.8.8
ipfw add 1 nat 1 log udp from any to not 127.0.0.1 dst-port 53 in via em0
ipfw add 2 nat 1 log udp from 127.0.0.1 53 to not 127.0.0.1 out via em0
ipfw add 3 allow ip from any to any
From the code (https://svnweb.freebsd.org/base/head/sys/netpfil/ipfw/ip_fw_nat.c?view=markup) I can see this comment:
Code:
/*
 * XXX - what if this rule doesn't nat any ip and just
 * redirect?
 * do we set aliasaddress to 0.0.0.0?
 */
I understand that this might not be implemented yet. That would explain the strange behavior I face with packets being dropped during the NAT process. Could anyone confirm?
If so, what would be the best option? I'm thinking about reverting to natd, but I'm afraid performance will suffer from this.
Thanks in advance for your help.
Regards
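One way to check from a client behind the box whether the redirect is actually in effect, as an added example that is not part of the original post or of ipfw/libalias: send a DNS query to the same non-local resolver address used in the post (8.8.8.8) and see what comes back. Because the second rule un-translates the reply on the way out, the reply's source address will look like the original target either way, so the probe instead asks for a name that only the local resolver on 127.0.0.1 can answer (the name `local.test` is an assumption; substitute a zone your resolver serves). A timeout corresponds to the dropped-packets symptom described above, an NXDOMAIN means the query reached the real upstream, and an answer means the redirect worked. `SAMPLE_RESPONSE` is a constructed DNS reply used only to exercise the parser offline.

```python
import random
import socket
import struct

A_RECORD = 1
CLASS_IN = 1


def build_query(name, qtype=A_RECORD, txid=None):
    """Build a minimal DNS query: one question, class IN, recursion desired."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return (txid, rcode, [A-record addresses]) from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):               # skip the echoed question(s)
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, flags & 0x0F, addrs


def probe_redirect(target="8.8.8.8", name="local.test", timeout=2.0):
    """Query `target` for `name`; returns 'dropped', 'not redirected' or 'redirected'.

    Only meaningful when run on a host whose port-53 traffic passes the ipfw box.
    """
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (target, 53))
        try:
            data, _src = sock.recvfrom(4096)
        except socket.timeout:
            return "dropped"              # the symptom from the post: nothing comes back
    rtxid, rcode, addrs = parse_a_records(data)
    if rtxid != txid:
        raise ValueError("transaction id mismatch")
    if rcode == 3:                          # NXDOMAIN: the real upstream answered
        return "not redirected"
    return "redirected" if addrs else "not redirected"


# Constructed reply (not captured traffic): txid 0x1234, NOERROR, one A record.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", A_RECORD, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, 60, 4)
    + socket.inet_aton("192.0.2.1")
)

if __name__ == "__main__":
    print(probe_redirect())
```

Run it from a LAN client while the ipfw rules are loaded; compare with `ipfw -a list` counters on the box to see whether rule 1 matched the query and rule 2 matched the reply.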