Stateless NAT
Matin Tamizi
mtamizi at gmail.com
Thu Jun 9 15:43:18 CEST 2005
Why can't we create a new target module to support stateless NAT for
NetFilter like the following link suggests?
https://lists.netfilter.org/pipermail/netfilter/2005-February/058950.html

I tried writing a target module, but I'm a bit baffled by how the
target modules work. The existing target modules don't seem to have
any source to modify the packets. If this is possible then the
NETMAP module should already do the job. Assuming the NETMAP target
module does what its description states.

We should also be able to write a stateless NAT program using libipq.
Even FreeBSD uses a user space program for NAT by using the divert
socket API. However, I don't know how to define any order in the programs
grabbing packets from the QUEUE. In FreeBSD, instead of queueing, the
packet is rerouted to an internal "divert" port which can be bound to
using the standard socket API, but divert sockets are more expensive
than the NetFilter QUEUE solution.

I've found another solution to my problem without having to use NAT,
but it would have been nice if I could have used NAT since my solution
is rather contrived.

-Matin

On 6/8/05, codewarrior at cuseeme.de <codewarrior at cuseeme.de> wrote:
>
> On Jun 8, 2005, at 8:56 AM, Guenter.Sprakties at team4.de wrote:
> >> You don't use netfilter. You use iproute2.
> >>
> >> http://linux-ip.net/html/nat-stateless.html
> > First you're right, iproute2 is the best tool managing simple 1:1 NAT.
> > Second, it doesn't work because some guys decided to remove the
> > necessary
> > code out of the kernel.
> > So you HAVE to use netfilter, and I tell you:
> > First again, it didn't work. Second, no one of the guys out there
> > helps
> > you. I tried to get help, but nothing happened.
> > I think, natting is against their religion or something like this.
> > Take an old kernel and use iproute2, the most genial tool in all
> > the net
> > stuff.
>
>
> hello guenter,
>
> thank you for your answer, so I heard that it is
> not possible to run iproute2 under osx, right?
>
> I got a script from my ISP
> http://www.xaranet.de/dl/xaranet-tunnel.sh
>
> but you need iproute2, so there is no way?
>
>
> regards
>
> marc
>
>
> ********************************************************
> opencuseeme / peer2peer multiparty conferencing
> ********************************************************
> Marc Manthey
> D - 50672 Cologne
> West Europe
> office: 0049.221.355.80.32
> mobile: 0049.177.341.54.81
> www.let.de
> www.applehelpers.com
> aim://macfreak2004
> macfreak at jabber.org
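
An added example, not part of the original thread and not code from netfilter, NETMAP or libipq: the packet rewrite that a stateless 1:1 NAT has to perform wherever it runs (a target module or a user-space queue handler), including the checksum updates and the fragment and UDP edge cases. The function names, the 10.1.0.0/16 to 172.16.0.0/16 mapping and the sample packet are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* RFC 1624 incremental update of the 16-bit checksum at c when a 32-bit
 * field covered by it changes: HC' = ~(~HC + ~m + m'). */
static void csum_fix(uint8_t *c, uint32_t old, uint32_t new_) {
    uint32_t s = (uint16_t)~(c[0] << 8 | c[1]);
    s += (uint16_t)~(old >> 16) + (uint16_t)~old;
    s += (new_ >> 16) + (new_ & 0xffff);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    s = ~s & 0xffff;
    c[0] = (uint8_t)(s >> 8); c[1] = (uint8_t)s;
}

/* Hypothetical helper: map dst from from_net/mask to to_net/mask, keeping the
 * host bits (1:1, no state). Returns 1 rewritten, 0 no match, -1 malformed. */
int stateless_dnat(uint8_t *p, size_t len, uint32_t from_net, uint32_t to_net, uint32_t mask) {
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;
    uint32_t old = (uint32_t)p[16] << 24 | (uint32_t)p[17] << 16 | (uint32_t)p[18] << 8 | p[19];
    if ((old & mask) != (from_net & mask)) return 0;
    uint32_t new_ = (to_net & mask) | (old & ~mask);
    for (int i = 0; i < 4; i++) p[16 + i] = (uint8_t)(new_ >> (24 - 8 * i));
    csum_fix(p + 10, old, new_);                       /* IPv4 header checksum */
    size_t off = p[9] == 6 ? 16 : p[9] == 17 ? 6 : 0;  /* TCP or UDP checksum offset */
    int later_frag = ((p[6] & 0x1f) << 8 | p[7]) != 0; /* no L4 header in later fragments */
    if (!off || later_frag || ihl + off + 2 > len) return 1;
    uint8_t *c = p + ihl + off;
    if (p[9] == 17 && !(c[0] | c[1])) return 1;        /* UDP checksum not in use */
    csum_fix(c, old, new_);                            /* pseudo-header includes dst */
    if (p[9] == 17 && !(c[0] | c[1])) c[0] = c[1] = 0xff; /* 0 is reserved in UDP */
    return 1;
}

/* Constructed sample: UDP 192.0.2.10:1234 -> 10.1.2.3:53, payload "abcd". */
uint8_t sample_pkt[32] = {
    0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x11,0xac,0xbe,
    192,0,2,10, 10,1,2,3,
    0x04,0xd2,0x00,0x35, 0x00,0x0c,0x67,0xfa, 'a','b','c','d' };

int main(void) {
    int r = stateless_dnat(sample_pkt, sizeof sample_pkt, 0x0a010000, 0xac100000, 0xffff0000);
    printf("rc=%d dst=%u.%u.%u.%u\n", r, sample_pkt[16], sample_pkt[17], sample_pkt[18], sample_pkt[19]);
    return 0;
}
```

Because no connection state is kept, return traffic needs the mirror-image rewrite applied to the source address.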