So i've been implementing some new features in ipfilter, whether or not they make it a 5.0, I'm not sure...maybe a few people can
let me know what they think about that..
So what are these new features?
There are 3 new commands for ipnat.conf:
rewrite - change both source and address fields for incoming or outgoing packets
encap - encapsulated the packet in a new IP header (this will be compatible, I hope, with IPENCAP tunnels elsewhere0
divert - encapsulate the packet into an IP+UDP packet
To help people use these, I've rewritten the ipnat.conf man page.
A divert rule looks like this:
divert in on le0 proto udp from any to any port = 53 -> src 127.0.0.1,54 dst 127.0.0.1,5300;
note the ";" on the end of the line. To the left of the "->" is the original packet to be matched, on the right, the IP/UDP header
to create and put in front of the packet. Reply packets from that socket will have the IP+UDP headers removed when they get back to
IPFilter. I'm hoping this will provide cross-platform "divert" functionality but it needs more widespread testing than what I've
been able to achieve.
encap is pretty much the same as divert, minus the port numbers to the right of "->".
Rewrites have a subset of the combined functionality of rdr/map rules. As an example of how the man page has been rewritten, I've included the contents of it for this new command below.
You can now use ipmon.conf to as the place to specify how log records are sent to syslog (facility & priority) rather than needing to do it in filter rules.
As part of the "keep state" options, you can now specify a rule group to which ICMP replies can be filtered by - "... keep state(icmp-head icmprules)"
It is also now possible to position stateful filtering checks, inbound and outbound nat lookups. If this is done, the traditional checks are no longer performed. This is done as follows:
call now fr_checkstate in on le0 from any to any
call now fr_ipfnatin in on ppp0 all
call now fr_ipfnatout out on bge0 from bge0/32 to any
Oh, being 5.0.0, it is a development version, there's nothing release quality about it (well, you might argue that for others too .. >:->), this is just to get some feedback from people on features and enable some people to try/test a few things out beyond my limited scope. Perhaps most importantly, most of my work to date has been limited to using NetBSD.
It can be downloaded from ip_fil5.0.0.tar.gz.
MD5 (/home/darrenr/ip_fil5.0.0.tar.gz) = 7798797c1929cb55c182d3088f40b0b5
REWRITING SOURCE AND DESTINATION
Whilst the above two commands provide a lot of flexibility in changing
addressing fields in packets, often it can be of benefit to translate
both source and destination at the same time or to change the source
address on input or the destination address on output. Doing all of
these things can be accomplished using rewrite NAT rules.
A rewrite rule requires the same level of packet matching as before,
protocol and source/destination information but in addition allows
either in or out to be specified like this:
rewrite in on ppp0 proto tcp from any to any port = 80 ->
src 0/0 dst 127.0.0.1,3128;
rewrite out on ppp0 from any to any ->
src 0/32 dst 10.1.1.0/24;
On the RHS we can specify both new source and destination information
to place into the packet being sent out. As with other rules used in
ipnat.conf, there are shortcuts syntaxes available to use the original
address information (0/0) and the address associated with the network
interface (0/32.) For TCP and UDP, both address and port information
can be changed. At present it is only possible to specify either a
range of port numbers to be used (X-Y) or a single port number (=X) as
rewrite in on le0 proto tcp from any to any port = 80 ->
src 0/0,2000-20000 dst 127.0.0.1,port = 3128;
There are four fields that are stepped through in enumerating the num-
ber space available for creating a new destination:
If one of these happens to be a static then it will be skipped
and the next one incremented. As an example:
rewrite out on le0 proto tcp from any to any port = 80 ->
src 184.108.40.206/8,5000-5999 dst 220.127.116.11/24,6000-6999;
The translated packets would be:
1st src=18.104.22.168,5000 dst=22.214.171.124,6000
2nd src=126.96.36.199,5000 dst=188.8.131.52,6000
3rd src=184.108.40.206,5001 dst=220.127.116.11,6000
4th src=18.104.22.168,5001 dst=22.214.171.124,6000
5th src=126.96.36.199,5001 dst=188.8.131.52,6001
6th src=184.108.40.206,5001 dst=220.127.116.11,6001
and so on.
As with map rules, it is possible to specify a range of addresses by
including the word range before the addresses:
rewrite from any to any port = 80 ->
src 18.104.22.168 - 22.214.171.124 dst 126.96.36.199 - 188.8.131.52;