[FreeBSD] IPFW in-kernel NAT has arrived?

#1 Posted on 2008-02-26 04:03
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT.  It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything.  Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines.  However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you.  Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''.  It
# depends on IPFIREWALL if compiled into the kernel.
#
# IPFIREWALL_FORWARD enables changing of the packet destination either
# to do some sort of policy routing or transparent proxying.  Used by
# ``ipfw forward''. All  redirections apply to locally generated
# packets too.  Because of this great care is required when
# crafting the ruleset.
#
# IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires
# LIBALIAS. To build an ipfw kld with nat support enabled, add
# "CFLAGS+= -DIPFIREWALL_NAT" to your make.conf.

#
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         IPFIREWALL_FORWARD      #packet destination changes
options         IPFIREWALL_NAT          #ipfw kernel nat support
options         IPDIVERT                #divert sockets

Found this by chance in the NOTES file of 7.0 RC3.

Note: this option requires LIBALIAS support, and the following must be added to /etc/make.conf:
CFLAGS+= -DIPFIREWALL_NAT

It did not compile on my side; anyone interested can give it a try.

[ This post was last edited by 虾球桑 on 2008-2-26 04:32 ]

#2 Posted on 2008-02-26 09:38
Good news; I will try it out in the next few days.

#3 Posted on 2008-02-26 10:31
So IPFW never had kernel-level NAT.
People have always used that as the excuse for claiming IPFW is not as strong as Linux's IPTABLES.

Let's see what they say now!

#4 Posted on 2008-03-12 22:22

It seems someone has already used it successfully.

Reposted from: http://www.freebsdchina.org/forum/topic_40533.html

1. Add the following to the kernel configuration and build the kernel:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPFIREWALL_NAT
options LIBALIAS


2. Add the following to /etc/rc.conf:
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_nat_interface="bge1"
firewall_type="/etc/ipfw.conf"

Note: bge1 is the NIC connected to the external network.


3. ipfw.conf (for testing):
add 00100 allow all from any to any via lo0
add 00110 deny all from any to 127.0.0.0/8
add 00120 deny all from 127.0.0.0/8 to any
add 00200 deny all from any to any ipoptions rr
add 00210 deny all from any to any ipoptions ts
add 00220 deny all from any to any ipoptions ssrr
add 00230 deny all from any to any ipoptions lsrr
add 00240 deny tcp from any to any in tcpflags syn,fin

add 00300 nat 10 all from any to any via bge1
nat 10 config if bge1

nat 50 config redirect_port tcp 192.168.1.1:80 80
nat 60 config redirect_port tcp 192.168.1.1:21 21

add 01030 allow all from 192.168.0.0/16 to any
add 01040 allow all from any to 192.168.0.0/16

add 04000 deny all from any to any

4. Impressions after trying it
Doing NAT on FreeBSD at low traffic (under 100 Mb) and with few users (around 2000), there is little difference between IPFW, IPFILTER and PF. With high traffic and many users (over 3000), however, IPFW and IPFILTER use a lot of CPU (over 50%) and throughput drops considerably; enabling POLLING improves this somewhat. Of the three firewalls, PF performs best, using less CPU (around 30%), but throughput tops out at around 150 Mb, and with a few more users (around 5000) it starts to lag, connections drop and throughput declines.

Finally, thanks to delphij for the help, and I hope the expert can lend a hand with the throughput ceiling problem. Thanks!
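
As an added example (not code from this thread or from FreeBSD), here is a small static checker for a rule file in the form step 3 uses, i.e. what firewall_type="/etc/ipfw.conf" expects: one ipfw command per line without the leading "ipfw". It pairs every "nat N config" instance with the "add ... nat N" rules that send packets to it and reports instances that are referenced but never configured, instances that are configured but never referenced (their redirect_port entries then never see a packet), and nat rules whose "via" interface does not match the instance's "if" interface. Run over the ruleset in step 3 it flags nat 50 and nat 60 as configured but unused. The sample ruleset embedded below is constructed and modelled on that post, with one extra rule (nat 70) that references an instance nobody configured.

```python
"""Static checks for an ipfw ruleset that uses in-kernel NAT (ipfw nat).

Added example, not code from the thread or from FreeBSD. Input is a rule
file as firewall_type="/etc/ipfw.conf" expects: one ipfw command per line,
no leading 'ipfw', '#' starting a comment.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# 'add [NUMBER] nat N ...': a rule that hands matching packets to instance N
ADD_NAT_RE = re.compile(r"^add\s+(?:\d+\s+)?nat\s+(\d+)\b(.*)$")
# 'nat N config ...': creates/configures instance N
NAT_CONFIG_RE = re.compile(r"^nat\s+(\d+)\s+config\b(.*)$")
VIA_RE = re.compile(r"\bvia\s+(\S+)")
IF_RE = re.compile(r"\bif\s+(\S+)")


@dataclass
class NatInstance:
    number: int
    config_line: Optional[int] = None  # line of 'nat N config', if any
    iface: Optional[str] = None        # 'if IFACE' from that config
    rules: List[Tuple[int, Optional[str]]] = field(default_factory=list)  # (line, via)


def parse(text: str) -> Dict[int, NatInstance]:
    """Collect every NAT instance mentioned, with its config and its rules."""
    instances: Dict[int, NatInstance] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ADD_NAT_RE.match(line)
        if m:
            n = int(m.group(1))
            via = VIA_RE.search(m.group(2))
            inst = instances.setdefault(n, NatInstance(n))
            inst.rules.append((lineno, via.group(1) if via else None))
            continue
        m = NAT_CONFIG_RE.match(line)
        if m:
            n = int(m.group(1))
            inst = instances.setdefault(n, NatInstance(n))
            inst.config_line = lineno
            ifm = IF_RE.search(m.group(2))
            inst.iface = ifm.group(1) if ifm else None
    return instances


def lint(text: str) -> List[str]:
    """Return one finding per NAT problem, ordered by instance number."""
    findings: List[str] = []
    for n, inst in sorted(parse(text).items()):
        if inst.config_line is None:
            # A rule references the instance but nothing ever created it.
            for lineno, _ in inst.rules:
                findings.append(
                    f"line {lineno}: rule uses nat {n} but there is no 'nat {n} config'")
            continue
        if not inst.rules:
            # Instance exists but no rule feeds it: its redirect_port /
            # redirect_addr entries never take effect.
            findings.append(
                f"line {inst.config_line}: nat {n} is configured but no "
                f"'add ... nat {n}' rule sends traffic to it")
            continue
        if inst.iface is None:
            continue
        for lineno, via in inst.rules:
            if via is None:
                findings.append(
                    f"line {lineno}: nat {n} aliases to {inst.iface} but the rule "
                    f"has no 'via {inst.iface}' qualifier, so traffic on every "
                    f"interface is run through it")
            elif via != inst.iface:
                findings.append(
                    f"line {lineno}: rule matches 'via {via}' but nat {n} "
                    f"aliases to {inst.iface}")
    return findings


# Constructed sample, modelled on the ruleset in the post above, plus one
# rule (nat 70) that references an instance nobody configured.
RULESET = """\
add 00100 allow all from any to any via lo0
add 00300 nat 10 all from any to any via bge1
nat 10 config if bge1
nat 50 config redirect_port tcp 192.168.1.1:80 80
nat 60 config redirect_port tcp 192.168.1.1:21 21
add 00310 nat 70 all from any to any via bge1
add 01030 allow all from 192.168.0.0/16 to any
add 04000 deny all from any to any
"""

if __name__ == "__main__":
    for finding in lint(RULESET):
        print(finding)
```

The checker is deliberately limited to the NAT wiring; it does not validate the rest of the ipfw syntax, and it treats "nat N config" with no "if" as having no interface to compare against.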

#5 Posted on 2008-03-13 01:57
Come to think of it, I only just learned that ipfw previously did not have kernel-level NAT...

But I have not run into any problems in use either; perhaps 500 users is simply not much load.