author | darrenr <darrenr@FreeBSD.org> | 2000-05-24 02:14:22 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2000-05-24 02:14:22 +0000 |
commit | dda6755c7b3b3b5d3e9111b7d0c39a7d8b5f3e12 (patch) | |
tree | 8658a81b1c1fcbbbec3b1df568cc198dd98d44ee /contrib/ipfilter/man/ipnat.5 | |
parent | 1fa4f6782a7e92a232e56892d8bce7920d49292e (diff) | |
Import IP Filter 3.4.4 into FreeBSD-current
Diffstat (limited to 'contrib/ipfilter/man/ipnat.5')
-rw-r--r-- | contrib/ipfilter/man/ipnat.5 | 64 |
1 files changed, 57 insertions, 7 deletions
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 index e15fa0d..ec53059 100644 --- a/contrib/ipfilter/man/ipnat.5 +++ b/contrib/ipfilter/man/ipnat.5 @@ -8,14 +8,24 @@ The format for files accepted by ipnat is described by the following grammar: ipmap :: = mapblock | redir | map . map ::= mapit ifname ipmask "->" ipmask [ mapport ] . +map ::= mapit ifname fromto "->" ipmask [ mapport ] . mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] . -redir ::= "rdr" ifname [ fromspec ] ipmask "->" ip [ ports ] [ tcpudp ] . +redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options . + +dport ::= "port" portnum [ "-" portnum ] . ports ::= "ports" numports | "auto" . mapit ::= "map" | "bimap" . +fromto ::= "from" object "to" object . ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . mapport ::= "portmap" tcpudp portnumber ":" portnumber . +options ::= [ tcpudp ] [ rr ] . + +object = addr [ port-comp | port-range ] . +addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . +port-comp = "port" compare port-num . +port-range = "port" port-num range port-num . -fromspec ::= "from" ip "/" ipmask . +rr ::= "round-robin" . tcpudp ::= "tcp" | "udp" | "tcp/udp" . portnumber ::= number { numbers } | "auto" . ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . @@ -40,7 +50,7 @@ When remapping TCP and UDP packets, it is also possible to change the source port number. Either TCP or UDP or both can be selected by each rule, with a range of port numbers to remap into given as \fBport-number:port-number\fP. .SH COMMANDS -There are found commands recognised by IP Filter's NAT code: +There are four commands recognised by IP Filter's NAT code: .TP .B map that is used for mapping one address or network to another in an unregulated 
@@ -60,10 +70,26 @@ squeeze the addresses to be translated into the destination range. .SH MATCHING .PP For basic NAT and redirection of packets, the address subject to change is used -along with its protocol to check if a packet should be altered. In the case -of redirects, it is also possible to select packets on a source address basis -using the \fBfrom\fP keyword, as well as the manditory destination port. The -packet \fImatching\fP part of the rule is to the left of the "->" in each rule. +along with its protocol to check if a packet should be altered. The packet +\fImatching\fP part of the rule is to the left of the "->" in each rule. +.PP +Matching of packets has now been extended to allow more complex compares. +In place of the address which is to be translated, an IP address and port +number comparison can be made using the same expressions available with +\fBipf\fP. A simple NAT rule could be written as: +.LP +.nf +map de0 10.1.0.0/16 -> 201.2.3.4/32 +.fi +.LP +or as +.LP +.nf +map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32 +.fi +.LP +Only IP address and port numbers can be compared against. This is available +with all NAT rules. .SH TRANSLATION .PP To the right of the "->" is the address and port specificaton which will be 
@@ -93,6 +119,30 @@ True transparent proxying should be performed using the redirect (\fBrdr\fP) rules directing ports to localhost (127.0.0.1) with the proxy program doing a lookup through \fB/dev/ipnat\fP to determine the real source and address of the connection. +.SH LOAD-BALANCING +.PP +Two options for use with \fBrdr\fP are available to support primitive, +\fIround-robin\fP based load balancing. The first option allows for a +\fBrdr\fP to specify a second destination, as follows: +.LP +.nf +rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp +.fi +.LP +This would send alternate connections to either 203.1.2.3 or 203.1.2.4. +In scenarios where the load is being spread amongst a larger set of +servers, you can use: +.LP +.nf +rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin +rdr le0 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin +.fi +.LP +In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4 +and then 203.1.2.5 before going back to 203.1.2.3. In accomplishing this, +the rule is removed from the top of the list and added to the end, +automatically, as required. This will not effect the display of rules +using "ipnat -l", only the internal application order. .SH EXAMPLES .PP This section deals with the \fBmap\fP command and it's variations. |
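Review bot: in the grammar hunk (@@ -8,14 +8,24 @@) the four new productions `object = addr [ port-comp | port-range ] .`, `addr = "any" | nummask | host-name [ ... ] .`, `port-comp = "port" compare port-num .` and `port-range = "port" port-num range port-num .` use `=` where every other production in this file uses `::=`; make them consistent. The same hunk also leaves several nonterminals undefined in this grammar: `portnum` (in `dport`; the existing symbol is `portnumber`), `nummask`, `host-name`, `compare`, `range`, `port-num`, `ipaddr` and `hexnumber`. Either define them here or say explicitly that they are the symbols from ipf(5), since a reader of ipnat(5) alone cannot resolve them. Finally, the hunk adds a second `map ::= mapit ifname fromto "->" ipmask [ mapport ] .` next to the original `map ::= mapit ifname ipmask "->" ipmask [ mapport ] .`; two productions for one nonterminal is unusual for this grammar's style, so fold the `fromto` alternative into the existing rule with `|` (as `ipmap` already does). Note too that `redir` now reads `"rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .`, which makes the destination port mandatory and drops the old `[ fromspec ]`; the MATCHING text says from/to matching is "available with all NAT rules", but neither `redir` nor `mapblock` accepts `fromto` in this grammar, so one of the two needs to change.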
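Review bot: in the MATCHING hunk (@@ -60,10 +70,26 @@) the sentence "Only IP address and port numbers can be compared against. This is available with all NAT rules." contradicts the grammar in the same patch, where only `map`/`bimap` gains the `fromto` form and `map-block` and `rdr` keep their `ipmask` matching; either state which commands accept `from ... to ...` or extend the grammar. The paragraph also removes the statement that `rdr` can select on source address with the `from` keyword without replacing it, so a user of the old `rdr ... from ...` syntax is left with no note that it has gone. Minor wording: "more complex compares" should be "more complex comparisons", and "manditory" was misspelled in the removed text, so check the replacement did not carry it elsewhere.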
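Review bot: in the LOAD-BALANCING hunk (@@ -93,6 +119,30 @@) "This will not effect the display of rules" should read "affect". The second example pairs two `rdr` rules with an identical left-hand side, `rdr le0 203.1.2.3/32 port 80 -> ... tcp round-robin`; the text should say plainly that the second rule is only ever reached because `round-robin` rotates the first rule to the end of the list, since with ordinary first-match rules the second would be shadowed. It would also help to state that the rotation happens when a new connection is created rather than per packet, which the phrases "alternate connections" and "a connection will be redirected" imply but do not say. Style: the first example redirects 203.1.2.3 to itself (`-> 203.1.2.3,203.1.2.4`), which reads oddly beside the `map` examples that translate to a distinct address, and this section uses `le0` where the MATCHING examples use `de0`.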