Static NAT Ranges?

Static NAT Ranges?

[Larry Stephan]

Hi All-

I have worked both with netfilter (from ipfwadm through iptables) and with
some commercial firewall packages.  I must say that netfilter is a remarkably
capable system.  However, one feature which appears to be lacking is a
convenient way to NAT address ranges statically: that is, for a given range
of addresses, the NATted address would always differ from the original
address by the same fixed amount. This is handy for fixing certain routing
problems, as well as for changing ranges of address that may cause a
conflict to more acceptable ranges, a not infrequent problem when different
organizations establish dedicated network links.  I have attempted to find
something like this on the netfilter web site, but (perhaps I missed
something) I found nothing.

I was thinking that a --static option to SNAT and DNAT might do the trick.
For example, (line broken because it doesn't fit well):

iptables -s 5.6.7.0/25 -t nat -A POSTROUTING 
-o eth0 -j SNAT --static --to 1.2.3.64

would map 5.6.7.1 to 1.2.3.65, 5.6.7.2 to 1.2.3.66,...,5.6.7.126 to 1.2.3.190

Of course this can be done with individual entries, but the above could save
several hundred entries in the tables.  Does an equivalent capability exist?
Is is easy enough that you might wish to add it?  I am afraid I haven't the
time to get up to speed and contribute - at least not for a few years.
However, your efforts are greatly appreciated.


Another, but I suppose much harder, enhancement would be support of address
ranges in the matching code. This is also a useful feature I have seen on
some commercial packages.  (It is quite amazing what strange manipulations
become necessary when one is not free to re-assign addresses in a reasonable
manner.)  Maybe I can contribute this one sometime down the road.

Thank you for your software, your time, and your consideration,

Larry

Larry Stephan          "Sometimes I think the surest sign there's intelligent
jlarry@delanet.com        life in space is that they haven't contacted us."
                            Bill Watterson - "Calvin and Hobbes"

Re: Static NAT Ranges?

[Hervé Eychenne]

On Fri, Jan 24, 2003 at 11:39:58PM -0500, Larry Stephan wrote:

 Hi,

> I have worked both with netfilter (from ipfwadm through iptables) and with
> some commercial firewall packages.  I must say that netfilter is a remarkably
> capable system.  However, one feature which appears to be lacking is a
> convenient way to NAT address ranges statically: that is, for a given range
> of addresses, the NATted address would always differ from the original
> address by the same fixed amount. This is handy for fixing certain routing
> problems, as well as for changing ranges of address that may cause a
> conflict to more acceptable ranges, a not infrequent problem when different
> organizations establish dedicated network links.  I have attempted to find
> something like this on the netfilter web site, but (perhaps I missed
> something) I found nothing.
> 
> I was thinking that a --static option to SNAT and DNAT might do the trick.
> For example, (line broken because it doesn't fit well):
> 
> iptables -s 5.6.7.0/25 -t nat -A POSTROUTING 
> -o eth0 -j SNAT --static --to 1.2.3.64
> 
> would map 5.6.7.1 to 1.2.3.65, 5.6.7.2 to 1.2.3.66,...,5.6.7.126 to 1.2.3.190

I suppose you are looking for the NETMAP target, available in p-o-m.

Now I have a question for the coreteam... why not consider the
inclusion of NETMAP in upstream kernel?
It seems to me that this functionnality is quite standard, and I think
it has proved to be stable now, don't you think?
I have been using it in production systems for quite a long time now
without any problem.  Why keep it experimental?

 Herve

-- 
 _
(°=  Hervé Eychenne
//)
v_/_ WallFire project:  http://www.wallfire.org/