* L2 NAT
From: ivan @ 2008-11-14 16:34 UTC (permalink / raw)
  To: netfilter

Hi All,

I need to connect three devices via Ethernet, through a switch, to the
same TFTP server. The problem is that these devices have the same IP,
i.e. 192.168.0.181, and when I send data to or get data from one of
them, I can't tell which device I'm actually talking to. The devices
are three items of the same product, and their IP cannot be changed.

I have implemented a Perl script that changes the ARP table on the TFTP
server side, but I need a stronger solution.

I was thinking of developing a sort of L2 NAT which could change the
IP source address of a packet according to its MAC address, and put
it between the TFTP server and the devices.

Using the current iptables command, can I set this up, or do I need to
develop my own kernel module?

If you have any idea please let me know.


Thanks.


* Re: L2 NAT
From: Grant Taylor @ 2008-11-15  4:02 UTC (permalink / raw)
  To: Mail List - Netfilter

On 11/14/2008 10:34 AM, ivan wrote:
> I need to connect three devices via ethernet, through a switch, to 
> the same tftp server. The problem is that these devices have the same 
> IPs, i.e. 192.168.0.181, and when I address to or get data from one 
> of them, I can't tell which device I'm actually talking to. The 
> devices are three items of the same product, and their IP cannot be 
> changed.

Do the devices ever initiate connections to your server or just respond 
to connections that the server initiates?

If it is your server initiating connections, you might be able to 
statically set arp entries for each device on its own bogus IP.  By 
doing this you should be able to talk to each bogus IP and have the 
ethernet frames go to the proper device.  If the IP stack / software on 
each device is simple enough, you can probably talk to it with the 
incorrect destination IP.  Though I'm not 100% sure what the returning 
packet would be like.  But it is a direction to look.

> I have implemented a perl script that changes the ARP table in tftp 
> server side, but I need a stronger solution.

*nod*

> I was thinking on developing a sort of L2 NAT which could change the 
> IP source address of a package according to its MAC address, and put 
> it in the middle of the tftp server and the devices.

You might be able to use Bridge NetFilter extensions on a box between 
the three devices and the server to be able to NAT the IPs of the traffic.

You could choose what source IP to SNAT traffic to based on the source 
MAC address.  If you send the new ethernet frame out with the original 
source MAC address your server will have the proper MAC address and a 
spoofed IP to know where the packet came from.

Your server will have to reply to a MAC address, probably the real MAC 
address of the device but with a spoofed IP.  So the bridge will have to 
DNAT the traffic based on the destination MAC address.

This should take care of packets leaving the devices going to the server.

You will need to watch for ARP queries from the network for the spoofed 
IPs of the devices and have the bridge send the ARP reply with the 
correct MAC addresses and the spoofed IPs.

> Using the current iptables command can I set up this?? or  I need to 
> develop my own kernel module???

I think you might be able to pull it off with a combination of IPTables 
and EBTables.

> If you have any idea please let me know.

See what you think of the above ideas.



Grant. . . .


* L2 NAT
From: ivan @ 2008-12-03 17:22 UTC (permalink / raw)
  To: netfilter-devel

Hi,

After getting a lot of help from Grant Taylor in analyzing whether I
could achieve my idea using the available iptables features, the
result being that I have to develop my own kernel module, I'm writing
to this list because my question is related to Linux kernel
programming.

I would like to pass parameters to the kernel module at run time from
user space. These parameters could be an IP address and a MAC. Does
somebody know how I can do this?

I was thinking about passing these parameters through a sysctl syscall
or using the /proc filesystem, but I believe that this is not the
correct way.

I was also taking a look at the iptables source code and the libiptc
library, but I could not find any clue about how these change the
kernel parameters.

Could you please help me?

thanks!


* Re: L2 NAT
From: James King @ 2008-12-04  1:01 UTC (permalink / raw)
  To: ivan; +Cc: netfilter-devel

On Wed, Dec 3, 2008 at 9:22 AM, ivan <lagigliaivan@gmail.com> wrote:
> I would like to pass parameters to the kernel module at run time from
> user space. These parameters could be an IP address and a MAC. Does
> somebody know how I can do this?

Use the module_param functions (you probably want the string variant).
 See http://tldp.org/LDP/lkmpg/2.6/html/x323.html for examples.

> I was thinking about passing these parameters through a sysctl syscall
> or using the /proc filesystem, but I believe that this is not the
> correct way.

Depends on if you need to be able to modify it after the module has
already been loaded.  If not, a module parameter should suffice.


HTH,
James


* Re: L2 NAT
From: ivan @ 2008-12-04 13:34 UTC (permalink / raw)
  To: James King; +Cc: netfilter-devel

James,

Thanks for your quick reply!

I think that your answer is a good approach, but I would like to
pass/modify the module parameters while it is running. I believe
this gives the user more flexibility to add to/configure the
module's behavior.

Please, let me know if you have any idea.

Thanks again.

ivan.



* Re: L2 NAT
From: John Haxby @ 2008-12-04 14:38 UTC (permalink / raw)
  To: ivan; +Cc: James King, netfilter-devel

ivan wrote:
> I think that your answer is a good approach, but I would like to
> pass/modify the module parameters while it is running. I believe
> this gives the user more flexibility to add to/configure the
> module's behavior.
>   

You can do that with module parameters, they appear as files in 
/sys/module/<module-name>/parameters and, given the right permissions, 
you can modify them as you see fit.

jch


* Re: L2 NAT
From: ivan @ 2008-12-04 15:43 UTC (permalink / raw)
  To: John Haxby; +Cc: James King, netfilter-devel

Thanks jch,

I will try doing this!
My module works by changing the IP address of a packet according to its
MAC address, so I would like to add different <MAC-IP> pairs while
the module is running.

Thanks!!

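The two pieces the thread circles around, the "change the source IP by source MAC" rewrite Grant sketches and the MAC-IP pairs ivan wants to push into the module while it runs, as one added userspace example. This is not ivan's module and not code from the thread; it assumes a hypothetical "MAC=IP,MAC=IP,..." string for the parameter, device MACs 00:11:22:33:44:0x, bogus IPs 192.168.0.20x and a server at 192.168.0.1 (only 192.168.0.181 comes from the thread). In the real module the same parser would be the set callback registered with module_param_call() (2.6-era) or module_param_cb() under a 0644 permission, which is what makes /sys/module/<module-name>/parameters/<name> writable by root, and the checksum fix-ups would be the kernel's csum_replace4() / inet_proto_csum_replace4().

```c
/* l2nat_demo.c: added example, not ivan's module (that code is not on the page). A
 * userspace model of what such a module needs: a parser for the string root writes to
 * /sys/module/<module>/parameters/map (hypothetical "MAC=IP,..." format) and the
 * per-packet rewrite that picks the source IP by source MAC and fixes the IPv4 and UDP
 * checksums incrementally (RFC 1624, as the kernel's csum_replace4() does). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2NAT_MAX 16
struct l2nat_entry { uint8_t mac[6]; uint8_t ip[4]; };
static struct l2nat_entry l2nat_map[L2NAT_MAX];
static int l2nat_count;

/* One "aa:bb:cc:dd:ee:ff=1.2.3.4" item; the trailing %c must NOT match (rejects junk). */
static int parse_entry(const char *s, struct l2nat_entry *e)
{
    unsigned int b[6], o[4]; char x;
    if (sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x=%u.%u.%u.%u%c", b, b + 1, b + 2, b + 3, b + 4, b + 5,
               o, o + 1, o + 2, o + 3, &x) != 10) return -1;
    for (int i = 0; i < 6; i++) e->mac[i] = (uint8_t)b[i];
    for (int i = 0; i < 4; i++) { if (o[i] > 255) return -1; e->ip[i] = (uint8_t)o[i]; }
    return 0;
}
/* Replace the whole table. On any malformed item nothing changes and -1 comes back, so a
 * sysfs store callback can return -EINVAL without half-applying. "echo" adds a newline. */
int l2nat_load(const char *spec)
{
    char buf[512]; struct l2nat_entry tmp[L2NAT_MAX]; int n = 0; size_t len = strlen(spec);
    if (len >= sizeof buf) return -1;
    memcpy(buf, spec, len + 1);
    while (len && (buf[len - 1] == '\n' || buf[len - 1] == ' ')) buf[--len] = '\0';
    for (char *item = strtok(buf, ","); item; item = strtok(NULL, ","), n++)
        if (n == L2NAT_MAX || parse_entry(item, &tmp[n])) return -1;
    memcpy(l2nat_map, tmp, n * sizeof tmp[0]);
    return l2nat_count = n;
}
const struct l2nat_entry *l2nat_lookup(const uint8_t mac[6])
{
    for (int i = 0; i < l2nat_count; i++)
        if (!memcmp(l2nat_map[i].mac, mac, 6)) return &l2nat_map[i];
    return NULL;
}

static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)   /* big-endian 16-bit words */
{
    for (size_t i = 0; i + 1 < len; i += 2) sum += (p[i] << 8) | p[i + 1];
    return len & 1 ? sum + (p[len - 1] << 8) : sum;
}
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }
/* Full checksums; over a header that already carries a correct checksum both return 0. */
uint16_t ip_checksum(const uint8_t *ip, size_t ihl) { return (uint16_t)~csum_fold(csum_add(0, ip, ihl)); }
uint16_t udp_checksum(const uint8_t *ip, const uint8_t *udp, size_t ulen)
{
    uint32_t sum = csum_add(0, ip + 12, 8) + 17 + ulen;   /* pseudo-header: src, dst, proto, length */
    return (uint16_t)~csum_fold(csum_add(sum, udp, ulen));
}
/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for a 4-byte field going old -> nw. */
static uint16_t csum_replace4(uint16_t hc, const uint8_t old[4], const uint8_t nw[4])
{
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~((old[0] << 8) | old[1]); sum += (uint16_t)~((old[2] << 8) | old[3]);
    sum += (nw[0] << 8) | nw[1];                sum += (nw[2] << 8) | nw[3];
    return (uint16_t)~csum_fold(sum);
}

/* SNAT one Ethernet/IPv4 frame by source MAC: 1 if rewritten, 0 if not IPv4 or MAC unmapped. */
int l2nat_snat_frame(uint8_t *f, size_t len)
{
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00) return 0;   /* EtherType IPv4 */
    const struct l2nat_entry *e = l2nat_lookup(f + 6);          /* source MAC */
    uint8_t *ip = f + 14, old[4]; size_t ihl = (ip[0] & 0x0f) * 4;
    if (!e || (ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl) return 0;
    memcpy(old, ip + 12, 4);
    uint16_t c = csum_replace4((ip[10] << 8) | ip[11], old, e->ip);
    ip[10] = c >> 8; ip[11] = c & 0xff; memcpy(ip + 12, e->ip, 4);
    if (ip[9] == 17 && len >= 14 + ihl + 8 && ((ip[ihl + 6] << 8) | ip[ihl + 7])) {
        /* UDP (TFTP) with a checksum: its pseudo-header covers the source IP too; a zero
         * result would mean "no checksum", so it is sent as 0xffff instead. */
        c = csum_replace4((ip[ihl + 6] << 8) | ip[ihl + 7], old, e->ip);
        if (!c) c = 0xffff;
        ip[ihl + 6] = c >> 8; ip[ihl + 7] = c & 0xff;
    }
    return 1;
}

/* Constructed sample: TFTP RRQ from device MAC 00:11:22:33:44:01 (192.168.0.181) to a
 * server assumed at 192.168.0.1 / 00:0c:29:aa:bb:cc. Returns the frame length (57). */
size_t l2nat_sample_frame(uint8_t *f)
{
    static const uint8_t hdr[42] = {
        0x00,0x0c,0x29,0xaa,0xbb,0xcc, 0x00,0x11,0x22,0x33,0x44,0x01, 0x08,0x00,
        0x45,0x00,0x00,0x2b, 0x00,0x01,0x40,0x00, 0x40,0x11,0x00,0x00, 192,168,0,181, 192,168,0,1,
        0x04,0x01, 0x00,0x45, 0x00,0x17, 0x00,0x00 };           /* UDP 1025 -> 69, length 23 */
    static const uint8_t rrq[] = "\x00\x01" "fw.bin" "\x00" "octet";   /* 15 bytes incl. final NUL */
    memcpy(f, hdr, 42); memcpy(f + 42, rrq, sizeof rrq);
    uint16_t c = udp_checksum(f + 14, f + 34, 8 + sizeof rrq);
    if (!c) c = 0xffff;
    f[40] = c >> 8; f[41] = c & 0xff;
    c = ip_checksum(f + 14, 20); f[24] = c >> 8; f[25] = c & 0xff;
    return 42 + sizeof rrq;
}

int main(void)
{
    uint8_t frame[128]; size_t len = l2nat_sample_frame(frame);
    if (l2nat_load("00:11:22:33:44:01=192.168.0.201,00:11:22:33:44:02=192.168.0.202\n") != 2 ||
        !l2nat_snat_frame(frame, len)) return 1;
    printf("src now %u.%u.%u.%u, checksums %s\n", frame[26], frame[27], frame[28], frame[29],
           ip_checksum(frame + 14, 20) || udp_checksum(frame + 14, frame + 34, len - 34) ? "BAD" : "ok");
    return 0;
}
```

Two things this userspace model leaves out that the real module cannot: the reverse direction Grant describes (server to device, where the bogus destination IP has to be mapped back to 192.168.0.181 by destination MAC, and ARP requests for the bogus IPs have to be answered with the device MACs), and concurrency. A parameter written through sysfs is changed by one process while the hook runs on packets in softirq context on other CPUs, so the real table needs a lock or RCU around the swap that l2nat_load() does with a plain memcpy here; and the all-or-nothing parse matters for exactly that reason, since a half-applied table would silently map some devices to the old addresses.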
