Linux Netfilter discussions
* Trying to use NETMAP for 1-1 NAT
@ 2004-03-15  3:57 Nick Taylor
  2004-03-15  4:13 ` Alexander Samad
  2004-03-15  4:46 ` Trying to use NETMAP for 1-1 NAT Philip Craig
  0 siblings, 2 replies; 7+ messages in thread
From: Nick Taylor @ 2004-03-15  3:57 UTC (permalink / raw)
  To: netfilter

I am posting a newbie question here, so I hope for your patience with me.
We have had an unsolved problem which is driving us crazy for quite a
while, and I stumbled upon the NETMAP patch, which seems to do exactly
what we require.  Unfortunately, I haven't been able to use the module,
and I'm hoping someone on the list can point me in the right direction.
Thanks in advance for your help.

We have a remote office with a T1 line, which is quite expensive for us to
maintain, and saturates frequently.  We wish to increase the bandwidth
available to us, and our remote office is close enough to use DSL over
bare copper which our telco will provision for us, so the problem is
multiplexing over the various DSL modems.  If someone has a clever scheme
for this already, I would love to hear about it, I could obviate the need
for the NETMAP module.  However, the following details what I want to do,
and where in the process I stopped...

Many, many netblocks are routed from our main office to the remote
office.  The DSL modems we use, however, are only capable of storing 8
routes, so we figured we could 1:1 NAT each of the subnets of interest into
a large private space, send it across the DSL modems, and 1:1 NAT it back
to the real IP addresses at the other end.  The other option we thought of
was to use the modems as bridges, but it seems this would require a
separate (physical) interface in the linux box at each end for each modem.
While this solution would work right now, it doesn't scale well.

So, enter NETMAP...

I downloaded linux-2.4.25.tar.gz from ftp.kernel.org, and after a few
attempts got a kernel that worked for everything else I needed.  I got the
patch-o-matic as per the instructions in
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.html.

I patched my kernel with NETMAP, turned it on in make menuconfig, did:
make dep && make bzImage && make modules && make modules_install
cp arch/i386/boot/bzImage /boot/vmlinux-2.4.25-patched
lilo
reboot


Then I played with:
iptables -t nat -A POSTROUTING -s 192.168.33.0/24 -j NETMAP --to \
   192.168.44.0/24

which gives the error:
iptables v1.2.7a: Unknown arg `--to'

so, I try:
iptables -t nat -A POSTROUTING -s 192.168.33.0/24 -j NETMAP
iptables v1.2.7a: Couldn't load target
`NETMAP':/usr/lib/iptables/libipt_NETMAP.so: cannot open shared object file: No such file or directory

Right...
find / -regex '.*NETMAP.*' -print
...
/lib/modules/2.4.25/kernel/net/ipv4/netfilter/ipt_NETMAP.o
...

Okay, so it's a kernel module, not a shared object, and that's what I
expected...  so, maybe I need to modprobe it?  That has exactly the
same results.  Maybe the userspace tool needs an update?  Following
instructions again found in
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.html,
I do:
cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co netfilter/userspace
cvs server: warning: new-born netfilter/userspace has disappeared

Uh, oh!  Now I am stuck.  Is there a new location I should be looking for
the userspace?  Is updating the userspace the right thing to be doing?  Is
this patch "not right" on 2.4.25?  Anyone have any other suggestions what
I should do?

Thanks for your help!


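A model of what the scheme above does to addresses, added here as an illustration and not part of Nick's post or of the netfilter code: it reproduces the NETMAP target's rewrite (host bits kept, network bits swapped) and packs several real netblocks into one carrier block so the modem needs a single route. The three "real" netblocks and the 172.16.0.0/12 carrier are constructed sample values.

```python
"""NETMAP-style 1:1 address mapping, modelled in Python.

Added example, not from the thread.  netmap() mirrors what the netfilter
NETMAP target does to one address; plan_mapping() packs many real
netblocks into one carrier block; rules_for() renders the nat rules.
"""
import ipaddress


def netmap(addr: str, to_net: str) -> str:
    """Rewrite addr the way `-j NETMAP --to <to_net>` does.

    The host part of addr is kept and the network part is taken from
    to_net, so a /24 mapped onto a /24 is a bijection: applying netmap()
    again with the original prefix restores the address.
    """
    net = ipaddress.ip_network(to_net, strict=False)
    host_bits = int(ipaddress.ip_address(addr)) & int(net.hostmask)
    return str(ipaddress.ip_address(int(net.network_address) | host_bits))


def plan_mapping(real_nets, carrier_net):
    """Assign each real netblock a same-sized block inside carrier_net.

    Largest blocks are placed first, so every mapped block is a properly
    aligned network (what `--to addr/prefix` expects) with no gaps.
    Returns (real, mapped) pairs; raises if the carrier is too small.
    """
    carrier = ipaddress.ip_network(carrier_net)
    cursor = int(carrier.network_address)
    limit = int(carrier.broadcast_address) + 1
    plan = []
    nets = sorted((ipaddress.ip_network(n) for n in real_nets),
                  key=lambda n: n.prefixlen)
    for real in nets:
        size = real.num_addresses
        cursor = -(-cursor // size) * size          # round up to block boundary
        if cursor + size > limit:
            raise ValueError(f"{real} does not fit in carrier {carrier}")
        mapped = ipaddress.ip_network((cursor, real.prefixlen))
        plan.append((str(real), str(mapped)))
        cursor += size
    return plan


def rules_for(plan):
    """Render the nat-table rules for traffic flowing head end -> far end.

    Head end rewrites the real source onto the carrier block as the packet
    leaves for the modems (POSTROUTING); the far end rewrites the carrier
    destination back to the real block as it arrives (PREROUTING).
    """
    head = [f"iptables -t nat -A POSTROUTING -s {real} -j NETMAP --to {mapped}"
            for real, mapped in plan]
    far = [f"iptables -t nat -A PREROUTING -d {mapped} -j NETMAP --to {real}"
           for real, mapped in plan]
    return head, far


if __name__ == "__main__":
    # Constructed sample values: three "real" office netblocks, one carrier /12.
    sample = plan_mapping(["10.1.0.0/24", "10.2.0.0/16", "10.3.5.0/25"],
                          "172.16.0.0/12")
    for real, mapped in sample:
        print(f"{real:>16} -> {mapped}")
    print(netmap("10.1.0.77", sample[1][1]))   # host .77 kept, network swapped
```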

* Re: Trying to use NETMAP for 1-1 NAT
  2004-03-15  3:57 Trying to use NETMAP for 1-1 NAT Nick Taylor
@ 2004-03-15  4:13 ` Alexander Samad
  2004-03-15  7:33   ` Antony Stone
  2004-03-15  4:46 ` Trying to use NETMAP for 1-1 NAT Philip Craig
  1 sibling, 1 reply; 7+ messages in thread
From: Alexander Samad @ 2004-03-15  4:13 UTC (permalink / raw)
  To: netfilter


Okay, my answer is not really a netfilter answer, but why not run an
IPSEC tunnel between each site and then route over the ipsec tunnel?

If you want to aggregate the head end you could use an equaliser device
to pull 2 or more xDSL lines together.

As you stated, you will need an interface per ADSL modem in bridge mode.


On Sun, Mar 14, 2004 at 10:57:18PM -0500, Nick Taylor wrote:
> I am posting a newbie question here, so I hope for your patience with me.
> We have had an unsolved problem which is driving us crazy for quite a
> while, and I stumbled upon the NETMAP patch, which seems to do exactly
> what we require.  Unfortunately, I haven't been able to use the module,
> and I'm hoping someone on the list can point me in the right direction.
> Thanks in advance for your help.
> 
> We have a remote office with a T1 line, which is quite expensive for us to
> maintain, and saturates frequently.  We wish to increase the bandwidth
> available to us, and our remote office is close enough to use DSL over
> bare copper which our telco will provision for us, so the problem is
> multiplexing over the various DSL modems.  If someone has a clever scheme
> for this already, I would love to hear about it, I could obviate the need
> for the NETMAP module.  However, the following details what I want to do,
> and where in the process I stopped...
> 
> Many, many netblocks are routed from our main office to the remote
> office.  The DSL modems we use, however, are only capable of storing 8
> routes, so we figured we could 1:1 NAT each of the subnets of interest into
> a large private space, send it across the DSL modems, and 1:1 NAT it back
> to the real IP addresses at the other end.  The other option we thought of
> was to use the modems as bridges, but it seems this would require a
> separate (physical) interface in the linux box at each end for each modem.
> While this solution would work right now, it doesn't scale well.
> 
> So, enter NETMAP...
> 
> I downloaded linux-2.4.25.tar.gz from ftp.kernel.org, and after a few
> attempts got a kernel that worked for everything else I needed.  I got the
> patch-o-matic as per the instructions in
> http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.html
> .
> 
> I patched my kernel with NETMAP, turned it on in make menuconfig, did:
> make dep && make bzImage && make modules && make modules_install
> cp arch/i386/boot/bzImage /boot/vmlinux-2.4.25-patched
> lilo
> reboot
> 
> 
> Then I played with:
> iptables -t nat -A POSTROUTING -s 192.168.33.0/24 -j NETMAP --to \
>    192.168.44.0/24
> 
> which gives the error:
> iptables v1.2.7a: Unknown arg `--to'
> 
> so, I try:
> iptables -t nat -A POSTROUTING -s 192.168.33.0/24 -j NETMAP
> iptables v1.2.7a: Couldn't load target
> `NETMAP':/usr/lib/iptables/libipt_NETMAP.so: cannot open shared object file: No such file or directory
> 
> Right...
> find / -regex '.*NETMAP.*' -print
> ...
> /lib/modules/2.4.25/kernel/net/ipv4/netfilter/ipt_NETMAP.o
> ...
> 
> Okay, so it's a kernel module, not a shared object, and that's what I
> expected...  so, maybe I need to modprobe it?  That has exactly the
> same results.  Maybe the userspace tool needs an update?  Following
> instructions again found in
> http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.html,
> I do:
> cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
> cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co netfilter/userspace
> cvs server: warning: new-born netfilter/userspace has disappeared
> 
> Uh, oh!  Now I am stuck.  Is there a new location I should be looking for
> the userspace?  Is updating the userspace the right thing to be doing?  Is
> this patch "not right" on 2.4.25?  Anyone have any other suggestions what
> I should do?
> 
> Thanks for your help!
> 
> 


* Re: Trying to use NETMAP for 1-1 NAT
  2004-03-15  3:57 Trying to use NETMAP for 1-1 NAT Nick Taylor
  2004-03-15  4:13 ` Alexander Samad
@ 2004-03-15  4:46 ` Philip Craig
  1 sibling, 0 replies; 7+ messages in thread
From: Philip Craig @ 2004-03-15  4:46 UTC (permalink / raw)
  To: Nick Taylor; +Cc: netfilter

Nick Taylor wrote:
> so, I try:
> iptables -t nat -A POSTROUTING -s 192.168.33.0/24 -j NETMAP
> iptables v1.2.7a: Couldn't load target
> `NETMAP':/usr/lib/iptables/libipt_NETMAP.so: cannot open shared object file: No such file or directory

You just need to rebuild your iptables userspace.  The NETMAP extension
is only included if userspace is built against a kernel that supports it.
There's no need to get the latest iptables userspace from CVS.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com


* Re: Trying to use NETMAP for 1-1 NAT
  2004-03-15  4:13 ` Alexander Samad
@ 2004-03-15  7:33   ` Antony Stone
  2004-03-16  6:29     ` Nick Taylor
  0 siblings, 1 reply; 7+ messages in thread
From: Antony Stone @ 2004-03-15  7:33 UTC (permalink / raw)
  To: netfilter

On Monday 15 March 2004 4:13 am, Alexander Samad wrote:

> Okay, my answer is not really a netfilter answer, but why not run an
> IPSEC tunnel between each site and then route over the ipsec tunnel.

Even simpler to set up, and maybe adequate for the task, would be a plain IP in
IP tunnel (see http://lartc.org for details).  It doesn't have the security
of an IPsec tunnel, but then neither does the nat solution which Nick is
trying to get working in the first place.

I think an IP tunnel would be a 'cleaner' network arrangement than lots of nat 
around the place, but the choice is yours, of course.

Regards,

Antony.

> On Sun, Mar 14, 2004 at 10:57:18PM -0500, Nick Taylor wrote:
> > I am posting a newbie question here, so I hope for your patience with me.
> > We have had an unsolved problem which is driving us crazy for quite a
> > while, and I stumbled upon the NETMAP patch, which seems to do exactly
> > what we require.  Unfortunately, I haven't been able to use the module,
> > and I'm hoping someone on the list can point me in the right direction.
> > Thanks in advance for your help.
> >
> > We have a remote office with a T1 line, which is quite expensive for us
> > to maintain, and saturates frequently.  We wish to increase the bandwidth
> > available to us, and our remote office is close enough to use DSL over
> > bare copper which our telco will provision for us, so the problem is
> > multiplexing over the various DSL modems.  If someone has a clever scheme
> > for this already, I would love to hear about it, I could obviate the need
> > for the NETMAP module.  However, the following details what I want to do,
> > and where in the process I stopped...
> >
> > Many, many netblocks are routed from our main office to the remote
> > office.  The DSL modems we use, however, are only capable of storing 8
> > routes, so we figured we could 1:1 NAT each of the subnets of interest
> > into a large private space, send it across the DSL modems, and 1:1 NAT it
> > back to the real IP addresses at the other end.  The other option we
> > thought of was to use the modems as bridges, but it seems this would
> > require a separate (physical) interface in the linux box at each end for
> > each modem. While this solution would work right now, it doesn't scale
> > well.
> >
> > So, enter NETMAP...
> >
> > I downloaded linux-2.4.25.tar.gz from ftp.kernel.org, and after a few
> > attempts got a kernel that worked for everything else I needed.  I got
> > the patch-o-matic as per the instructions in
> > http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.
> >html .
> >
> > I patched my kernel with NETMAP, turned it on in make menuconfig, did:
> > make dep && make bzImage && make modules && make modules_install
> > cp arch/i386/boot/bzImage /boot/vmlinux-2.4.25-patched
> > lilo
> > reboot
> >
> >
> > Then I played with:
> > iptables -t nat -A POSTROUTING -s 192.168.33.0/24 -j NETMAP --to \
> >    192.168.44.0/24
> >
> > which gives the error:
> > iptables v1.2.7a: Unknown arg `--to'
> >
> > so, I try:
> > iptables -t nat -A POSTROUTING -s 192.168.33.0/24 -j NETMAP
> > iptables v1.2.7a: Couldn't load target
> > `NETMAP':/usr/lib/iptables/libipt_NETMAP.so: cannot open shared object
> > file: No such file or directory
> >
> > Right...
> > find / -regex '.*NETMAP.*' -print
> > ...
> > /lib/modules/2.4.25/kernel/net/ipv4/netfilter/ipt_NETMAP.o
> > ...
> >
> > Okay, so it's a kernel module, not a shared object, and that's what I
> > expected...  so, maybe I need to modprobe it?  That has exactly the
> > same results.  Maybe the userspace tool needs an update?  Following
> > instructions again found in
> > http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.
> >html, I do:
> > cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
> > cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co
> > netfilter/userspace cvs server: warning: new-born netfilter/userspace has
> > disappeared
> >
> > Uh, oh!  Now I am stuck.  Is there a new location I should be looking for
> > the userspace?  Is updating the userspace the right thing to be doing? 
> > Is this patch "not right" on 2.4.25?  Anyone have any other suggestions
> > what I should do?
> >
> > Thanks for your help!

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

                                                     Please reply to the list;
                                                           please don't CC me.


* Re: Trying to use NETMAP for 1-1 NAT
  2004-03-15  7:33   ` Antony Stone
@ 2004-03-16  6:29     ` Nick Taylor
  2004-03-16  9:27       ` patch-o-matic and modules Ming-Ching Tiew
  0 siblings, 1 reply; 7+ messages in thread
From: Nick Taylor @ 2004-03-16  6:29 UTC (permalink / raw)
  Cc: netfilter

On Mon, 15 Mar 2004, Antony Stone wrote:
> Even simpler to set up, and maybe adequate for the task, would be a plain IP in
> IP tunnel (see http://lartc.org for details).   It doesn't have the security
> of an IPsec tunnel, but then neither does the nat solution which Nick is
> trying to get working in the first place.
>
> I think an IP tunnel would be a 'cleaner' network arrangement than lots of nat
> around the place, but the choice is yours, of course.
>
> Regards,
>
> Antony.
>
We already have VPN connections traveling all over the place, with
endpoints on opposite sides of the DSL modems.  While everything should
"just work" tunnel-in-tunnel, I would rather not incur the MTU cost of an
additional tunnel, when I can store the needed data in the destination IP
address, and still get around the route limit in the modem.

I compiled the iptables userspace I already had against my shiny new
patched kernel, and lo and behold NETMAP works.  If anyone is interested
I can post more info on my crazy hack once it's completed.

Thanks to everyone who responded to me!

> > On Sun, Mar 14, 2004 at 10:57:18PM -0500, Nick Taylor wrote:
> > > I am posting a newbie question here, so I hope for your patience with me.
> > > ...
> > > Many, many netblocks are routed from our main office to the remote
> > > office.  The DSL modems we use, however, are only capable of storing 8
> > > routes, so we figured we could 1:1 NAT each of the subnets of interest
> > > into a large private space, send it across the DSL modems, and 1:1 NAT it
> > > back to the real IP addresses at the other end.  The other option we
> > > thought of was to use the modems as bridges, but it seems this would
> > > require a separate (physical) interface in the linux box at each end for
> > > each modem. While this solution would work right now, it doesn't scale
> > > well.
> > >
> > > So, enter NETMAP...
> > >
> > > ...


* patch-o-matic and modules
  2004-03-16  6:29     ` Nick Taylor
@ 2004-03-16  9:27       ` Ming-Ching Tiew
  2004-03-16  9:46         ` Frederic de Villamil
  0 siblings, 1 reply; 7+ messages in thread
From: Ming-Ching Tiew @ 2004-03-16  9:27 UTC (permalink / raw)
  To: netfilter


I have a question about kernel and patch-o-matic.

Assuming that I have a kernel 'vmlinuz' before applying 
patch-o-matic.

Then I go ahead to apply patch-o-matic patches, a few I 
have applied, say TTL and CONNMARK. Then I go ahead to 
recompile a new kernel but those new netfilter features I specify 
them as modules. Then I compile the new modules. In this 
example, I would get ipt_TTL.o and ipt_CONNMARK.o as result.

My question is what is the impact of using this ipt_CONNMARK.o
or ipt_TTL.o with the kernel 'vmlinuz' prior to applying patch-o-matic?
I tried loading it, it does not seem to have any problem. It got loaded.
There is also no error in the iptables commands.

Is it safe to use the new modules with the old kernel? Or must I only
use them with the new kernel?


* Re: patch-o-matic and modules
  2004-03-16  9:27       ` patch-o-matic and modules Ming-Ching Tiew
@ 2004-03-16  9:46         ` Frederic de Villamil
  0 siblings, 0 replies; 7+ messages in thread
From: Frederic de Villamil @ 2004-03-16  9:46 UTC (permalink / raw)
  To: Ming-Ching Tiew; +Cc: netfilter

Hi Ming-Ching!

On Tue, 16 Mar 2004, Ming-Ching Tiew wrote:

>
> I have a question about kernel and patch-o-matic.
>
> Assuming that I have a kernel 'vmlinuz' before applying
> patch-o-matic.
>
> Then I go ahead to apply patch-o-matic patches, a few I
> have applied, say TTL and CONNMARK. Then I go ahead to
> recompile a new kernel but those new netfilter features I specify
> them as modules. Then I compile the new modules. In this
> example, I would get ipt_TTL.o and ipt_CONNMARK.o as result.
>
> My question is what is the impact of using this ipt_CONNMARK.o
> or ipt_TTL.o with the kernel 'vmlinuz' prior to applying patch-o-matic?
> I tried loading it, it does not seem to have any problem. It got loaded.
> There is also no error in the iptables commands.
>
> Is it safe to use the new modules with the old kernel? Or must I only
> use them with the new kernel?
>

Hello,
as long as your old kernel is the same version as the new modules, I
don't see why you should encounter any trouble. One of the aims in
using modules with kernel is the possibility to compile new modules if
you add some new hardware, or if you patch the modules source without
having to recompile the whole stuff.

regards
Frederic.
--
Frederic de Villamil
http://www.seclab.jp
