Please test: http://antigreen.org/vadim/freebsd/ng_nat/ (I've run it for a
week on a production 6.2 router without any problems).

This is a patched version of ng_nat(4) for FreeBSD 6.x, providing support
for all libalias(3) features, especially port redirections (until now,
ng_nat(4) has supported only the basic functionality of the

To compile the kernel module:

$ make

To load it into the running kernel:

$ kldload ./ng_nat.ko

To view the man page documenting the new messages:

$ tbl ng_nat.4 | nroff -man | more

Also included is a convenient rcNG-style boot script, ng_nat.sh,
which makes it easy to configure ng_nat(4) nodes and ipfw(8) from
It is based on Eugene Grosbein's version and heavily modified by me.

Example for two nodes from /etc/rc.conf:

ng_nat_nodes="simple full" # list of node names

# Simple example - all we need is only three lines
ng_nat_simple_interface="em1" # take IP addr from "em1"
ng_nat_simple_cookies="50 51" # ipfw's "netgraph" arguments, "in" then
ng_nat_simple_ipfw_rules="80 90" # ipfw rule numbers to create, "in" then

# More complex example, in which we need custom ipfw(8) rules for several
# selected networks (default rule will catch all) and setup some
ng_nat_full_interface="" # external alias address
ng_nat_full_cookies="60 61"

# for custom rules these numbers are used only for deletion on shutdown;
# these can duplicate and be more than two
ng_nat_full_ipfw_rules="172 172 182"

# Actual custom rules - if not defined, rules are created automatically
ng_nat_full_ipfw_rule0="172 netgraph 60 ip from to any out xmit em0"
ng_nat_full_ipfw_rule1="172 netgraph 60 ip from to any out xmit em0"
ng_nat_full_ipfw_rule2="182 netgraph 61 ip from any to in recv em0"

# Set natd(8)-like flags for node (if not specified, node uses
# Available flags are: log, deny_incoming, same_ports, unregistered_only,
# proxy_only, reverse, reset_on_addr_change. The last is new and means that
# after aliasing address change internal table should be cleared (breaks
# current connections like node restart).
ng_nat_full_set_mode="same_ports unregistered_only"

# Set target address for any unspecified incoming traffic, like "natd -t"

# Set up several redirection rules, each can have an optional description
# string of up to 63 chars in length. DNS hostnames are disallowed.

# natd(8) -redirect_port
ng_nat_full_redirect_port0="tcp 222"
ng_nat_full_redirect_port1="udp 3300-3399"
ng_nat_full_redirect_port1_description="For P2P and VoIP apps"

# -redirect_proto and -redirect_address (including LSNAT) can be
# specified the same way, if needed, as well as -proxy_rule.

The script also supports additional command-line keywords, along with
"start" and "stop" ones. They include "redirect_port", "redirect_proto" and
"redirect_address", along with "list_redirects". The format is:

$ /path/to/ng_nat.sh [arguments]


$ /etc/rc.d/ng_nat.sh redirect_port full tcp 8080

This allows adding redirections "on the fly" without needing to restart the
entire node, which would break current connections.

The "list_redirects" keyword prints a table of all redirects (no matter what
type) in a pretty human-readable format. This can be used to obtain the ID of
a specific redirection to make it dynamic or delete it "on the fly":

$ ngctl msg full: redirectdelete 3 # delete redirection with ID number 3

Enjoy! ;-)

WBR, Vadim Goncharov
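
The post states two constraints on redirect entries: a description of at most 63 characters, and no DNS hostnames. The following is an added example, not part of the original post or of ng_nat.sh, that checks an entry against both before it goes into /etc/rc.conf. The names check_redirect and MAX_DESC are hypothetical, and the check assumes natd(8)-style specs whose words after the protocol are purely numeric.

```shell
#!/bin/sh
# Pre-flight check for rc.conf redirect settings (added example).
# Assumption: natd(8)-style specs, where the first word is the protocol and
# the remaining words contain only numeric addresses, ports, ranges and
# comma-separated LSNAT lists.

MAX_DESC=63   # description length limit stated in the post

# check_redirect SPEC [DESCRIPTION]
# Prints "ok" or the reason for rejection; returns 0 only when acceptable.
check_redirect() {
    spec=$1
    desc=${2-}
    if [ "${#desc}" -gt "$MAX_DESC" ]; then
        echo "description too long (${#desc} > $MAX_DESC)"
        return 1
    fi
    set -f            # no globbing while splitting the spec into words
    set -- $spec
    set +f
    if [ "$#" -lt 2 ]; then
        echo "spec needs a protocol and at least one address/port word"
        return 1
    fi
    shift             # drop the protocol word (tcp, udp, ...)
    for word in "$@"; do
        case $word in
            *[!0-9.:,-]*)
                echo "non-numeric word '$word' (DNS hostname?)"
                return 1 ;;
        esac
    done
    echo "ok"
}

# Constructed sample entries; the second uses a hostname and is rejected.
check_redirect "udp 3300-3399" "For P2P and VoIP apps"
check_redirect "tcp gw.example.org:22 222" || true
```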