field | value | date
---|---|---
author | Federico G. Schwindt <fgsch@cvs.openbsd.org> | 2001-01-17 07:43:34 +0000
committer | Federico G. Schwindt <fgsch@cvs.openbsd.org> | 2001-01-17 07:43:34 +0000
commit | a24f4e148be5373e4a47ba586ad3bc84786ec5b0 (patch) |
tree | 62e031fe76aef71b6a7558e8d2f626f017117cdd /sbin/ipnat/ipnat.5 |
parent | bb961a694b24081f5b1b1e9bd828a6c0e15be182 (diff) |
nice page to start with; load balancing added here.
Diffstat (limited to 'sbin/ipnat/ipnat.5')
-rw-r--r-- | sbin/ipnat/ipnat.5 | 62 |
1 files changed, 56 insertions, 6 deletions
diff --git a/sbin/ipnat/ipnat.5 b/sbin/ipnat/ipnat.5 index bfca4f99888..aec4db4033e 100644 --- a/sbin/ipnat/ipnat.5 +++ b/sbin/ipnat/ipnat.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipnat.5,v 1.15 2000/04/26 21:04:00 deraadt Exp $ +.\" $OpenBSD: ipnat.5,v 1.16 2001/01/17 07:43:33 fgsch Exp $ .\" .TH IPNAT 5 .SH NAME @@ -10,14 +10,24 @@ The format for files accepted by ipnat is described by the following grammar: ipmap :: = mapblock | redir | map . map ::= mapit ifname ipmask "->" ipmask [ mapport ] . +map ::= mapit ifname fromto "->" ipmask [ mapport ] . mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] . redir ::= "rdr" ifname [ fromspec ] ipmask "->" ip [ ports ] [ tcpudp ] . + +dport ::= "port" portnum [ "-" portnum ] . ports ::= "ports" numports | "auto" . mapit ::= "map" | "bimap" . +fromto ::= "from" object "to" object . ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . mapport ::= "portmap" tcpudp portnumber ":" portnumber . +options ::= [ tcpudp ] [ rr ] . + +object = addr [ port-comp | port-range ] . +addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . +port-comp = "port" compare port-num . +port-range = "port" port-num range port-num . -fromspec ::= "from" ip "/" ipmask . +rr ::= "round-robin" . tcpudp ::= "tcp" | "udp" | "tcp/udp" . portnumber ::= number { numbers } | "auto" . ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . 
@@ -62,10 +72,26 @@ squeeze the addresses to be translated into the destination range. .SH MATCHING .PP For basic NAT and redirection of packets, the address subject to change is used -along with its protocol to check if a packet should be altered. In the case -of redirects, it is also possible to select packets on a source address basis -using the \fBfrom\fP keyword, as well as the manditory destination port. The -packet \fImatching\fP part of the rule is to the left of the "->" in each rule. +along with its protocol to check if a packet should be altered. The packet +\fImatching\fP part of the rule is to the left of the "->" in each rule. +.PP +Matching of packets has now been extended to allow more complex compares. +In place of the address which is to be translated, an IP address and port +number comparison can be made using the same expressions available with +\fBipf\fP. A simple NAT rule could be written as: +.LP +.nf +map de0 10.1.0.0/16 -> 201.2.3.4/32 +.fi +.LP +or as +.LP +.nf +map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32 +.fi +.LP +Only IP address and port numbers can be compared against. This is available +with all NAT rules. .SH TRANSLATION .PP To the right of the "->" is the address and port specificaton which will be 
@@ -95,6 +121,30 @@ True transparent proxying should be performed using the redirect (\fBrdr\fP) rules directing ports to localhost (127.0.0.1) with the proxy program doing a lookup through \fB/dev/ipnat\fP to determine the real source and address of the connection. +.SH LOAD-BALANCING +.PP +Two options for use with \fBrdr\fP are available to support primitive, +\fIround-robin\fP based load balancing. The first option allows for a +\fBrdr\fP to specify a second destination, as follows: +.LP +.nf +rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp +.fi +.LP +This would send alternate connections to either 203.1.2.3 or 203.1.2.4. +In scenarios where the load is being spread amongst a larger set of +servers, you can use: +.LP +.nf +rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin +rdr le0 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin +.fi +.LP +In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4 +and then 203.1.2.5 before going back to 203.1.2.3. In accomplishing this, +the rule is removed from the top of the list and added to the end, +automatically, as required. This will not effect the display of rules +using "ipnat -l", only the internal application order. .SH EXAMPLES .PP This section deals with the \fBmap\fP command and it's variations. |
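Review bot: in the grammar hunk (@@ -10,14 +10,24 @@) the `fromspec` production is deleted, but the unchanged `redir ::= "rdr" ifname [ fromspec ] ipmask ...` line still refers to it, so the grammar now has a dangling nonterminal; either keep `fromspec` or rewrite `redir` in terms of the new `fromto`/`object` forms. The same hunk adds a second `map ::=` production next to the existing one instead of folding the alternative into it (the rest of the grammar expresses alternatives with `|`, e.g. `ports ::= "ports" numports | "auto"`), and the new `options`, `dport` and `rr` productions are not referenced by `redir` or `map`, even though the LOAD-BALANCING text below uses `round-robin` on `rdr` rules. Notation also drifts: `object`, `addr`, `port-comp` and `port-range` use `=` where everything else uses `::=`, and `port-num`, `nummask`, `host-name`, `compare`, `range`, `ipaddr` and `hexnumber` are used without being defined alongside the existing `portnum`/`portnumber`.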
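Review bot: in the MATCHING hunk (@@ -62,10 +72,26 @@) the deleted sentence was the only place that said the destination port is mandatory for `rdr` rules; if that constraint still holds it should be restated, since the replacement text only says that address and port comparisons are available "with all NAT rules". "Matching of packets has now been extended" is temporal wording that will read oddly in a manual page once the feature is old; "Matching of packets may use more complex compares" says the same without the "now". The reference to "the same expressions available with \fBipf\fP" would be more useful as a cross-reference to the ipf(5) page where those expressions are defined. While here, the trailing context line still spells "specificaton".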
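Review bot: in the LOAD-BALANCING hunk (@@ -95,6 +121,30 @@) the statement that a round-robin rule "is removed from the top of the list and added to the end" does not say which list: if a rotated rule moves to the end of the whole `rdr` rule set rather than among the round-robin rules for that destination, any other `rdr` rule matching the same traffic would start taking precedence after the first rotation, which an administrator needs to know when ordering rules. The examples use a comma-separated destination list (`-> 203.1.2.3,203.1.2.4`) and the trailing `round-robin` keyword, neither of which the `redir` production in the grammar hunk can derive (`ip` is a single address and `[ options ]` is never attached to `redir`); the grammar and these examples should agree. Also "This will not effect the display of rules" should be "affect", and `"ipnat -l"` could use the page's `\fB...\fP` convention like the other command references.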