Hi,
Word of caution: I reference netfilter in this email, please bear with
me.
I would like to create a network service that is available on multiple
ports on multiple transport protocols.
Since opening a lot of ports on the application layer is inefficient, I
would prefer to multiplex on the network layer, like this:
+----- pf
V
--> TCP port 1001 -->--+
|
--> TCP port 1002 -->--+--> TCP port 1001
|
--> TCP port 1003 -->--+
+----- pf
V
--> UDP port 2001 -->--+
|
--> UDP port 2002 -->--+--> UDP port 2001
|
--> UDP port 2003 -->--+
[Same possibly for SCTP, DCCP, ...]
Additionally I would like to be able to know in the application on which
port the connection reached the system originally.
I am aware of the following mechanisms that allow what I want to do in
netfilter on linux:
For TCP: Using a REDIRECT rule with a port range and getsockopt with
SO_ORIGINAL_DST.
For UDP: Using a TPROXY rule with a port range and recvmsg, then consume
ancillary message that is provided
For SCTP, DCCP, others: I don't know a way to do that in netfilter.
With pf, I don't know what the options are that I have.
So, my question is: In pf, is there a transport protocol agnostic way to
multiplex ports to an application, enabling the application to know on
which port the connection came in?
Any advise appreciated.
Kind regards,
-Alex
Locked
signature.asc (836 bytes)