Hi,
Word of caution: I reference netfilter in this email, please bear with me.

I would like to create a network service that is available on multiple ports on multiple transport protocols.
Since opening a lot of ports on the application layer is inefficient, I would prefer to multiplex on the network layer, like this:

      +----- pf
      V

--> TCP port 1001 -->--+
                       |
--> TCP port 1002 -->--+--> TCP port 1001
                       |
--> TCP port 1003 -->--+

      +----- pf
      V

--> UDP port 2001 -->--+
                       |
--> UDP port 2002 -->--+--> UDP port 2001
                       |
--> UDP port 2003 -->--+

[Same possibly for SCTP, DCCP, ...]

Additionally I would like to be able to know in the application on which port the connection reached the system originally.

I am aware of the following mechanisms that allow what I want to do in netfilter on Linux:

For TCP: Using a REDIRECT rule with a port range and getsockopt with SO_ORIGINAL_DST.

For UDP: Using a TPROXY rule with a port range and recvmsg, then consuming the ancillary message that is provided.

For SCTP, DCCP, others: I don't know a way to do that in netfilter.

With pf, I don't know what the options are that I have.

So, my question is: In pf, is there a transport protocol agnostic way to multiplex ports to an application, enabling the application to know on which port the connection came in?

Any advice appreciated.

Kind regards,
-Alex
On Tue, May 01, 2018 at 06:18:30PM +0200, Alexander Huemer wrote:
> Word of caution: I reference netfilter in this email, please bear with
> me.
>
> I would like to create a network service that is available on multiple
> ports on multiple transport protocols.
> Since opening a lot of ports on the application layer is inefficient, I
> would prefer to multiplex on the network layer, like this:
>
>       +----- pf
>       V
>
> --> TCP port 1001 -->--+
>                        |
> --> TCP port 1002 -->--+--> TCP port 1001
>                        |
> --> TCP port 1003 -->--+
>
>       +----- pf
>       V
>
> --> UDP port 2001 -->--+
>                        |
> --> UDP port 2002 -->--+--> UDP port 2001
>                        |
> --> UDP port 2003 -->--+
>
> [Same possibly for SCTP, DCCP, ...]
>
> Additionally I would like to be able to know in the application on which
> port the connection reached the system originally.
>
> I am aware of the following mechanisms that allow what I want to do in
> netfilter on Linux:
>
> For TCP: Using a REDIRECT rule with a port range and getsockopt with
> SO_ORIGINAL_DST.
>
> For UDP: Using a TPROXY rule with a port range and recvmsg, then consuming
> the ancillary message that is provided.
>
> For SCTP, DCCP, others: I don't know a way to do that in netfilter.
>
> With pf, I don't know what the options are that I have.
>
> So, my question is: In pf, is there a transport protocol agnostic way to
> multiplex ports to an application, enabling the application to know on
> which port the connection came in?
>
> Any advice appreciated.

Does anybody here have any ideas how to approach this?

Thanks,
-Alex
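As an added example that is not part of the thread, this pf.conf fragment expresses the TCP and UDP fan-in from the diagram above with rdr-to and a port range; the interface name and the listener address are assumptions, and SCTP/DCCP are left out because pf port matching covers only TCP and UDP.

```pf
# Added example, not from the thread. Interface and listener address are assumed.
ext_if   = "em0"
svc_addr = "127.0.0.1"

# TCP 1001-1003 on the external interface are all delivered to the single
# listener on TCP 1001; pf keeps the pre-translation destination in its state.
pass in on $ext_if inet proto tcp to ($ext_if) port 1001:1003 \
    rdr-to $svc_addr port 1001

# UDP 2001-2003 likewise collapse onto the single listener on UDP 2001.
pass in on $ext_if inet proto udp to ($ext_if) port 2001:2003 \
    rdr-to $svc_addr port 2001
```

The application can recover the original destination port from the pf state table with the DIOCNATLOOK ioctl on /dev/pf (documented in pf(4)), which is how ftp-proxy(8) learns the pre-redirect address of a connection.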