Transport protocol agnostic way to multiplex ports and forward metainfo?

Alexander Huemer
Hi,

Word of caution: I reference netfilter in this email, please bear with
me.

I would like to create a network service that is available on multiple
ports on multiple transport protocols.
Since opening a lot of ports on the application layer is inefficient, I
would prefer to multiplex on the network layer, like this:

                       +----- pf
                       V

--> TCP port 1001 -->--+
                       |
--> TCP port 1002 -->--+--> TCP port 1001
                       |
--> TCP port 1003 -->--+

                       +----- pf
                       V

--> UDP port 2001 -->--+
                       |
--> UDP port 2002 -->--+--> UDP port 2001
                       |
--> UDP port 2003 -->--+

[Same possibly for SCTP, DCCP, ...]

Additionally I would like to be able to know in the application on which
port the connection reached the system originally.

I am aware of the following mechanisms that allow what I want to do in
netfilter on linux:

For TCP: Using a REDIRECT rule with a port range and getsockopt with
         SO_ORIGINAL_DST.

For UDP: Using a TPROXY rule with a port range and recvmsg, then consume
         ancillary message that is provided

For SCTP, DCCP, others: I don't know a way to do that in netfilter.

With pf, I don't know what the options are that I have.

So, my question is: In pf, is there a transport protocol agnostic way to
multiplex ports to an application, enabling the application to know on
which port the connection came in?

Any advice appreciated.

Kind regards,
-Alex
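The two netfilter mechanisms the post names (TCP: REDIRECT plus getsockopt SO_ORIGINAL_DST; UDP: TPROXY plus the ancillary message from recvmsg), worked through in C as an added example that is not part of this thread and does not answer the pf question. It assumes Linux with glibc, that the REDIRECT and TPROXY rules for the port ranges are already in place, and that the process has CAP_NET_ADMIN (required for IP_TRANSPARENT). sample_msghdr() is a constructed stand-in for what the kernel would deliver, so the cmsg walker can be exercised without TPROXY rules; the address 192.0.2.10 is a documentation address.

```c
#define _GNU_SOURCE          /* exposes IP_TRANSPARENT / IP_RECVORIGDSTADDR in <netinet/in.h> on glibc */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Linux values; fallbacks so the file also builds where the headers lack them. */
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80          /* from <linux/netfilter_ipv4.h>; needs conntrack + REDIRECT */
#endif
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19
#endif
#ifndef IP_RECVORIGDSTADDR
#define IP_RECVORIGDSTADDR 20
#endif
#ifndef IP_ORIGDSTADDR
#define IP_ORIGDSTADDR IP_RECVORIGDSTADDR
#endif

/* TCP: after accept(), ask conntrack which destination the client really
 * connected to before REDIRECT rewrote it. Port in host order, or -1 on error. */
int tcp_original_dst_port(int connfd, struct sockaddr_in *out)
{
    struct sockaddr_in orig;
    socklen_t len = sizeof orig;
    if (getsockopt(connfd, IPPROTO_IP, SO_ORIGINAL_DST, &orig, &len) < 0)
        return -1;
    if (out) *out = orig;
    return ntohs(orig.sin_port);
}

/* UDP: options that make TPROXY'd datagrams reach this socket and carry an
 * IP_ORIGDSTADDR ancillary message. */
int udp_enable_origdst(int fd)
{
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0) return -1;
    return setsockopt(fd, IPPROTO_IP, IP_RECVORIGDSTADDR, &one, sizeof one);
}

/* Walk the ancillary data of a recvmsg() result, skip unrelated cmsgs (e.g.
 * IP_TTL), refuse a truncated one, and return the original port or -1. */
int udp_original_dst_port(struct msghdr *msg, struct sockaddr_in *out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_ORIGDSTADDR) continue;
        if (c->cmsg_len < CMSG_LEN(sizeof(struct sockaddr_in))) return -1;
        struct sockaddr_in orig;
        memcpy(&orig, CMSG_DATA(c), sizeof orig);
        if (out) *out = orig;
        return ntohs(orig.sin_port);
    }
    return -1;   /* no TPROXY metadata: socket lacks IP_RECVORIGDSTADDR or rule did not match */
}

/* Constructed sample (not kernel output): the msghdr recvmsg() would fill in
 * for a datagram originally sent to `port`, with an IP_TTL cmsg in front so the
 * walker has something to skip. with_origdst == 0 leaves the metadata out. */
struct msghdr *sample_msghdr(uint16_t port, int with_origdst)
{
    static unsigned char cbuf[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(sizeof(struct sockaddr_in))];
    static struct msghdr msg;
    memset(cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;

    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    int ttl = 64;
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_TTL; c->cmsg_len = CMSG_LEN(sizeof ttl);
    memcpy(CMSG_DATA(c), &ttl, sizeof ttl);
    size_t used = CMSG_SPACE(sizeof ttl);

    if (with_origdst) {
        struct sockaddr_in sin;
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(port);
        inet_pton(AF_INET, "192.0.2.10", &sin.sin_addr);   /* documentation address */
        c = CMSG_NXTHDR(&msg, c);
        c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_ORIGDSTADDR; c->cmsg_len = CMSG_LEN(sizeof sin);
        memcpy(CMSG_DATA(c), &sin, sizeof sin);
        used += CMSG_SPACE(sizeof sin);
    }
    msg.msg_controllen = used;   /* as the kernel reports it after recvmsg() */
    return &msg;
}

/* Stand-alone usage: the "UDP port 2001" sink from the diagram. Every datagram
 * TPROXY'd from the 2001-2003 range reports the port it was actually sent to. */
int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || udp_enable_origdst(fd) < 0) { perror("socket/setsockopt (needs CAP_NET_ADMIN)"); return 1; }
    struct sockaddr_in local = { .sin_family = AF_INET, .sin_port = htons(2001), .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&local, sizeof local) < 0) { perror("bind"); return 1; }
    for (;;) {
        char data[1500], cbuf[CMSG_SPACE(sizeof(struct sockaddr_in))];
        struct iovec iov = { data, sizeof data };
        struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
        ssize_t n = recvmsg(fd, &msg, 0);
        if (n < 0) { perror("recvmsg"); return 1; }
        printf("%zd bytes, originally sent to port %d\n", n, udp_original_dst_port(&msg, NULL));
    }
}
```

The TCP helper is meant to be called on the connected socket returned by accept() on the REDIRECT target port (1001 in the diagram); it only works when conntrack still holds the entry, so call it right after accept(). Both helpers return -1 rather than a guessed port when the metadata is missing, which is the case a multiplexed service must handle explicitly rather than assume the listening port.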
Re: Transport protocol agnostic way to multiplex ports and forward metainfo?

Alexander Huemer
On Tue, May 01, 2018 at 06:18:30PM +0200, Alexander Huemer wrote:

> Word of caution: I reference netfilter in this email, please bear with
> me.
>
> I would like to create a network service that is available on multiple
> ports on multiple transport protocols.
> Since opening a lot of ports on the application layer is inefficient, I
> would prefer to multiplex on the network layer, like this:
>
>                        +----- pf
>                        V
>
> --> TCP port 1001 -->--+
>                        |
> --> TCP port 1002 -->--+--> TCP port 1001
>                        |
> --> TCP port 1003 -->--+
>
>                        +----- pf
>                        V
>
> --> UDP port 2001 -->--+
>                        |
> --> UDP port 2002 -->--+--> UDP port 2001
>                        |
> --> UDP port 2003 -->--+
>
> [Same possibly for SCTP, DCCP, ...]
>
> Additionally I would like to be able to know in the application on which
> port the connection reached the system originally.
>
> I am aware of the following mechanisms that allow what I want to do in
> netfilter on linux:
>
> For TCP: Using a REDIRECT rule with a port range and getsockopt with
>          SO_ORIGINAL_DST.
>
> For UDP: Using a TPROXY rule with a port range and recvmsg, then consume
>          ancillary message that is provided
>
> For SCTP, DCCP, others: I don't know a way to do that in netfilter.
>
> With pf, I don't know what the options are that I have.
>
> So, my question is: In pf, is there a transport protocol agnostic way to
> multiplex ports to an application, enabling the application to know on
> which port the connection came in?
>
> Any advice appreciated.
Since I still haven't found a way to do that, I'd like to bump the topic.
Does anybody here have any ideas how to approach this?

Thanks,
-Alex