Comparing PF and iptables on Mac OS

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Yesterday a colleague asked me how to configure policy routing on a Mac. I didn't know either! I had always wanted to play with the Mac's networking features because of real needs like his, but I was always distracted by its flashy appearance. Today's question gave me the urge to study it. Fortunately the computers at home are Macs (I am not an Apple fan, but my wife is). After taking my daughter to her early-education class on the weekend, I could finally relax and play...

Under its gorgeous appearance, Mac OS is a tank: its kernel carries the academic noble lineage of BSD UNIX, and we all know how strong UNIX networking is and how closely TCP/IP and UNIX are tied together. One cannot help admiring the Mac: UNIX wearing the outfit of a fashionable office lady, what a conquest!

My experimental topology is as follows:

The iMac simulates a terminal (WiFi off), the Macbook simulates a router (WiFi on), and the two computers are connected by a network cable.

First I want NAT configured on the Macbook so that packets sent from the iMac get their source address translated, treating the iMac side as the intranet. This should be dynamic NAT, something like Linux MASQUERADE. The Macbook's WiFi interface is connected to my home router, so I need SNAT on packets leaving the WiFi port en1, similar to Linux's -o en1 -j MASQUERADE. I know BSD can be configured in several ways; there is a tool similar to iptables on Linux, namely pf, and editing /etc/pf.conf is the best way to configure it, because pfctl checks the rule syntax and catches a lot of errors for you. The requirement above is met by the following configuration:

nat on en1 from 172.16.4.0/24 to any -> en1

Here 172.16.4.0/24 is the segment where the iMac sits, the intranet, and en1 carries the so-called extranet address 192.168.1.108. Both en1 and the address fields can actually be written as variables; I wrote them out directly for simplicity, and I will compare the variable form with iptables and Cisco later. Then run pfctl -e -f /etc/pf.conf and you are done! At this point pinging the router 192.168.1.1 from the iMac works, but the intranet cannot be pinged from the router: this is obviously one-way translation. For two-way translation you need a one-to-one mapping, which BSD achieves with binat; on the command side it just adds the bi prefix to distinguish it from nat. Let's look at the binat configuration:

binat on en1 from 172.16.4.10 to any -> 172.16.4.30

This establishes a one-to-one mapping: whether the connection is initiated from the router or from the iMac, the address is translated. This is the function my last article spent a lot of effort achieving on Linux; BSD and Cisco both complete this configuration easily, while on Linux it is very hard, and even RAWNAT still needs two rules!!! PF's one-to-one NAT also has a built-in match, but you can override it with any, and most importantly it stands alone as binat rather than being a configuration option of nat.
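As an added example (not the article's own file or the pf project's code), here is a complete pf.conf that puts the two rules above into macros, plus the commands to syntax-check and load it. It assumes en0 is the wired LAN port, that 192.168.1.120 is a free address on the home LAN for the one-to-one mapping, and writes to /tmp/pf.conf.example; all three are my assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not from the article. Builds a pf.conf in which addresses
# and interfaces are macros, then syntax-checks and loads it.
# Assumptions: en1 is the WiFi uplink, en0 the wired LAN port, 172.16.4.0/24
# the wired LAN, 172.16.4.10 the host that gets a one-to-one mapping and
# 192.168.1.120 a free address on the home LAN used for that mapping.

# Print a complete pf.conf to stdout. Order matters to pfctl: macros,
# then translation rules (nat/binat), then filter rules.
build_pf_conf() {
    ext_if="${1:-en1}"
    int_if="${2:-en0}"
    int_net="${3:-172.16.4.0/24}"
    binat_host="${4:-172.16.4.10}"
    binat_pub="${5:-192.168.1.120}"
    cat <<EOF
# policy lives in macros; the rules below never need editing to change it
ext_if = "$ext_if"
int_if = "$int_if"
int_net = "$int_net"
binat_host = "$binat_host"
binat_pub = "$binat_pub"

# dynamic source NAT, the MASQUERADE equivalent; (\$ext_if) in parentheses
# makes pf re-read the interface address whenever DHCP changes it
nat on \$ext_if from \$int_net to any -> (\$ext_if)

# one-to-one bidirectional mapping; connections may start from either side
binat on \$ext_if from \$binat_host to any -> \$binat_pub

# no "block" rule here: the article's setup relies on pf's default pass,
# so these rules only add state tracking for the forwarded traffic
pass in on \$int_if from \$int_net to any keep state
pass out on \$ext_if all keep state
EOF
}

# Syntax-check first (pfctl -n parses without loading), then enable
# forwarding, enable pf and load the rules. Needs root on the router.
load_pf_conf() {
    conf="$1"
    pfctl -nf "$conf" || return 1
    sysctl -w net.inet.ip.forwarding=1
    pfctl -e 2>/dev/null || true    # "already enabled" is not a failure
    pfctl -f "$conf"
    pfctl -s nat                    # show the translation rules as loaded
}

conf_file="${PF_CONF_OUT:-/tmp/pf.conf.example}"
build_pf_conf > "$conf_file"
if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    load_pf_conf "$conf_file"
else
    echo "wrote $conf_file; run as root on the router to load it"
fi
```

Changing the intranet or the mapped host now means editing one macro line; pfctl -nf reports a syntax error before anything touches the running rule set, and pfctl -s state afterwards shows the translated flows.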

With NAT done: whatever I try, I first succeed with a minimal setup and then expand slowly, and my first encounter with iptables went the same way. I have always wondered why iptables does not implement one-to-one address translation. Note that Netfilter is only a framework and can do anything you want, so I blame iptables, not Netfilter. This is a basic requirement: imagine a web server in the DMZ that provides external services and also needs to actively reach other external resources, which is very common in cloud environments. Without one-to-one NAT, how many resources does ip_conntrack alone consume, when maintaining a flow just to translate one address is unnecessary? Any other operating system implements this easily; why not Linux? Another question is why Mac OS does not expose common features such as adding multiple IPs to a network card. My guess: Windows is a relatively moderate system; it lets you add multiple addresses but has no powerful tools like iptables or iproute2, and even netsh is of little value. Linux and Mac OS, by contrast, are more extreme, especially Mac OS, which assumes its users are not people who love to tinker with the network; an office lady or a suit in sunglasses does not sit chin in hand configuring policy routing... Yet it provides almost the complete BSD command set on the command line. The designers assume that if a Mac buyer is a techie like me, he will bring up the command line first, and once he does, everything is in front of him. So is it necessary to put multiple IPs, which are basically never used, into the GUI? Apple's people deserve appreciation!
Windows and Linux should learn from this. I won't mention heavyweight UNIX (AIX, HP-UX), because Windows and Linux people generally never touch it; Windows needs no introduction, and Linux is also a popular system, especially since the Android era. A supplement to this paragraph: I have said so much about adding a secondary IP on Mac OS, so how is it done? ifconfig enX $ip/$mask alias is enough; the keyword is alias!

Now for the most critical part of this article: which is better, pf configuration or iptables configuration? This is not a matter of opinion; it can be said without hesitation that iptables is completely defeated! Anyone who has written iptables rule-control scripts knows the headache: you have to write a rule for each idea, and then the nightmare begins, because you must always keep track of when to delete that rule, and make sure the deletion is clean. Complex business logic often makes this hard to guarantee, so you end up simplifying the business logic to accommodate iptables. Why is this?

The root cause is that iptables does not separate mechanism from policy at the level of an individual rule. Because the policy is not configurable, the atomic unit of operation in iptables is the rule itself; you cannot parameterize a match or a target. For example:

iptables -A FORWARD -s 1.1.1.1 -d 2.2.2.2 -p tcp -j DROP

Once this rule is set, if one day the target you control is no longer 2.2.2.2 but 3.3.3.3, you must delete the rule and add a new one; you cannot add, delete or change the match pairs. A rule contains a piece of decision logic, and the specifics of that logic should be parameterized so that it is flexible. For the example rule, the logic is: TCP packets from somewhere to somewhere must be dropped. That is all. What the "somewhere" in that sentence is should be configurable.

BSD PF does this by supporting parameterized configuration concepts such as variables and macros. Things like the IP addresses in the NAT configuration above can be defined just as in a BASH script. The missing "rule operation plane" in iptables is indeed its deep wound, but that is no reason to write it off entirely. ipset is one effort to make up for the lack: the definition of the set of IPs to match is handed over to the ipset program. One can imagine many more sets, such as protoset, portset, stateset... Cisco's NAT configuration shows a similar idea: Cisco separates ACL from NAT, and the ACL is only responsible for matching.
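To make the "rule is the atom" problem and the ipset remedy concrete, here is an added example (not code from the article): the hard-coded FORWARD rule above, retargeted the iptables way, next to an ipset-backed version where only the set members change. The set name blocked_dst is my own choice, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the article. The article's hard-coded FORWARD rule
# next to an ipset-backed version in which the "somewhere" of the rule is a
# named set, so retargeting never deletes or re-adds the rule.
# The set name blocked_dst and the addresses 1.1.1.1/2.2.2.2/3.3.3.3 are
# constructed; applying the commands needs root and the ipset package on Linux.

# Print each command unless APPLY=1, so the script can be read and run
# safely on a machine that is not the firewall.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# iptables as the article describes it: the rule is the atom. Moving the
# target from old_dst to new_dst means deleting the old rule with its exact
# original match (get one token wrong and the stale rule silently stays)
# and appending a new one.
retarget_hardcoded() {
    src="$1"; old_dst="$2"; new_dst="$3"
    run iptables -D FORWARD -s "$src" -d "$old_dst" -p tcp -j DROP
    run iptables -A FORWARD -s "$src" -d "$new_dst" -p tcp -j DROP
}

# ipset, step 1 (done once): the match names a set instead of an address,
# which is the parameterized match the article misses in iptables.
install_set_rule() {
    src="$1"; setname="$2"
    run ipset create "$setname" hash:ip -exist
    run iptables -A FORWARD -s "$src" -p tcp -m set --match-set "$setname" dst -j DROP
}

# ipset, step 2 (as often as the policy changes): only the set members move.
# -exist makes both operations idempotent, so re-running a script is safe.
retarget_set() {
    setname="$1"; old_dst="$2"; new_dst="$3"
    run ipset del "$setname" "$old_dst" -exist
    run ipset add "$setname" "$new_dst" -exist
}

# Walk through the article's scenario: 2.2.2.2 is replaced by 3.3.3.3.
echo "# iptables only:"
retarget_hardcoded 1.1.1.1 2.2.2.2 3.3.3.3
echo "# iptables + ipset:"
install_set_rule 1.1.1.1 blocked_dst
retarget_set blocked_dst 2.2.2.2 3.3.3.3
```

In the ipset version the rule never changes after installation, so the "is the deletion clean?" question disappears; ipset list blocked_dst shows the current policy and iptables -L FORWARD -n the unchanged mechanism.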

That is not to say PF has no shortcomings. Its configuration is too complicated; take policy routing: which port the packet comes in on and which port it goes out of. PF implements this by introducing a series of hard-coded configuration options, route-to and reply-to. By that logic, every type of configuration needs its own parameter, which is not appropriate. Linux, on the contrary, does a good job: it implements policy routing through the mark mechanism. Netfilter's nf-mark can mark a flow, and ip rule fwmark then makes policy routing easy to configure. Policy routing itself is not iptables' responsibility; iptables only sets the mark and does not care how it is used. Policy routing is a separate implementation in Linux that has nothing to do with Netfilter. PF is different, even though it also has a tag mechanism similar to mark; I think introducing configuration parameters for routing is the wrong approach. Apart from parameterization of matches, the rest of PF seems really messy: almost everything can be done with PF, NAT is just an action parallel to PASS and BLOCK, and things like proxying all have their own configuration parameters. I think these could be separated out with tags.
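The two designs side by side, as an added example rather than configuration from the article: the Linux mark plus ip rule plus routing table layering, and the PF route-to/reply-to rule where the next hop is a parameter of the filter rule. Interface names, the 192.168.1.1 gateway, mark 0x1 and table 100 are constructed values; commands are only printed unless APPLY=1.

```shell
#!/bin/sh
# Added example, not part of the article: the same goal, "traffic that
# entered on the LAN port leaves via the WiFi uplink's gateway", written the
# Linux way (mark + ip rule + routing table) and the PF way (route-to /
# reply-to). Interface names, 172.16.4.0/24, the gateway 192.168.1.1, the
# mark 0x1 and table 100 are constructed values.

# Print each command unless APPLY=1 (applying needs root on the router).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Linux: three independent layers that only share a number. Netfilter sets
# the mark, the routing policy database maps the mark to a table, and the
# table holds the path. Any one layer can be changed without the others.
linux_policy_route() {
    lan_if="$1"; lan_net="$2"; wan_if="$3"; gw="$4"; mark="$5"; table="$6"
    run iptables -t mangle -A PREROUTING -i "$lan_if" -s "$lan_net" -j MARK --set-mark "$mark"
    run ip rule add fwmark "$mark" lookup "$table" priority 100
    run ip route add default via "$gw" dev "$wan_if" table "$table"
}

# PF: the next hop is a parameter of the filter rule itself, which is the
# design the article objects to. reply-to does the mirror image for
# connections that arrived on the uplink. Output is a pf.conf fragment.
pf_policy_route() {
    lan_if="$1"; lan_net="$2"; wan_if="$3"; gw="$4"
    cat <<EOF
lan_if = "$lan_if"
lan_net = "$lan_net"
wan_if = "$wan_if"
gw = "$gw"
pass in on \$lan_if route-to (\$wan_if \$gw) from \$lan_net to any keep state
pass in on \$wan_if reply-to (\$wan_if \$gw) from any to \$lan_net keep state
EOF
}

echo "# Linux (commands):"
linux_policy_route eth0 172.16.4.0/24 wlan0 192.168.1.1 0x1 100
echo "# PF (pf.conf fragment):"
pf_policy_route en0 172.16.4.0/24 en1 192.168.1.1
```

On Linux, ip rule show and ip route show table 100 let you inspect each layer separately; on the Mac, pfctl -sr shows the loaded rule with its route-to target baked in, which is exactly the coupling the paragraph above complains about.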

Before I met PF I always regarded iptables as a treasure. It really is! PF is attractive because of the maintainability of its configuration. If you have a Mac, you really do have a UNIX to mess with however you like, and BSD UNIX has great networking capabilities.
