Enable creating nodes behind NATs and/or firewalls #1299
Comments
mxinden
changed the title
|
Updated to "NATs and/or firewalls" in title and issue. Hope you don't mind @BigLep. A first iteration could add firewall support only. |
|
Testing all variants of NATs (according the classification in RFC4787) is rather difficult on Linux's Netfilter as the Netfilter SNAT/DNAT & Masquerade targets are tightly coupled with Netfilters conntrack sub-system. And since conntrack is strictly connection based (5-tuple) it seems a bit difficult to configure e.g. a Full-cone NAT with it as conntrack will only classify ingress packets to the same related connection if the tuple matches. I am not 100% certain that my understanding is here correct. But after an evening of research I did not manage to setup the various NAT-types using Netfilter alone. Using a different data-plane like VPP or OVS might be a work-around. I also thought about implementing my own NAT userspace daemon which configures Netfilter NAT rules based on conntrack events. After all, I am using Gont to build test network topologies using Go and Linux's network namespaces. |
|
Furthermore, there are some third-part Netfilter extensions which implement a full-cone NAT: And also NAT implementations implemented in BPF like Cilium is doing it. |
Done Criteria
It's possible to create a test-plan where two-or-more nodes can be behind two-or-more NATs and/or firewalls.
Why Important
This is needed in order to validate project flare (hole-punching) in libp2p (e.g., libp2p/go-libp2p#1039 ). Without this, it's difficult for libp2p to have confidence it won't regress on this functionality. libp2p consumers like IPFS, Lotus, etc. want to have confidence that the functionality will continue to work once it's enabled by default.
User/Customer
First/primary customer is the libp2p team working on hole-punching.
Notes
The text was updated successfully, but these errors were encountered: