commit ec850656033ada18d8b9ba9a9085a011616c25e4 Author: Stuart Longland Date: Thu Sep 27 21:58:19 2018 +1000 Initial check-in. diff --git a/COPYING b/COPYING new file mode 100644 index 0000000..601b5f5 --- /dev/null +++ b/COPYING @@ -0,0 +1,2 @@ +GNU General Public License, version 2 or any later version. +See GPL-2 or GPL-3 for the full text of these licenses. diff --git a/README.md b/README.md new file mode 100644 index 0000000..d5a5369 --- /dev/null +++ b/README.md 
@@ -0,0 +1,39 @@ +ABSURD: A bewilderingly silly userspace routing daemon +====================================================== + +ABSURD is a TCP/IP routing and firewalling tool for performing stateful +firewalling and routing of IP traffic according to configurable rules. + +Right now, no code exists, but the idea is as follows: + +- The daemon will consist of a core packet switch which listens on a `tun` + interface and exposes some virtual subnets to the host, whilst providing an + interface to those subnets via a Unix-domain socket. + +- Plug-in applications then connect to the Unix-domain socket and can + "register" interest in receiving particular subsets of the traffic routed to + the virtual subnet. They can also bind to virtual addresses on those + subnets to be able to initiate communications. + +Some possible applications: +- Stateful NAT64 (RFC-6146) and NAT46 (draft-liu-behave-nat46-02), including + cross-protocol port forwarding. +- DNS64 (RFC-6147) +- PCP (RFC-6887) +- SNI-based routing, so your TLS server's logs show an IPv6 address derived + from the address of the IPv4 client for auditing purposes, instead of the IP + address of your SNI proxy server. +- Application-level firewalling (e.g. let your Wordpress blog access Wordpress + for security updates without having to know every IP they host sites on), +- Deep-packet inspection. + +This is obviously not a replacement for netfilter, pf or any other firewall +you care to name. It's a compliment to it. Passing packets in and out of +userspace has the distinct downside of performance penalties, thus for high +performance routing, any kernel solution is going to run rings around this. + +That said, on small home/business networks, the Internet link is typically +100Mbps or less, and even a Raspberry Pi packs a decent amount of computing +oomph. Likely, we should be able to keep up with most small Internet +connections. 
The aim will be for something that can keep up with ADSLv2 and +similar grade links on modest hardware.
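Review bot: COPYING line 2 points readers at files named GPL-2 and GPL-3, but the diff as shown here only adds COPYING and README.md, so the reference dangles unless those files arrive elsewhere in this commit. Either include the full license texts under those names in the same check-in or reword the line to say where the texts can be found. An SPDX identifier such as GPL-2.0-or-later in COPYING would also make the "version 2 or any later version" grant machine-readable.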
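Review bot: The two design bullets in README.md describe plug-ins connecting to the Unix-domain socket to "register" interest in traffic and to bind to virtual addresses, but nothing says which local processes are allowed to do so. A connected plug-in would receive routed traffic and could initiate communications from virtual addresses, so the README should state the intended access control on that socket (for example socket file ownership and mode, or a peer-credential check on connect) before code is written against this design. Separately, "It's a compliment to it" in the netfilter paragraph should read "complement".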