Initial check-in.
This commit is contained in: commit ec85065603
2
COPYING
Normal file
@ -0,0 +1,2 @@
GNU General Public License, version 2 or any later version.
See GPL-2 or GPL-3 for the full text of these licenses.
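Review bot: the second line points the reader at GPL-2 and GPL-3 files for the full license text, but this commit adds only COPYING and README.md, so neither file exists in the tree yet. Either add the two license texts next to COPYING in this commit or replace the reference with where the full text can be found, so the "version 2 or any later version" grant is actually backed by the text it refers to.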
39
README.md
Normal file
@ -0,0 +1,39 @@
ABSURD: A bewilderingly silly userspace routing daemon
======================================================

ABSURD is a TCP/IP routing and firewalling tool for performing stateful
firewalling and routing of IP traffic according to configurable rules.

Right now, no code exists, but the idea is as follows:

- The daemon will consist of a core packet switch which listens on a `tun`
interface and exposes some virtual subnets to the host, whilst providing an
interface to those subnets via a Unix-domain socket.

- Plug-in applications then connect to the Unix-domain socket and can
"register" interest in receiving particular subsets of the traffic routed to
the virtual subnet. They can also bind to virtual addresses on those
subnets to be able to initiate communications.

Some possible applications:
- Stateful NAT64 (RFC-6146) and NAT46 (draft-liu-behave-nat46-02), including
cross-protocol port forwarding.
- DNS64 (RFC-6147)
- PCP (RFC-6887)
- SNI-based routing, so your TLS server's logs show an IPv6 address derived
from the address of the IPv4 client for auditing purposes, instead of the IP
address of your SNI proxy server.
- Application-level firewalling (e.g. let your Wordpress blog access Wordpress
for security updates without having to know every IP they host sites on),
- Deep-packet inspection.

This is obviously not a replacement for netfilter, pf or any other firewall
you care to name. It's a compliment to it. Passing packets in and out of
userspace has the distinct downside of performance penalties, thus for high
performance routing, any kernel solution is going to run rings around this.

That said, on small home/business networks, the Internet link is typically
100Mbps or less, and even a Raspberry Pi packs a decent amount of computing
oomph. Likely, we should be able to keep up with most small Internet
connections. The aim will be for something that can keep up with ADSLv2 and
similar grade links on modest hardware.
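Review bot: the two design bullets after "the idea is as follows" make the Unix-domain socket the daemon's trust boundary, but the README says nothing about who may connect to it or whether a plug-in can "register" for all traffic on a virtual subnet rather than a subset; with deep-packet inspection and application-level firewalling listed as intended uses, any local process that can reach that socket would be able to observe or redirect routed traffic and bind virtual addresses. Add a short paragraph stating the intended access control (socket ownership and permissions, and whether registrations are scoped per plug-in) so the design can be reviewed against it before code lands. Minor wording: "It's a compliment to it" should read "complement".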