ABSURD: A bewilderingly silly userspace routing daemon
======================================================
ABSURD is a userspace tool for stateful firewalling and routing of IP traffic
according to configurable rules.

Right now, no code exists, but the idea is as follows:

- The daemon will consist of a core packet switch which listens on a `tun`
  interface and exposes some virtual subnets to the host, whilst providing an
  interface to those subnets via a Unix-domain socket.
- Plug-in applications then connect to the Unix-domain socket and can
  "register" interest in receiving particular subsets of the traffic routed to
  the virtual subnet. They can also bind to virtual addresses on those
  subnets to be able to initiate communications.
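
To make the register/dispatch idea concrete, here is an added Python sketch of
the core packet switch's dispatch step. It is illustration only, not code from
the ABSURD project (which has none yet): `PacketSwitch`, `Interest`,
`register()` and `dispatch()` are assumed names, and the frames and addresses
are constructed inline so the logic runs offline instead of reading a `tun`
device or talking over a Unix-domain socket. The one design point worth
noticing is the default: traffic no plug-in has registered interest in is
dropped, not forwarded.

```python
# Added example, not ABSURD's own code (the project has none yet): a sketch of the
# core packet switch's dispatch step. PacketSwitch, Interest, register() and
# dispatch() are assumed names. A real daemon would read frames from a tun
# device and talk to plug-ins over a Unix-domain socket; here the frames are
# constructed inline so the logic runs offline.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: int                     # IP protocol number: 6 = TCP, 17 = UDP
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: Optional[int]           # None for protocols without ports
    dport: Optional[int]
    payload: bytes                 # everything after the IP header


def parse_ipv4(frame: bytes) -> Packet:
    """Parse an IPv4 header (honouring IHL) and, for TCP/UDP, the port pair."""
    if len(frame) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(frame) < total_len:
        raise ValueError("inconsistent IHL/total length")
    l4 = frame[ihl:total_len]
    sport = dport = None
    if proto in (6, 17):
        if len(l4) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", l4[:4])
    return Packet(proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), sport, dport, l4)


@dataclass(frozen=True)
class Interest:
    """What a plug-in registers: a virtual subnet plus optional protocol/port."""
    subnet: str                    # e.g. "10.64.53.0/24"; converted to IPv4Network below
    proto: Optional[int] = None
    dport: Optional[int] = None

    def __post_init__(self):
        object.__setattr__(self, "subnet", ipaddress.IPv4Network(self.subnet))

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dst in self.subnet
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport))


class PacketSwitch:
    def __init__(self, virtual_subnets):
        self.subnets = [ipaddress.IPv4Network(s) for s in virtual_subnets]
        self.registry = []        # (Interest, handler) pairs in registration order
        self.dropped = 0

    def register(self, interest: Interest, handler) -> None:
        # A plug-in may only claim traffic for subnets this switch actually exposes.
        if not any(interest.subnet.subnet_of(s) for s in self.subnets):
            raise ValueError(f"{interest.subnet} is not one of the virtual subnets")
        self.registry.append((interest, handler))

    def dispatch(self, frame: bytes) -> str:
        """Hand the packet to the first interested plug-in; unclaimed traffic is dropped."""
        pkt = parse_ipv4(frame)
        for interest, handler in self.registry:
            if interest.matches(pkt):
                handler(pkt)
                return "delivered"
        self.dropped += 1          # default-deny: nobody asked for it, nobody gets it
        return "dropped"


def udp_frame(src, dst, sport, dport, data=b"") -> bytes:
    """Construct an IPv4/UDP frame for the demo (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + udp


def demo():
    sw = PacketSwitch(["10.64.0.0/16"])
    seen = []
    sw.register(Interest("10.64.53.0/24", proto=17, dport=53),
                lambda p: seen.append(("dns", str(p.src), p.sport)))
    results = [sw.dispatch(udp_frame("192.0.2.10", "10.64.53.1", 40000, 53)),
               sw.dispatch(udp_frame("192.0.2.10", "10.64.53.1", 40000, 80)),   # port not claimed
               sw.dispatch(udp_frame("192.0.2.10", "10.64.99.1", 40000, 53))]   # subnet not claimed
    return results, seen, sw.dropped


if __name__ == "__main__":
    print(demo())
```

Running `demo()` delivers only the UDP/53 packet for the claimed /24; the other
two frames are counted as dropped. A plug-in asking for a subnet the switch
does not expose is refused at registration time rather than silently ignored.
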
Some possible applications:

- Stateful NAT64 (RFC 6146) and NAT46 (draft-liu-behave-nat46-02), including
  cross-protocol port forwarding.
- DNS64 (RFC 6147).
- PCP (RFC 6887).
- SNI-based routing, so that your TLS server's logs show an IPv6 address derived
  from the IPv4 client's address for auditing purposes, instead of the IP
  address of your SNI proxy server.
- Application-level firewalling (e.g. let your WordPress blog reach WordPress
  for security updates without having to know every IP address they host sites
  on).
- Deep-packet inspection.
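
The first and fourth items above both rest on the same trick: embedding an
IPv4 address in an IPv6 one. As an added example (not ABSURD code), the Python
below synthesises such addresses with the RFC 6052 well-known prefix
64:ff9b::/96 and keeps the minimal stateful NAT64 session table a NAT64
plug-in would need, using the BEHAVE terms of RFC 4787: endpoint-independent
mapping (one IPv4 port per IPv6 source port, whatever the destination) and
address-dependent filtering (inbound IPv4 traffic is admitted only from a peer
the IPv6 host has already contacted). It is a simplified sketch, not a full
RFC 6146 implementation; `Nat64`, `outbound()` and `inbound()` are assumed
names and the addresses are constructed documentation addresses.

```python
# Added example, not ABSURD's own code: a minimal stateful NAT64 session table
# of the kind the NAT64 application above would keep. Address synthesis uses the
# RFC 6052 well-known prefix 64:ff9b::/96; the binding/session handling is a
# simplified sketch (endpoint-independent mapping, address-dependent filtering
# in RFC 4787 terms), not a complete RFC 6146 implementation. Nat64, outbound()
# and inbound() are assumed names; the addresses are constructed.
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(v4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the well-known prefix (RFC 6052, /96 form)."""
    return ipaddress.IPv6Address(int(WKP.network_address) | int(ipaddress.IPv4Address(v4)))


def extract(v6: ipaddress.IPv6Address):
    """Recover the embedded IPv4 address, or None if v6 is outside the prefix."""
    if v6 not in WKP:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


class Nat64:
    """Translates between an IPv6 side and one public IPv4 address (the 'pool')."""

    def __init__(self, pool4: str, port_range=(1024, 65536)):
        self.pool4 = ipaddress.IPv4Address(pool4)
        self._free_ports = iter(range(*port_range))
        self.bindings = {}       # (src6, sport) -> port4   (endpoint-independent mapping)
        self.reverse = {}        # port4 -> (src6, sport)
        self.sessions = {}       # (src6, sport) -> {(dst4, dport), ...}
        self.dropped = 0

    def outbound(self, src6: str, sport: int, dst6: str, dport: int):
        """IPv6 -> IPv4. Returns the translated (src4, sport4, dst4, dport) or None."""
        dst4 = extract(ipaddress.IPv6Address(dst6))
        if dst4 is None:
            self.dropped += 1    # not addressed to the NAT64 prefix: not ours to translate
            return None
        key = (ipaddress.IPv6Address(src6), sport)
        port4 = self.bindings.get(key)
        if port4 is None:
            port4 = next(self._free_ports)   # StopIteration here means the pool is exhausted
            self.bindings[key] = port4
            self.reverse[port4] = key
            self.sessions[key] = set()
        self.sessions[key].add((dst4, dport))
        return (str(self.pool4), port4, str(dst4), dport)

    def inbound(self, src4: str, sport: int, dst4: str, dport: int):
        """IPv4 -> IPv6. Only traffic matching a binding that the IPv6 host has already
        used towards this IPv4 peer is admitted; everything else is dropped."""
        key = self.reverse.get(dport)
        if ipaddress.IPv4Address(dst4) != self.pool4 or key is None:
            self.dropped += 1    # no binding: unsolicited inbound
            return None
        remote4 = ipaddress.IPv4Address(src4)
        if not any(r4 == remote4 for r4, _ in self.sessions[key]):
            self.dropped += 1    # address-dependent filtering: this peer was never contacted
            return None
        src6, sport6 = key
        return (str(synthesize(src4)), sport, str(src6), sport6)


def demo():
    nat = Nat64("203.0.113.5")
    server6 = str(synthesize("198.51.100.7"))             # what DNS64 would hand the client
    out1 = nat.outbound("2001:db8::1", 50000, server6, 443)
    out2 = nat.outbound("2001:db8::1", 50000, str(synthesize("198.51.100.8")), 80)
    reply = nat.inbound("198.51.100.7", 443, "203.0.113.5", out1[1])
    stray = nat.inbound("198.51.100.99", 443, "203.0.113.5", out1[1])
    return server6, out1, out2, reply, stray, nat.dropped


if __name__ == "__main__":
    print(demo())
```

In `demo()` the IPv6 client keeps the same IPv4 port across both destinations
(the endpoint-independent mapping), the genuine reply from 198.51.100.7 is
translated back, and the packet from 198.51.100.99, which the client never
spoke to, is dropped. The same `synthesize()` is the derivation the SNI-routing
item relies on: the IPv6 address that ends up in the TLS server's logs carries
the IPv4 client's address in its low 32 bits.
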

This is obviously not a replacement for netfilter, pf or any other firewall
you care to name; it is a complement to them. Passing packets in and out of
userspace carries a real performance penalty, so for high-performance routing
any kernel solution is going to run rings around this.

That said, on small home/business networks the Internet link is typically
100 Mbps or less, and even a Raspberry Pi packs a decent amount of computing
oomph, so we should be able to keep up with most small Internet connections.
The aim will be for something that can keep up with ADSLv2 and similar-grade
links on modest hardware.