ABSURD: A bewilderingly silly userspace routing daemon
ABSURD is a TCP/IP routing and firewalling tool for performing stateful firewalling and routing of IP traffic according to configurable rules.
Right now, no code exists, but the idea is as follows:
- The daemon will consist of a core packet switch which listens on a `tun` interface and exposes some virtual subnets to the host, whilst providing an interface to those subnets via a Unix-domain socket.
- Plug-in applications then connect to the Unix-domain socket and can "register" interest in receiving particular subsets of the traffic routed to the virtual subnet. They can also bind to virtual addresses on those subnets to be able to initiate communications.
Some possible applications:
- Stateful NAT64 (RFC-6146) and NAT46 (draft-liu-behave-nat46-02), including cross-protocol port forwarding.
- DNS64 (RFC-6147)
- PCP (RFC-6887)
- SNI-based routing, so your TLS server's logs show an IPv6 address derived from the address of the IPv4 client for auditing purposes, instead of the IP address of your SNI proxy server.
- Application-level firewalling (e.g. let your WordPress blog reach WordPress for security updates without having to know every IP they host sites on).
- Deep-packet inspection.
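As an added sketch, not code from the ABSURD project (which has none yet), here is a Python model of the core packet switch and the plug-in registration described above, with registrations named after the application ideas listed. The plug-in names, the virtual subnets and the shape of a registration are assumptions; the only real value is the RFC 6052 NAT64 well-known prefix `64:ff9b::/96`.

```python
import ipaddress
import struct

TCP, UDP = 6, 17

def parse_ip_header(pkt):
    """Parse a raw IP packet as read from a tun device (no link-layer header)."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        proto, src, dst, payload = pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]
    elif version == 6:
        proto, src, dst, payload = pkt[6], pkt[8:24], pkt[24:40], pkt[40:]
    else:
        raise ValueError("not an IPv4 or IPv6 packet")
    dport = None  # TCP and UDP both carry the destination port at offset 2
    if proto in (TCP, UDP) and len(payload) >= 4:
        dport = struct.unpack("!H", payload[2:4])[0]
    return {"version": version, "proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}

class PacketSwitch:
    """Core switch: plug-ins register (destination subnet, protocol, port) interests."""
    def __init__(self):
        self.registrations = []  # (plugin, network, proto or None, dport or None)

    def register(self, plugin, subnet, proto=None, dport=None):
        self.registrations.append((plugin, ipaddress.ip_network(subnet), proto, dport))

    def dispatch(self, pkt):
        """Names of plug-ins wanting this packet; [] means nobody asked, so it is dropped."""
        hdr = parse_ip_header(pkt)  # an IPv4 address is never 'in' an IPv6 network, and vice versa
        return [plugin for plugin, net, proto, dport in self.registrations
                if hdr["dst"] in net and proto in (None, hdr["proto"])
                and dport in (None, hdr["dport"])]

def ip_packet(src, dst, proto, dport):
    """Constructed sample: minimal v4 (checksum zero) or v6 header plus a 4-byte L4 port stub."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4:
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0, s.packed, d.packed)
    else:
        hdr = struct.pack("!IHBB16s16s", 0x60000000, 4, proto, 64, s.packed, d.packed)
    return hdr + struct.pack("!HH", 40000, dport)

if __name__ == "__main__":
    sw = PacketSwitch()
    sw.register("nat64", "64:ff9b::/96", proto=TCP)  # RFC 6052 well-known NAT64 prefix
    sw.register("sni-router", "10.64.0.0/24", proto=TCP, dport=443)  # assumed virtual subnet
    print(sw.dispatch(ip_packet("2001:db8::1", "64:ff9b::c000:201", TCP, 80)))
```

A packet that matches no registration yields an empty list, which is the default-deny behaviour a firewalling daemon should have before any plug-in is loaded.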
This is obviously not a replacement for netfilter, pf or any other firewall you care to name. It's a complement to it. Passing packets in and out of userspace carries a distinct performance penalty, so for high-performance routing any kernel solution is going to run rings around this.
That said, on small home/business networks, the Internet link is typically 100Mbps or less, and even a Raspberry Pi packs a decent amount of computing oomph. Likely, we should be able to keep up with most small Internet connections. The aim will be for something that can keep up with ADSLv2 and similar grade links on modest hardware.