**This is automatically generated documentation.** Edit after the "[[#COMMENTS|COMMENTS]]" heading; changes to the main body will be lost.

====== IPRewriter Element Documentation ======

===== NAME =====

**IPRewriter** -- Click element; rewrites TCP/UDP packets' addresses and ports

===== SYNOPSIS =====

IPRewriter(INPUTSPEC1, ..., INPUTSPECn [, //keywords//])

**Ports**: 1 or more inputs, 1-256 outputs\\
**Processing**: push\\
**Package**: tcpudp (core)\\

===== DESCRIPTION =====

Rewrites the source address, source port, destination address, and/or destination port on TCP and UDP packets, along with their checksums. IPRewriter implements the functionality of a network address/port translator (NAPT). See also [[IPAddrRewriter]] and [[IPAddrPairRewriter]], which implement Basic NAT, and [[TCPRewriter]], which implements NAPT plus sequence number changes for TCP packets.

IPRewriter maintains a //mapping table// that records how packets are rewritten. The mapping table is indexed by //flow identifier//, the quintuple of source address, source port, destination address, destination port, and IP protocol (TCP or UDP). Each mapping contains a new flow identifier and an output port. Input packets with the indexed flow identifier are rewritten to use the new flow identifier, then emitted on the output port. A mapping is written as follows:

  (SA, SP, DA, DP, PROTO) => (SA', SP', DA', DP') [OUTPUT]

When IPRewriter receives a packet, it first looks up that packet in the mapping table by flow identifier. If the table contains a mapping for the input packet, then the packet is rewritten according to the mapping and emitted on the specified output port. If there was no mapping, the packet is handled by the INPUTSPEC corresponding to the input port on which the packet arrived. (There are as many input ports as INPUTSPECs.) Most INPUTSPECs install new mappings, so that future packets from the same TCP or UDP flow are handled by the mapping table rather than some INPUTSPEC.

The six forms of INPUTSPEC handle input packets as follows:

? **'drop' or 'discard'**
! Discards input packets.

? **'pass OUTPUT'**
! Sends input packets to output port OUTPUT. No mappings are installed.

? **'keep FOUTPUT ROUTPUT'**
! Installs mappings that preserve the input packet's flow ID. Specifically, given an input packet with flow ID (SA, SP, DA, DP, PROTO), two mappings are installed:

  (SA, SP, DA, DP, PROTO) => (SA, SP, DA, DP) [FOUTPUT]
  (DA, DP, SA, SP, PROTO) => (DA, DP, SA, SP) [ROUTPUT]

Thus, the input packet is emitted on output port FOUTPUT unchanged, and packets from the reply flow are emitted on output port ROUTPUT unchanged.

? **'pattern SADDR SPORT DADDR DPORT FOUTPUT ROUTPUT'**
! Creates a mapping according to the given pattern, 'SADDR SPORT DADDR DPORT'. Any pattern field may be a dash '-', in which case the packet's corresponding field is left unchanged. For instance, the pattern '1.0.0.1 20 - -' will rewrite input packets' source address and port, but leave their destination address and port unchanged.

SPORT may be a port range 'L-H'; IPRewriter will choose a source port in that range so that the resulting mappings don't conflict with any existing mappings. If no source port is available, the packet is dropped. Normally source ports are chosen randomly within the range. To allocate source ports sequentially (which can make testing easier), append a pound sign to the range, as in '1024-65535#'.

Say a packet with flow ID (SA, SP, DA, DP, PROTO) is received, and the corresponding new flow ID is (SA', SP', DA', DP'). Then two mappings are installed:

  (SA, SP, DA, DP, PROTO) => (SA', SP', DA', DP') [FOUTPUT]
  (DA', DP', SA', SP', PROTO) => (DA, DP, SA, SP) [ROUTPUT]

Thus, the input packet is rewritten and sent to FOUTPUT, and packets from the reply flow are rewritten to look like part of the original flow and sent to ROUTPUT.

? **'pattern PATNAME FOUTPUT ROUTPUT'**
! Like 'pattern' above, but refers to named patterns defined by an [[IPRewriterPatterns]] element.

? **'ELEMENTNAME'**
! Creates mappings according to instructions from the element ELEMENTNAME. This element must implement the IPMapper interface. One example mapper is [[RoundRobinIPMapper]].

IPRewriter has no mappings when first initialized.

Input packets must have their IP header annotations set. Packets that are neither TCP nor UDP, and second and subsequent fragments, are dropped unless they arrive on a 'pass' input port. IPRewriter changes IP packet data and, optionally, destination IP address annotations; see the DST_ANNO keyword argument below.

Keyword arguments determine how often stale mappings should be removed.

? **TCP_TIMEOUT //time//**
! Time out TCP connections every //time// seconds. Default is 24 hours.

? **TCP_DONE_TIMEOUT //time//**
! Time out completed TCP connections every //time// seconds. Default is 30 seconds. FIN and RST flags mark TCP connections as complete.

? **UDP_TIMEOUT //time//**
! Time out UDP connections every //time// seconds. Default is 1 minute.

? **REAP_TCP //time//**
! Reap timed-out TCP connections every //time// seconds. If no packets corresponding to a given mapping have been seen for TCP_TIMEOUT, remove the mapping as stale. Default is 1 hour.

? **REAP_TCP_DONE //time//**
! Reap timed-out completed TCP connections every //time// seconds. Default is 10 seconds.

? **REAP_UDP //time//**
! Reap timed-out UDP connections every //time// seconds. Default is 10 seconds.

? **DST_ANNO**
! Boolean. If true, then set the destination IP address annotation on passing packets to the rewritten destination address. Default is true.

===== ELEMENT HANDLERS =====

? **tcp_mappings (read-only)**
! Returns a human-readable description of the IPRewriter's current set of TCP mappings.

? **udp_mappings (read-only)**
! Returns a human-readable description of the IPRewriter's current set of UDP mappings.

? **tcp_done_mappings (read-only)**
! Returns a human-readable description of the IPRewriter's current set of mappings for completed TCP sessions.

===== SEE ALSO =====

[[TCPRewriter]], [[IPAddrRewriter]], [[IPAddrPairRewriter]], [[IPRewriterPatterns]], [[RoundRobinIPMapper]], [[FTPPortMapper]], [[ICMPRewriter]], [[ICMPPingRewriter]]

Generated by 'click-elem2man' from '../elements/tcpudp/iprewriter.hh' on 24/May/2007.

===== COMMENTS =====
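
The table lookup and the 'pattern' INPUTSPEC described above, modelled in Python as an added example (not Click source code and not part of the generated documentation). It assumes the configuration ''IPRewriter(pattern 1.0.0.1 1024-1025# - - 0 1, drop)''; the class and function names are hypothetical, all addresses other than 1.0.0.1 are constructed, and the port-conflict check is a simplification of the rule stated in the text.

```python
# Added model of the IPRewriter mapping table; not Click source code.
# Assumed configuration: IPRewriter(pattern 1.0.0.1 1024-1025# - - 0 1, drop)
from collections import namedtuple

Flow = namedtuple("Flow", "sa sp da dp proto")   # flow identifier

class RewriterModel:
    def __init__(self, saddr, sports, daddr, dport, foutput, routput):
        self.saddr, self.daddr, self.dport = saddr, daddr, dport
        self.lo, self.hi = sports                # 'L-H#': sequential choice
        self.fout, self.rout = foutput, routput
        self.table = {}                          # flow ID -> (new flow ID, output)

    def _alloc_sport(self, sa, da, dp, proto):
        # First port whose reply mapping would not collide with an existing one.
        for port in range(self.lo, self.hi + 1):
            if Flow(da, dp, sa, port, proto) not in self.table:
                return port
        return None

    def push(self, in_port, f):
        """Return (rewritten flow ID, output port), or None if dropped."""
        if f in self.table:                      # table lookup comes first
            return self.table[f]
        if in_port != 0:                         # input 1 uses INPUTSPEC 'drop'
            return None
        sa = f.sa if self.saddr == "-" else self.saddr
        da = f.da if self.daddr == "-" else self.daddr
        dp = f.dp if self.dport == "-" else self.dport
        sp = self._alloc_sport(sa, da, dp, f.proto)
        if sp is None:                           # no source port available
            return None
        new = Flow(sa, sp, da, dp, f.proto)
        # (SA, SP, DA, DP, PROTO) => (SA', SP', DA', DP') [FOUTPUT]
        self.table[f] = (new, self.fout)
        # (DA', DP', SA', SP', PROTO) => (DA, DP, SA, SP) [ROUTPUT]
        reply_key = Flow(da, dp, sa, sp, f.proto)
        self.table[reply_key] = (Flow(f.da, f.dp, f.sa, f.sp, f.proto), self.rout)
        return self.table[f]

def demo():
    # Constructed flows: one outbound packet, its reply, one unsolicited packet.
    rw = RewriterModel("1.0.0.1", (1024, 1025), "-", "-", 0, 1)
    out = rw.push(0, Flow("10.0.0.2", 5000, "2.0.0.2", 80, "TCP"))
    reply = rw.push(1, Flow("2.0.0.2", 80, "1.0.0.1", 1024, "TCP"))
    unsolicited = rw.push(1, Flow("2.0.0.2", 80, "1.0.0.1", 1025, "TCP"))
    return out, reply, unsolicited
```

Only the reply to an installed mapping passes on input 1; a packet aimed at an unallocated port finds no mapping and falls through to 'drop'.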