Re: nf_conntrack & NAT - Herve Eychenne

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Herve Eychenne <rv@wallfire.org>
To: Harald Welte <laforge@netfilter.org>,
	Jan Kasprzak <kas@fi.muni.cz>,
	netfilter-devel@lists.netfilter.org,
	Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
Subject: Re: nf_conntrack & NAT
Date: Tue, 6 Dec 2005 18:31:35 +0100	[thread overview]
Message-ID: <20051206173135.GQ5617@eychenne.org> (raw)
In-Reply-To: <20051206154320.GG4038@rama.exocore.com>

On Tue, Dec 06, 2005 at 09:13:21PM +0530, Harald Welte wrote:

> On Wed, Nov 23, 2005 at 02:24:19PM +0100, Jan Kasprzak wrote:

> > : > > support for IPv6?

> > : > Never ever. You can learn why people don't want to do it from many sources.
> > : > For example, You can use many addresses in IPv6 world. And I don't want people
> > : > get troubles due to NAT traversal issues in IPv6 world.

> > : And what if you want your firewall to transparently redirect some traffic
> > : to another host, for example?

> > 	... or IPVS-based clusters. NAT functionality is definitely
> > wanted (even though full NAT in the IPv6 world is evil :-).

> guys, we have to differentiate here.

> I often stated "nf_conntrack based ipv6 nat only over my dead body".
> This refers to something similar to the current IPv4 NAT code as a
> stateful, fully symmetric, port overloading NAPT attached to the
> connection tracking code.

> for stuff like redirecting traffic, all you really need is stateless
> rewriting of the destination address.  If people want that, the entire
> implementation fits in a single ip6tables target.  no relation to
> nf_conntrack at all.

Stateless?  And what if you want the response (of the packets which have
been redirected) to come back with their initial address, as if they
had not been redirected? (if the client shouldn't know that, if this
should be transparent to him)
This is also known as DNAT, for which the state has be stored, right?

So, in one word: if we definitely need DNAT with IPv4 today, why
wouldn't we need DNAT with IPv6?

> also, IPVS doesn't need any ip_conntrack/iptable_nat today,

I don't know IPVS implementation, but maybe the IPVS-NAT method could
theorically share some code with the current NAT code... (they both
seem to handle the same kind of state table, even if at least the hashing
algorithm could probably be different, I guess)

> why would it need that for ipv6?

 Herve

-- 
 _
(°=  Hervé Eychenne
//)
v_/_ WallFire project:  http://www.wallfire.org/

next prev parent reply	other threads:[~2005-12-06 17:31 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-11-23 11:30 nf_conntrack & NAT Krzysztof Oledzki
2005-11-23 12:25 ` Yasuyuki KOZAKAI
2005-11-23 13:20   ` Herve Eychenne
2005-11-23 13:24     ` Jan Kasprzak
2005-12-06 15:43       ` Harald Welte
2005-12-06 17:31         ` Herve Eychenne [this message]
2005-12-07  7:05           ` Harald Welte
2005-12-07  7:00             ` Patrick Schaaf
2005-12-07 13:06               ` Harald Welte
2005-12-07  9:41                 ` Patrick Schaaf
2005-12-07 12:02             ` (D)NAT with IPv6 (was "nf_conntrack & NAT") Herve Eychenne
2005-12-07 11:22           ` nf_conntrack & NAT Jozsef Kadlecsik
2005-12-07 14:54             ` (D)NAT with IPv6 (was "nf_conntrack & NAT") Herve Eychenne
2005-12-07 15:09               ` Jozsef Kadlecsik
2005-12-08 11:41                 ` Herve Eychenne
2005-12-08 11:56                   ` Patrick Schaaf
2005-12-09  4:56                     ` Harald Welte
2005-12-09  8:56                       ` Krzysztof Oledzki
2005-12-09  9:16                         ` Patrick Schaaf
2005-12-09  4:57                     ` Harald Welte
2005-12-12 20:42                       ` Balazs Scheidler
2005-12-12 22:56                         ` Alexander Samad
2005-12-13  8:57                           ` Balazs Scheidler
     [not found] ` <200511231225.jANCPmnh018866@toshiba.co.jp>
2005-11-23 13:44   ` nf_conntrack & NAT Krzysztof Oledzki
2005-11-25  4:54     ` Yasuyuki KOZAKAI
2005-11-26 23:52       ` Patrick McHardy
2005-11-27  8:42         ` Balazs Scheidler
  -- strict thread matches above, loose matches on Subject: below --
2006-04-11 10:55 NF_CONNTRACK " syrius.ml

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20051206173135.GQ5617@eychenne.org \
    --to=rv@wallfire.org \
    --cc=kas@fi.muni.cz \
    --cc=laforge@netfilter.org \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=yasuyuki.kozakai@toshiba.co.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.