From: Patrick Schaaf <bof@bof.de>
To: Harald Welte <laforge@netfilter.org>,
	Herve Eychenne <rv@wallfire.org>, Jan Kasprzak <kas@fi.muni.cz>,
	netfilter-devel@lists.netfilter.org,
	Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
Subject: Re: nf_conntrack & NAT
Date: Wed, 7 Dec 2005 08:00:39 +0100
Message-ID: <20051207070039.GC474@oknodo.bof.de>
In-Reply-To: <20051207070517.GA4361@rama.exocore.com>

> > Stateless?  And what if you want the response (of the packets which have
> > been redirected) to come back with their initial address, as if they
> > had not been redirected? (if the client shouldn't know that, if this
> > should be transparent to him)
> 
> then you need a static snat target that does this for all reply packets.

How do you expect to match those reply targets?

Be aware that REDIRECT does not mean REDIRECT-always-for-the-same
source-and-destination-pair. Such thinking would be too restrictive.

For example, I use ipset bitmaps to determine, at conntrack-NEW-time,
whether some connection should be REDIRECTed, or not. This decision,
once made, should stay stable for the same connection, even if the
ipset bitmap is modified wrt another new connection between the
same partners.

So I at least need conntracking, and some way to _mark_ connections,
if the connection does not store a NAT decision itself. Or my usage
won't be supported for IPv6. (not a problem at the moment, but who
knows)

> stateful IPv6 NAT only over my dead body.  Do you know that NAT is the
> single most destructive way that ever happened to today's internet?  That
> it is the number one reason why VoIP doesn't really take off as much as
> it could?  The number one reason for various non-deterministic breakage
> all over the place?

All known. All completely nonapplicable for REDIRECT.

best regards
  Patrick
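The "decide once at NEW time, then keep it stable via a mark" setup Patrick describes, as an added example that is not part of the thread or of netfilter's own code. It assumes a bitmap ipset named `redir_clients`, a local proxy on port 3128, and modern `-m set --match-set` / `-m conntrack` syntax rather than the 2005-era options; the rules are emitted as text so they can be reviewed before being applied.

```sh
#!/bin/sh
# Added example: capture a per-connection REDIRECT decision in the conntrack
# mark at NEW time, so later changes to the ipset do not flip the decision
# for an already-established flow. Names below are assumptions, not from
# the thread.

SET_NAME=${SET_NAME:-redir_clients}   # assumed ipset (bitmap:ip) of client IPs
REDIR_PORT=${REDIR_PORT:-3128}        # assumed local transparent proxy port
MARK=${MARK:-0x1}                     # ctmark bit meaning "this flow is redirected"

# Print the rules. mangle/PREROUTING runs before nat/PREROUTING, so the
# ctmark set here is already visible when the nat rule is evaluated.
redirect_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -m set --match-set ${SET_NAME} src -j CONNMARK --set-mark ${MARK}
iptables -t nat -A PREROUTING -p tcp --dport 80 -m connmark --mark ${MARK} -j REDIRECT --to-ports ${REDIR_PORT}
iptables -A FORWARD -m connmark --mark ${MARK} -j ACCEPT
EOF
}

# Apply the emitted rules on the local box (requires root); dry-run by default.
apply_rules() {
    if [ "${1:-dry-run}" = "apply" ]; then
        redirect_rules | sh
    else
        redirect_rules
    fi
}

# Count how many emitted rules consult the ipset; only the NEW-time rule
# should, which is the whole point: later packets act on the ctmark alone.
ipset_lookups() {
    redirect_rules | grep -c -- "--match-set ${SET_NAME}"
}
```

Only the first rule touches the ipset; the nat and filter rules key on the conntrack mark, so editing the bitmap afterwards affects new connections only.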
