RE: xt_gateway 20070605 (kernel)

[Amin Azez <azez@ufomechanic.net>]

From: "Jan Engelhardt" <jengelh@computergmbh.de>
Sent: 16/06/07 08:59
Subject: RE: xt_gateway 20070605 (kernel)

=Well, it is as complicated as policy routing
=(e.g. using -j MARK and iproute2's fwmark match)
=
=ip route add 1.3.3.7/32 dev leet0 realm 666
=iptables -t nat -A POSTROUTING -m realm --realm 666 -j 
=SNAT --to whatever.

Yeah, you have to have one realm per snat-ip or better, which is more complicated than just using the gateway ip.

It's true that you can use realm to make an association between gateway and snat address, but why bother if you can use gateway to make an association between gateway and snat address.

To use realm requires fiddling with routing tables (which I can do pleasantly as iproute-save supports xml) but gateway match lets users leave routing to be managed by their network scripts instead of managing it by hand. 

=>Xt_gateway is persisted solely with iptables-save. There is no iproute-save
=>(actually there is, I posted it to the relevant list a few months back but
=>no-one noticed).

=iproute-save would have a problem: it may interfere with
= (a) 'proto kernel' rules

My iproute-restore did not restore proto kernel routes, or flush them prior to a restore.

= (b) rules from the distribution (e.g. =/etc/sysconfig/network/ifroutes)
=    [lesser a problem]

Likewise, scope helped recognize these.

=>I'm not going to try to convince you harder than this. Some directors and
=>shareholders (if they were aware) would probably prefer that you did NOT merge
=>it to the mainline kernel and I also have a duty to them.

=What would they care about how it's done?

They might prefer that anything that made things easier were not available outside of the source CD that we ship with the box. There is no official company policy on this yet, and I prefer it that way.

The gateway match makes things easier for me. All our customers will be using it. I'm happy to share it.

If Patrick judges it to be unneccessary then I don't feel very inclined to argue the point. I agree that authors cannot insist that their contributions be recommended upstream and linux is not so scarce of features that this is remotely necessary.

Like my iptables vlan match and conntrack direction match, account + rate limiting, and probably the same way as my next connroute target all of which are useful to me, I'm disapointed that they won't have wider use, but not frantic.

Sam