From: Eric Leblond <eric@inl.fr>
To: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: interface based conntrack entry
Date: Tue, 18 Mar 2008 06:50:09 +0100
Message-ID: <20080318055008.GA21458@bayen.regit.org>
In-Reply-To: <47DF11A1.5020401@plouf.fr.eu.org>
Hi,
On Tuesday, 2008 March 18 at 1:49:37 +0100, Pascal Hambourg wrote:
> Hello,
>
> Eric Leblond wrote:
>> On Monday, 2008 March 17 at 16:13:45 -0400, Sohan Shetty wrote:
>>>
>>> Here, our box is connected to two distinct networks 192.168.1/24 [...]
>> There is no such patch. A similar question was asked some time ago and
>> if I remember well, the conclusion was the setup was too weird from a
>> firewall point-of-view.
>
> s/weird/broken by design/
>
> The purpose of prefixes is to identify networks. If you use the same prefix
> on distinct networks, expect trouble.
No, not really. If you use the advanced routing capability of Linux, this
setup can be easily achieved and, except for filtering, will be working
well (with one routing private table per network interface pair).
The correct explanation about the problem of conntrack relatively to
this setup is given by Jan Engelhardt in his mail.
BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/