* suggestion, p-o-m, iplimit for ipv6 protocol
From: Marek Figielski @ 2003-04-22 20:08 UTC (permalink / raw)
  To: netfilter-devel


I am a user of iptables and p-o-m. At the moment there is no netfilter
allowing to limit outgoing connections via ip6 (like iplimit for ipv4). Of
course I know that there is 'limit' for ip6tables, but its practical application is a little
different from ipt 'iplimit'. I think that 'iplimit' from iptables written for
ipv6 protocol (for ip6tables) would be a good idea. I hope you'll think about it.

Greetings.
Yours faithfully.

-- 
Marek "Raptorek" Figielski
raptorek<at>cki<dot>net<dot>pl
Network administrator @ rzeczna.pl, vanilla.pl
6Bone handle: RAPI1-6BONE


* Re: suggestion, p-o-m, iplimit for ipv6 protocol
From: Harald Welte @ 2003-04-27 13:08 UTC (permalink / raw)
  To: Marek Figielski; +Cc: netfilter-devel


On Tue, Apr 22, 2003 at 10:08:33PM +0200, Marek Figielski wrote:
> 
> I am user of iptables and p-o-m. At the moment there is no netfilter
> allowing to limit outgoing connections via ip6 (like iplimit for ipv4). Of
> course I know that there is 'limit' for ip6tables, but his practical
> application is a little other than ipt 'iplimit'. I think that
> 'iplimit' from iptables written for ipv6 protocol (for ip6tables)
> would be good idea. I hope You'll think about it.

As there is no connection tracking for IPv6, there is no chance of
implementing an 'iplimit' match for ip6_tables :(

sorry,

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


* Re: suggestion, p-o-m, iplimit for ipv6 protocol
From: Tom Marshall @ 2003-04-30  3:30 UTC (permalink / raw)
  To: Harald Welte, Marek Figielski, netfilter-devel


On Sun, Apr 27, 2003 at 03:08:38PM +0200, Harald Welte wrote:
> On Tue, Apr 22, 2003 at 10:08:33PM +0200, Marek Figielski wrote:
> > 
> > I am user of iptables and p-o-m. At the moment there is no netfilter
> > allowing to limit outgoing connections via ip6 (like iplimit for ipv4). Of
> > course I know that there is 'limit' for ip6tables, but his practical
> > application is a little other than ipt 'iplimit'. I think that
> > 'iplimit' from iptables written for ipv6 protocol (for ip6tables)
> > would be good idea. I hope You'll think about it.
> 
> As there is no connection tracking for IPv6, there is no chance of
> implementing an 'iplimit' match for ip6_tables :(

Sorry for a perhaps naive question, but why is there no IPv6 conntrack?

-- 
Guilty until proven innocent: abusing the legal system in the name of the
war on terror.  http://www.wired.com/news/conflict/0,2100,58326,00.html


* Re: suggestion, p-o-m, iplimit for ipv6 protocol
From: Jozsef Kadlecsik @ 2003-04-30 10:57 UTC (permalink / raw)
  To: Tom Marshall; +Cc: Harald Welte, Marek Figielski, netfilter-devel

On Tue, 29 Apr 2003, Tom Marshall wrote:

> > As there is no connection tracking for IPv6, there is no chance of
> > implementing an 'iplimit' match for ip6_tables :(
>
> Sorry for a perhaps naive question, but why is there no IPv6 conntrack?

A blind porting of the IPv4 conntrack is unacceptable due to the code
duplication.

A blind union with IPv4 conntrack is unacceptable due to the sheer wasting
of memory.

An intelligent unification of IPv4/6 conntrack is possible. That itself is
not so easy and one should keep in mind the relation with NAT, which
makes it at the end complicated and hard.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


* Re: suggestion, p-o-m, iplimit for ipv6 protocol
From: Martijn Lievaart @ 2003-04-30 20:31 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: Tom Marshall, netfilter-devel

Jozsef Kadlecsik wrote:

>On Tue, 29 Apr 2003, Tom Marshall wrote:
>
>>Sorry for a perhaps naive question, but why is there no IPv6 conntrack?
>
>A blind porting of the IPv4 conntrack is unacceptable due to the code
>duplication.
>
>A blind union with IPv4 conntrack is unacceptable due to the sheer wasting
>of memory.
>
>An intelligent unification of IPv4/6 conntrack is possible. That itself is
>not so easy and one should keep in mind the relation with NAT, which
>makes it at the end complicated and hard.

I understand, but for myself I am willing to pay the price of a blind
port. Has anyone done work in that direction?

TIA,
Martijn Lievaart


* Re: suggestion, p-o-m, iplimit for ipv6 protocol
From: Jozsef Kadlecsik @ 2003-05-05  8:38 UTC (permalink / raw)
  To: Martijn Lievaart; +Cc: Tom Marshall, netfilter-devel

On Wed, 30 Apr 2003, Martijn Lievaart wrote:

> >A blind porting of the IPv4 conntrack is unacceptable due to the code
> >duplication.
> >
> I understand, but for myself am willing to pay the price of a blind
> port. Has anyone done work in that direction?

Brad Chapman made such a port quite some time ago. MARC can help you to
find it.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


* Re: suggestion, p-o-m, iplimit for ipv6 protocol
From: Martijn Lievaart @ 2003-05-06 22:38 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter-devel

Jozsef Kadlecsik wrote:

>On Wed, 30 Apr 2003, Martijn Lievaart wrote:
>
>>>A blind porting of the IPv4 conntrack is unacceptable due to the code
>>>duplication.
>>
>>I understand, but for myself am willing to pay the price of a blind
>>port. Has anyone done work in that direction?
>
>Brad Chapman made such a port quite some time ago. MARC can help you to
>find it.

Excuse my ignorance, but what or who is MARC?

TIA,
Martijn Lievaart


* Re: suggestion, p-o-m, iplimit for ipv6 protocol
From: Harald Welte @ 2003-05-07  7:44 UTC (permalink / raw)
  To: Martijn Lievaart; +Cc: Jozsef Kadlecsik, netfilter-devel


On Wed, May 07, 2003 at 12:38:25AM +0200, Martijn Lievaart wrote:
> >>I understand, but for myself am willing to pay the price of a blind
> >>port. Has anyone done work in that direction?
> >
> >Brad Chapman made such a port quite some time ago. MARC can help you to
> >find it.
> 
> Excuse my ignorance, but what or who is MARC?

http://marc.theaimsgroup.com/

> TIA,
> Martijn Lievaart

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
