From: Pierre Rondou <prondou@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: behave@ietf.org, v6ops@ietf.org, netfilter-devel@vger.kernel.org,
	guy.leduc@ulg.ac.be, evyncke@cisco.com,
	Cyril Soldani <cyril.soldani@ulg.ac.be>
Subject: Re: Netfilter Module for NAT IVI available
Date: Wed, 25 May 2011 14:59:46 +0200
Message-ID: <4DDCFD42.3010708@gmail.com>
In-Reply-To: <1306252554.3026.66.camel@edumazet-laptop>

On 24/05/11 17:55, Eric Dumazet wrote:
>
>>>>
>>>>          
>>> Hi Pierre
>>>
>>> 1) Are you sure netfilter is the right place for this IVI feature ?
>>>      (fact that you had to copy/paste ~1300 lines of code from kernel
>>> might show that this would be better to use a module hooked into
>>> forwarding stack ?)
>>>
>>>        
>> I used Xtables to produce my module, fact is that I was (and still am) a
>> kernel nooby, Xtables seemed to be a good way to produce this code.
>> I'm not sure what you're referring to, are you suggesting I should
>> have developed the module directly into the kernel?
>>
>>      
> We all were kernel newbies at the very beginning ;)
>    

Sure, unfortunately there is no real book to teach new coders on what 
they should do.

>    
>>> 2) How this can integrate a {conntrack enabled} firewall ?
>>>
>>>
>>>        
>> I can't ... It's a drawback of the module. The fact is that I have only
>> found very little documentation about conntrack code, so I dropped the
>> idea of dealing with it.
>> But it shouldn't be difficult to update the conntrack for a kernel pro I
>> guess ;-)
>>      
> This has to be discussed before even coding ;)
>
> One packet going through this gateway has one IPv6 side and one IPv4
> side. This can be a problem for firewalling (either it's IPv4, or it's
> IPv6) and conntracking.
>
>
>    

It is a problem, that's sure.
But as stated before, I didn't find any suitable conntrack doc :(
My main thesis goal is to provide a working module, conntrack support 
would be a bonus, but for now, I cannot do it on my own because of a 
lack of conntrack knowledge.