* netfilter IPv6 support
From: Thomas Zehetbauer @ 2004-08-26 18:52 UTC
To: Kernel Mailing List
Although Linux was one of the first to support IPv6, it seems to me that
netfilter support has almost stuck. There is still not even a REJECT
target, not to mention stateful filtering for IPv6.
Tom
--
T h o m a s Z e h e t b a u e r ( TZ251 )
PGP encrypted mail preferred - KeyID 96FFCB89
finger thomasz@hostmaster.org for key
The horizon of many people is a circle with a radius of zero.
They call this their point of view.
* Re: netfilter IPv6 support
From: David S. Miller @ 2004-08-26 20:00 UTC
To: Thomas Zehetbauer; +Cc: linux-kernel, netfilter-devel
On Thu, 26 Aug 2004 20:52:47 +0200
Thomas Zehetbauer <thomasz@hostmaster.org> wrote:
> Although linux was one of the first to support IPv6 it seems to me that
> netfilter support has almost stuck. There is still not even a REJECT
> target not to mention stateful filtering for IPv6.
Why not ask the netfilter development lists such questions?
Stateful netfilter is not there because it's a total waste
to completely duplicate all of the connection tracking et al.
code into ipv6 counterparts when 80% of the code is roughly
the same. People are working on a consolidation of these
things so that there is no code duplication but it is a lot
of work and there are bigger fires to put out at the moment.
* Re: netfilter IPv6 support
From: Thomas Zehetbauer @ 2004-08-26 21:25 UTC
To: linux-kernel; +Cc: netfilter-devel
On Thu, 2004-08-26 at 13:00 -0700, David S. Miller wrote:
> Stateful netfilter is not there because it's a total waste
> to completely duplicate all of the connection tracking et al.
> code into ipv6 counterparts when 80% of the code is roughly
> the same. People are working on a consolidation of these
> things so that there is no code duplication but it is a lot
> of work and there are bigger fires to put out at the moment.
Of course it's a waste to duplicate the code, but as far as I remember
the status of netfilter for IPv6 has not changed for almost a year. As
said, there is still not even the basic REJECT target available.
Tom
--
T h o m a s Z e h e t b a u e r ( TZ251 )
PGP encrypted mail preferred - KeyID 96FFCB89
finger thomasz@hostmaster.org for key
The three Rs of Microsoft support: Retry, Reboot, Reinstall.
* Re: netfilter IPv6 support
From: Willy Tarreau @ 2004-08-26 22:05 UTC
To: Thomas Zehetbauer; +Cc: linux-kernel, netfilter-devel
On Thu, Aug 26, 2004 at 11:25:10PM +0200, Thomas Zehetbauer wrote:
> On Thu, 2004-08-26 at 13:00 -0700, David S. Miller wrote:
> > Stateful netfilter is not there because it's a total waste
> > to completely duplicate all of the connection tracking et al.
> > code into ipv6 counterparts when 80% of the code is roughly
> > the same. People are working on a consolidation of these
> > things so that there is no code duplication but it is a lot
> > of work and there are bigger fires to put out at the moment.
>
> Of course it's a waste to duplicate the code but as far as I remember
> the status of netfilter for IPv6 has not changed for almost a year. As
> said there is still not even the basic REJECT target available.
These features are available in patch-o-matic-ng. They're not in mainline
because the netfilter team only pushes well tested and non-intrusive changes.
But there are lots of people using features from patch-o-matic in production.
You can get those here:
ftp://ftp.netfilter.org/pub/patch-o-matic-ng/
Please also take a look at the mailing list archives since it's an area
which is currently moving:
http://marc.theaimsgroup.com/?l=netfilter-devel
Regards,
Willy
* Re: netfilter IPv6 support
From: Jeff Garzik @ 2004-08-26 20:25 UTC
To: Thomas Zehetbauer; +Cc: Kernel Mailing List
Thomas Zehetbauer wrote:
> Although linux was one of the first to support IPv6 it seems to me that
> netfilter support has almost stuck. There is still not even a REJECT
> target not to mention stateful filtering for IPv6.
Google found for me an ip6_conntrack module, but... some people make a
credible argument that stateful filtering doesn't scale beyond small
networks and small amounts of connections. As Andi puts it, there is no
infinite hash.
Jeff
* Re: netfilter IPv6 support
From: David S. Miller @ 2004-08-26 21:06 UTC
To: Jeff Garzik; +Cc: thomasz, linux-kernel
On Thu, 26 Aug 2004 16:25:36 -0400
Jeff Garzik <jgarzik@pobox.com> wrote:
> As Andi puts it, there is no infinite hash.
Using hash tables would be the problem :-)
Longest matching prefix lookup algorithms are a well researched area.
One we have not taken advantage of much at all. This is more than
evident in our routing and netfilter code and I'm working to do
something about it. :-)
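The contrast drawn above, hash-table lookups versus longest-prefix matching, is easier to see on a concrete structure. The following is an added illustration written for this archive page; it is not netfilter code, not kernel code and not anything David Miller posted. It builds the simplest possible longest-prefix-match structure for IPv6, a one-bit-per-level binary trie, over a constructed table of documentation prefixes (2001:db8::/32 and friends) with hypothetical rule ids. The property worth noticing is that a lookup visits at most 128 nodes no matter how many prefixes the table holds, so cost is bounded by the key length rather than by table occupancy or by how keys happen to collide, which is the scaling argument the message makes. Production implementations use path-compressed or multi-bit tries for memory and cache efficiency; the bit-at-a-time version here is for clarity.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Minimal one-bit-per-level trie for longest-prefix matching on IPv6.
 * Added example, not kernel or netfilter code. Lookup cost is bounded by
 * the address length (at most 128 node visits) regardless of table size.
 */
struct lpm_node {
    struct lpm_node *child[2];
    int has_entry;   /* a stored prefix ends exactly at this node */
    int value;       /* hypothetical rule id attached to that prefix */
};

/* Return bit i (0 = most significant) of a 16-byte IPv6 address. */
static int addr_bit(const uint8_t *addr, int i)
{
    return (addr[i / 8] >> (7 - (i % 8))) & 1;
}

struct lpm_node *lpm_new(void)
{
    return calloc(1, sizeof(struct lpm_node));
}

void lpm_free(struct lpm_node *n)
{
    if (!n)
        return;
    lpm_free(n->child[0]);
    lpm_free(n->child[1]);
    free(n);
}

/* Insert prefix/plen -> value. Returns 0 on success, -1 on bad input or OOM. */
int lpm_insert(struct lpm_node *root, const char *prefix, int plen, int value)
{
    uint8_t addr[16];
    struct lpm_node *n = root;

    if (!root || plen < 0 || plen > 128 || inet_pton(AF_INET6, prefix, addr) != 1)
        return -1;
    for (int i = 0; i < plen; i++) {
        int b = addr_bit(addr, i);
        if (!n->child[b] && !(n->child[b] = lpm_new()))
            return -1;
        n = n->child[b];
    }
    n->has_entry = 1;
    n->value = value;
    return 0;
}

/*
 * Longest-prefix lookup: walk the address bit by bit and remember the value
 * of the deepest node holding an entry. Returns -1 when no prefix (not even
 * a ::/0 default) covers the address, or when the address does not parse.
 */
int lpm_lookup(const struct lpm_node *root, const char *addr_str)
{
    uint8_t addr[16];
    const struct lpm_node *n = root;
    int best = -1;

    if (!root || inet_pton(AF_INET6, addr_str, addr) != 1)
        return -1;
    for (int i = 0; n && i < 128; i++) {
        if (n->has_entry)
            best = n->value;
        n = n->child[addr_bit(addr, i)];
    }
    if (n && n->has_entry)          /* exact /128 match */
        best = n->value;
    return best;
}

/* Constructed sample table: documentation prefixes, hypothetical rule ids. */
struct lpm_node *build_sample_table(void)
{
    struct lpm_node *root = lpm_new();
    if (!root)
        return NULL;
    /* rule 0: catch-all; 1-3: increasingly specific; 4: link-local; 5: one host */
    if (lpm_insert(root, "::", 0, 0) ||
        lpm_insert(root, "2001:db8::", 32, 1) ||
        lpm_insert(root, "2001:db8:1::", 48, 2) ||
        lpm_insert(root, "2001:db8:1:2::", 64, 3) ||
        lpm_insert(root, "fe80::", 10, 4) ||
        lpm_insert(root, "2001:db8:ffff::1", 128, 5)) {
        lpm_free(root);
        return NULL;
    }
    return root;
}

int main(void)
{
    const char *probes[] = { "2001:db8:1:2::7", "2001:db8:1:3::7",
                             "2001:db8:9::1", "2001:db8:ffff::1",
                             "fe80::1", "2a00::1" };
    struct lpm_node *t = build_sample_table();
    if (!t)
        return 1;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-20s -> rule %d\n", probes[i], lpm_lookup(t, probes[i]));
    lpm_free(t);
    return 0;
}
```

Each probe resolves to the most specific covering prefix: a host inside 2001:db8:1:2::/64 hits rule 3, a neighbour in 2001:db8:1:3::/64 falls back to the /48 (rule 2), an address outside every specific prefix lands on the ::/0 entry (rule 0). Unparseable input returns -1 rather than being silently matched, which is the behaviour a filter front end should insist on.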
* Re: netfilter IPv6 support
From: Jeff Garzik @ 2004-08-26 21:11 UTC
To: David S. Miller; +Cc: thomasz, linux-kernel
On Thu, Aug 26, 2004 at 02:06:37PM -0700, David S. Miller wrote:
> On Thu, 26 Aug 2004 16:25:36 -0400
> Jeff Garzik <jgarzik@pobox.com> wrote:
>
> > As Andi puts it, there is no infinite hash.
>
> Using hash tables would be the problem :-)
>
> Longest matching prefix lookup algorithms are a well researched area.
> One we have not taken advantage of much at all. This is more than
> evident in our routing and netfilter code and I'm working to do
> something about it. :-)
Well, I interpreted Andi's statement as a more general complaint about
the overhead of per-connection resources involved in stateful
firewalling.
For example, a NAT box behind which 32,000 hosts sit, or something like
that :)
Jeff