From: Pierre Rondou <prondou@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: behave@ietf.org, v6ops@ietf.org, netfilter-devel@vger.kernel.org,
guy.leduc@ulg.ac.be, evyncke@cisco.com,
Cyril Soldani <cyril.soldani@ulg.ac.be>
Subject: Re: Netfilter Module for NAT IVI available
Date: Wed, 25 May 2011 14:59:46 +0200
Message-ID: <4DDCFD42.3010708@gmail.com>
In-Reply-To: <1306252554.3026.66.camel@edumazet-laptop>
On 24/05/11 17:55, Eric Dumazet wrote:
>
>>>>
>>>>
>>> Hi Pierre
>>>
>>> 1) Are you sure netfilter is the right place for this IVI feature?
>>> (the fact that you had to copy/paste ~1300 lines of code from the kernel
>>> might show that it would be better to use a module hooked into the
>>> forwarding stack?)
>>>
>>>
>> I used Xtables to produce my module; the fact is that I was (and still am) a
>> kernel newbie, and Xtables seemed to be a good way to produce this code.
>> I'm not sure what you're referring to; are you suggesting I should
>> have developed the module directly into the kernel?
>>
>>
> We were all kernel newbies at the very beginning ;)
>
Sure, unfortunately there is no real book to teach new coders what
they should do.
>
>>> 2) How can this integrate with a {conntrack enabled} firewall?
>>>
>>>
>>>
>> I can't ... It's a drawback of the module. The fact is that I have only
>> found very little documentation about the conntrack code, so I dropped the
>> idea of dealing with it.
>> But it shouldn't be difficult to update the conntrack for a kernel pro, I
>> guess ;-)
>>
> This has to be discussed before even coding ;)
>
> One packet going through this gateway has one IPv6 side and one IPv4
> side. This can be a problem for firewalling (either it's IPv4 or it's
> IPv6) and conntracking.
>
>
>
It is a problem, that's for sure.
But as stated before, I didn't find any suitable conntrack doc :(
My main thesis goal is to provide a working module, conntrack support
would be a bonus, but for now, I cannot do it on my own because of a
lack of conntrack knowledge.