[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter-devel
Subject:    Re: [Proposal] ip_conntrack_tuple extension for advanced matching
From:       Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 () gmx ! net>
Date:       2006-09-26 14:45:22
Message-ID: 45193D02.1010509 () gmx ! net
[Download RAW message or body]

Patrick McHardy wrote:
> Carl-Daniel Hailfinger wrote:
>> Martijn Lievaart wrote:
>>
>>> <citaat van="Patrick McHardy">
>>>
>>>> Pablo Neira Ayuso wrote:
>>>>
>>>>> Carl-Daniel Hailfinger wrote:
>>>>>
>>>>>
>>>>>> Would a patch for adding such a feature be accepted into mainline?
>>>>> IHMO, your numering schema is not convenient. I would not accept such
>>>>> patch since I can't see any other utility apart from supporting your
>>>>> setting.
>>>> Me neither, the network setup is obviously broken. Its also a bit harder
>>>> than just extending the conntrack keys, you need also need to take care
>>>> of NAT unique tuple generation, expectations and ICMP error tracking.
>>>> That still leaves a few corner cases, but nothing terribly important.
>>> This would be possible with multiple network stacks (aka virtual routers),
>>> something I've been thinking about but is way beyond my capabilities.
>>
>> IIRC that has already been implemented by Extreme Networks in their
>> Linux-based routers. The only problem is that I can't find any source
>> code from them. Will inquire further.
> 
> OpenVZ might help. I think it virtualizes the conntrack table etc., so
> you could use one virtual instance for each interface and NETMAP them
> to seperate networks.

Thanks! I'll look at that code.


Regards,
Carl-Daniel

[prev in list] [next in list] [prev in thread] [next in thread]