Christopher Chan wrote:
ip src/dest is used for routing decisions by the kernel. The IP state
machine (check the RFC or any decent TCP/IP textbook) is really quite
simple. But iptables sticks its nose into the center of that state
machine and can mangle addresses to change how packets flow through
the machine, or just simply yank packets right out of the machine
with a simple NO (drop).
So in my mind's eye of the IP state machine (my MSU CPS 410 prof was
death on state machines; turn in a perfectly executing assignment
without one and there went half your grade. See HIP for its state
machine) is dictated by iptables as to what it is allowed to route.
That just means iptables can influence routing by manipulating packet
headers. Routing is still controlled by the kernel.
We are playing with words here, and English tends to be too rich in
interpretation. I work on standards. I let one regional joke be left in an
RFC: 2410, the Null ESP cipher. There we joke about the null cipher
having a key length of zero. A very American joke, for at the time we were
killing aspects of the ITAR control on crypto export. But a few years
later, over at my day job at ICSAlabs, we are trying to figure out why
this one firewall product for TW is not working with the others. The
connections are terminated in the ISAKMP negotiation. We dig down and
find that there is an ISAKMP ESP-NULL proposal with a key payload with a
value of zero. No one else is accepting this and rejects the whole
ISAKMP exchange per the ISAKMP RFC. We then find a few other IPsec
implementations coming out like this and all the authors are people
following on, just reading the RFCs and NOT getting the joke. There are
some MAD developers as they have to change their code, and some blushing
IETFers as we realize we have to maintain the lore of the RFC
development as there are other RFCs with zingers in them.
Over at the IEEE 802, we are voting ballots on wording that can be
interpreted one way with the Webster dictionary and another with the
Oxford dictionary.
So I am right about iptables controlling routing and you are right about
iptables NOT controlling routing, only influencing it. What does
'control' mean in this context? IEEE is really big on state machines and
truly covers the transfer of 'control' from one layer to another. Look
at the MLME in 802.11. Look at the 802.1X machines. So since I have to
live this control architecture and work in live debates about what layer
is controlling what, I have a particular language set.
BTW, should we table this debate? Webster says that means stopping,
'taking the subject off the table.' Oxford says that means to start,
'placing the subject on the table.' Boy did we have some moments back in
the mid-90s when the ISO crowd descended on the IETF. Also can we reach
a consensus here? Webster will accept a majority, Oxford wants complete
agreement. (Or at least that is what these sources said back in the
mid-90s when we lived Bernard Shaw's line of: 'Two nations separated by
a common language')
:)
Now I have to hop over to the Asterisk list to figure why with one
firewall the INVITE properly redirects the RTP to the RTP server, and
with the other firewall this is not in the INVITE so the RTP flow
does not..... ARGH!!!!!
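To make the "influence versus control" point above concrete, here is a small added model (not code from this thread or from the netfilter project) of the order Linux actually processes a forwarded packet: PREROUTING hooks run first and may rewrite headers, then the kernel makes its routing decision from whatever headers it now sees, then the FORWARD hook may drop the packet. The route table, the rewrite rule and the drop rule are constructed sample data; the function and rule names are assumptions made for illustration only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dropped: bool = False

# Constructed routing table: (prefix, egress device). Longest prefix wins,
# exactly as the kernel's FIB lookup does.
ROUTES = [
    ("10.0.0.0/8", "eth1"),
    ("10.1.0.0/16", "eth2"),
    ("0.0.0.0/0", "eth0"),
]

# Constructed PREROUTING rule (DNAT-style): rewrite destination before routing.
# Hypothetical rule shape: (match dst prefix, new dst).
PREROUTING_DNAT = [("192.0.2.0/24", "10.1.5.5")]

# Constructed FORWARD filter rule: drop by source prefix after routing.
# Hypothetical rule shape: (match src prefix, verdict).
FORWARD_FILTER = [("198.51.100.0/24", "DROP")]

def route_lookup(dst, routes=ROUTES):
    """Kernel's job: pick the egress device by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def prerouting(pkt, rules=PREROUTING_DNAT):
    """iptables' job: mangle headers; it never consults the route table."""
    for prefix, new_dst in rules:
        if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(prefix):
            return Packet(pkt.src, new_dst)
    return pkt

def forward_filter(pkt, rules=FORWARD_FILTER):
    """iptables' other job: yank the packet out with a DROP verdict."""
    for prefix, verdict in rules:
        if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(prefix):
            if verdict == "DROP":
                return Packet(pkt.src, pkt.dst, dropped=True)
    return pkt

def forward(pkt):
    """Run one packet through PREROUTING -> routing decision -> FORWARD.

    Returns (egress_device, delivered). The egress device is chosen by
    route_lookup alone; iptables only changes what route_lookup is shown
    or whether the packet survives afterwards.
    """
    pkt = prerouting(pkt)
    egress = route_lookup(pkt.dst)      # kernel decides here, on mangled headers
    pkt = forward_filter(pkt)
    if pkt.dropped:
        return (egress, False)
    return (egress, True)

if __name__ == "__main__":
    for p in (Packet("203.0.113.7", "192.0.2.10"),   # DNAT changes the route
              Packet("203.0.113.7", "10.2.3.4"),     # untouched, /8 route
              Packet("198.51.100.9", "10.2.3.4"),    # routed, then dropped
              Packet("203.0.113.7", "8.8.8.8")):     # default route
        print(p, "->", forward(p))
```

The first packet is the interesting one: its original destination 192.0.2.10 would fall to the default route on eth0, but the DNAT rewrite hands the kernel 10.1.5.5 and the kernel's own longest-prefix match sends it out eth2. The third packet shows the other half of the argument: the route is computed, and the FORWARD drop simply prevents it from being used.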
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos