On Tuesday 24 May 2011 at 17:46 +0200, Pierre Rondou wrote:
> On 24/05/11 16:56, Eric Dumazet wrote:
> > On Thursday 05 May 2011 at 03:18 +0200, Pierre Rondou wrote:
> >
> >> Hello everybody,
> >>
> >> I'm currently a student at the University of Liège. As part of my master
> >> thesis, I have to develop a Linux kernel module for IVI (
> >> http://datatracker.ietf.org/doc/rfc6219/ ).
> >>
> >> I now consider my module as finished (i.e., all functionalities are
> >> implemented) and publish it.
> >>
> >> It is available on sourceforge:
> >>
> >> http://sourceforge.net/projects/nativi/
> >>
> >> Feel free to test it and report to me any bug, bad implementation,
> >> error, ...
> >>
> >> If you believe that this module can be included in the Linux Kernel or
> >> in the Xtables-addons framework, I'll be glad and will help you in this
> >> task.
> >>
> >>
> >> I have tested my module inside the Xtables-addons framework (version
> >> 1.32) on a debian squeeze (6.0.1) linux with a 2.6.32-5 kernel (i686).
> >>
> >> Because of the lack of "EXPORT_SYMBOL" in the kernel, I had to
> >> copy-paste several functions from the kernel into the
> >> nativi_kernel_code.c file in order to use some features already
> >> available in the kernel (ip_finish_output, ip6_output, icmp_send).
> >>
> >> Documentation is provided in the source code, if you have any question
> >> don't hesitate to ask me.
> >>
> >>
> > Hi Pierre
> >
> > 1) Are you sure netfilter is the right place for this IVI feature ?
> > (fact that you had to copy/paste ~1300 lines of code from kernel
> > might show that this would be better to use a module hooked into
> > forwarding stack ?)
> >
> I used Xtables to produce my module, fact is that I was (and still am) a
> kernel nooby, Xtables seemed to be a good way to produce this code.
> I'm not sure to what you're referring about, are you suggesting I should
> have developed the module directly into the kernel?
>

We were all kernel newbies at the very beginning ;)

> > 2) How this can integrate a {conntrack enabled} firewall ?
> >
> >
>
> I can't ... It's a drawback of the module. The fact is that I have only
> found very little documentation about conntrack code, so I dropped the
> idea of dealing with it.
> But it shouldn't be difficult to update the conntrack for a kernel pro I
> guess ;-)

This has to be discussed before even coding ;)

One packet going through this gateway has one IPv6 side and one ipv4 side.

This can be a problem to firewalling (either it's ipv4, or it's ipv6)
and conntracking.