Re: Netfilter Module for NAT IVI available

Not that I've really been following the thread.
But I think that this sort of functionality should most likely be
developed as a virtual (tun/tap/veth/sit) style tunnel-like device.

You would use ipv4/ipv6 routing in the normal kernel to direct traffic
out this virtual interface, and immediately ipv6/ipv4 traffic would
come back out of it.

This should allow all the rest of the kernel (including connection
tracking) to function normally - although of course every connection
would be registered in an unrelated way twice (once as v4, once as
v6).

I think this has nice 'black box' semantics.

On Wed, May 25, 2011 at 14:59, Pierre Rondou <prondou@xxxxxxxxx> wrote:
> On 24/05/11 17:55, Eric Dumazet wrote:
>>
>>>>>
>>>>>
>>>>
>>>> Hi Pierre
>>>>
>>>> 1) Are you sure netfilter is the right place for this IVI feature ?
>>>>    (fact that you had to copy/paste ~1300 lines of code from kernel
>>>> might show that this would be better to use a module hooked into
>>>> forwarding stack ?)
>>>>
>>>>
>>>
>>> I used Xtables to produce my module, fact is that I was (and still am) a
>>> kernel nooby, Xtables seemed to be a good way to produce this code.
>>> I'm not sure what you're referring to, are you suggesting I should
>>> have developed the module directly into the kernel?
>>>
>>>
>>
>> We were all kernel newbies at the very beginning ;)
>>
>
> Sure, unfortunately there is no real book to teach new coders on what they
> should do.
>
>>
>>>>
>>>> 2) How this can integrate a {conntrack enabled} firewall ?
>>>>
>>>>
>>>>
>>>
>>> I can't ... It's a drawback of the module. The fact is that I have only
>>> found very little documentation about conntrack code, so I dropped the
>>> idea of dealing with it.
>>> But it shouldn't be difficult to update the conntrack for a kernel pro I
>>> guess ;-)
>>>
>>
>> This has to be discussed before even coding ;)
>>
>> One packet going through this gateway has one IPv6 side and one ipv4
>> side. This can be a problem to firewalling (either it's ipv4 or it's
>> ipv6) and conntracking.
>>
>>
>>
>
> It is a problem, that's sure.
> But as stated before, I didn't find any suitable conntrack doc :(
> My main thesis goal is to provide a working module, conntrack support would
> be a bonus, but for now, I cannot do it on my own because of a lack of
> conntrack knowledge.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>