On Mon, 28 Nov 2011 20:25:48 +0000, Ulrich Weber wrote:
On 28.11.11 18:14, "Stephen Clark" wrote:
Probably a dumb question but are these patches for natting IPv6 to
IPv6 or IPv4 to IPv6?
These patches are for natting IPv6 addresses behind whole IPv6 subnets
or just behind one IPv6 address.
This is useful for multiple Internet uplinks, where you want full control
on the router over which connections are sent over which interface. Or it's
quite easy to set up load balancing rules or create a DMZ. There are lots of
use cases...
I'm going to dare to call FUD on those statements...
* Load Balancing - what is preventing your routing rules or packet
marking from using the same criteria as the NAT changer? Nothing. Load
balancing works perfectly fine without NAT.
* Outgoing packet control - packets will happily leave the "wrong"
interface after NAT unless you add routing and firewall controls
separate from NAT. Packet control works *better* without NAT erasing
the original IP information, which results in mistakenly NAT'ed packets
going out the wrong interface.
I have long been of the opinion that all NAT really offers is the
ability to easily and cleanly multi-home several global public prefixes
from a unified PI space. This is a very important aspect for some
networks, even with plentiful IPv6 addresses.
Claims and use of NAT as a security, load balancing, and routing
control is where most of the nasty side effects and behaviours are
streaming in from.
AYJ
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html