Please don't let this deviate into a flame war. I just said there are use cases, nothing more, nothing less. This is software. There are lots of ways to achieve the same goal. Every solution has its pros and cons; it's not always black and white.

On 28.11.2011 23:03, Amos Jeffries wrote:
> I'm going to dare to call FUD on those statements...
>
> * Load Balancing - what is preventing your routing rules or packet marking from using the same criteria as the NAT changer? Nothing. Load balancing works perfectly fine without NAT.
Nothing, you achieve the same in a different way. However, keep in mind that not all computers out there run Linux. It's quite simple to set up NAT rules; they work with every OS. On the other hand, balancing by changing the MAC address or with IPv6-in-IPv6 tunnels can be a headache to get going with Windows, Mac, Solaris and so on. Issues with DAD and source address selection don't make it easier. Have a look at net/netfilter/ipvs/ip_vs_xmit.c. There is a reason why NAT for IPv6 has already been in the kernel for three years.
> * outgoing packet control - packets will happily leave the "wrong" interface after NAT unless you add routing and firewall controls separate from NAT. Packet control works *better* without NAT erasing the original IP information, which results in mistakenly NAT'ed packets going out the wrong interface.
I fully agree. NAT cannot replace your firewall rules. However, with NAT you could get some kind of anonymity. Think of Tor: if your server/client operates with private IP addresses, your public IP address is still masked after a security breach.
> I have long been of the opinion that all NAT really offers is the ability to easily and cleanly multi-home several global public prefixes from a unified PI space. This is a very important aspect for some networks, even with plentiful IPv6 addresses.
Also, in my opinion, the most important reason for NAT.

Cheers
Ulrich

--
Ulrich Weber | ulrich.weber@xxxxxxxxxx | Senior Software Engineer
Astaro - a Sophos company | Amalienbadstr 41 | 76227 Karlsruhe | Germany
Phone +49-721-25516-0 | Fax -200 | www.astaro.com

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
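The two positions in this exchange (NAT66 to multi-home an internal prefix versus routing rules and packet marks doing the same job) can be put side by side in one Linux router configuration. The ruleset below is an added illustration, not code from either poster or from the netfilter project, and it uses nftables, which post-dates this 2011 thread. The interface names (lan0, wan0, wan1), the ULA prefix fd00:1::/64, and the 2001:db8:: upstream addresses are constructed for the example. It shows that the egress decision is a routing/marking decision whether or not NAT is used (Amos' point), that NAT only becomes necessary because the internal prefix is not routable upstream (Ulrich's multi-homing point), and that filtering must key on the pre-translation source address, which the forward hook still sees.

```nft
# Added example (not from the thread): multi-home an internal ULA prefix
# over two upstreams. Assumed/constructed topology:
#   lan0  fd00:1::/64         internal hosts (ULA, never announced upstream)
#   wan0  2001:db8:a::2/64    ISP A, gateway 2001:db8:a::1
#   wan1  2001:db8:b::2/64    ISP B, gateway 2001:db8:b::1
#
# 1. Egress selection is a routing decision, with or without NAT.
#    Flows are marked here; a policy-routing table per mark picks the WAN.
#    The tables are created once with iproute2 (assumed names/addresses):
#      ip -6 route add default via 2001:db8:a::1 dev wan0 table 100
#      ip -6 route add default via 2001:db8:b::1 dev wan1 table 101
#      ip -6 rule add fwmark 1 table 100
#      ip -6 rule add fwmark 2 table 101
table ip6 mangle {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        # packets of an existing flow keep the uplink the flow started on
        ct mark != 0 meta mark set ct mark
        # new flows from the LAN: pick uplink 1 or 2 per flow and remember it
        iifname "lan0" ct state new meta mark set numgen inc mod 2 offset 1 ct mark set meta mark
    }
}

# 2. NAT is needed only because fd00:1::/64 cannot be sourced upstream:
#    rewrite the source to the router's own address on the chosen WAN.
#    Without NAT (a PA prefix per ISP, or a PI prefix announced on both)
#    this table would simply be absent and section 1 would still work.
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" ip6 saddr fd00:1::/64 snat to 2001:db8:a::2
        oifname "wan1" ip6 saddr fd00:1::/64 snat to 2001:db8:b::2
    }
}

# 3. Access control keys on the internal address, not the translated one.
#    The forward hook runs before srcnat, so ip6 saddr is still the
#    original fd00:1:: address; return traffic is matched by conntrack.
table ip6 filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # only LAN hosts may open flows, and only towards an uplink
        iifname "lan0" ip6 saddr fd00:1::/64 oifname { "wan0", "wan1" } accept
        # unsolicited inbound flows to fd00:1::/64 fall through to drop
    }
}
```

Note that the mangle table, not the nat table, is what keeps a flow on one uplink: if section 2 were deleted the per-flow mark and the fwmark rules would still steer traffic, which is the sense in which load balancing "works perfectly fine without NAT". The ULA-only addressing inside also sidesteps the source-address-selection issue Ulrich mentions, since each host has a single usable address, but at the cost of the translation step and the loss of end-to-end addresses in anything logged upstream.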