Re: Combine ipv4 and ipv6 in a set

On Tue, Jan 30, 2024 at 05:00:50PM +0000, Slavko wrote:
> On 30 January 2024 15:17:32 UTC, Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
> 
> >Granted, one cannot create a set that is typed in such a way that an element can be either an IPv4 or IPv6 address/interval. 
> 
> Nowadays IPv6 becomes more and more common. While almost all
> can stay on IP(v4) only host, not all can use IPv6 only host (yet, as many
> services are still IPv4 only). In other words, many will have dual stack,
> to be able to access (or be accessible for) all, and they will need dual stack FW,
> and IMO will need it for many years.

The correct way to do it would be to develop/install for IPv6 only TODAY
and use a transition technology (NAT64/DNS64 for example for client
access, and reverse proxies for services) to support IPv4 as a legacy
protocol.

> Having separate support for IPv4 and IPv6 was acceptable at the time, when
> ip6tables was born, but nowadays IMO firewall cannot be named modern,
> if any of its part separates that. And any argument (memory, complexity,
> etc) against it is pointless, as dual stacks are (and will be) here.

I find it ok to have separate rule sets for IPv4 and IPv6. They are
different protocols in the first place. But it should be possible to
hide this separation from the person writing the rules, making it
possible to have a definition for a dual-stack host, creating dual-stack
rules without even noticing that.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
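Marc's point above, that the IPv4/IPv6 split should be hidden from the person writing the rules, as an added example (not code from the list or from any poster): a POSIX shell generator that takes one mixed address list for a host and emits an nftables inet table with two typed sets plus the matching ip/ip6 rules. The table, set and chain names and the documentation addresses are assumed for illustration.

```shell
# Turn one logical dual-stack allow-list into an nftables ruleset.
# nftables sets are single-family, so the generator splits the list into
# an ipv4_addr set and an ipv6_addr set inside one inet table and emits a
# rule per family; the rule author only maintains the mixed list.
# Constructed example: addresses are RFC 5737 / RFC 3849 documentation ranges.

# addr_family ADDR -> prints 4, 6, or nothing for an unparseable entry
addr_family() {
    case "$1" in
        *:*)      printf '6' ;;   # any colon means IPv6 (address or prefix)
        *.*.*.*)  printf '4' ;;   # dotted quad, optionally with /len
        *)        printf '' ;;
    esac
}

# emit_set NAME TYPE ELEMENTS -> one nft set definition; an empty element
# list is omitted because `elements = { }` is not accepted by nft.
emit_set() {
    if [ -n "$3" ]; then
        printf '\tset %s { type %s; flags interval; elements = { %s } }\n' "$1" "$2" "$3"
    else
        printf '\tset %s { type %s; flags interval; }\n' "$1" "$2"
    fi
}

# gen_ruleset NAME ADDR... -> nft ruleset text on stdout (feed to `nft -f -`)
gen_ruleset() {
    name=$1; shift
    v4=''; v6=''
    for a in "$@"; do
        case "$(addr_family "$a")" in
            4) v4="${v4:+$v4, }$a" ;;
            6) v6="${v6:+$v6, }$a" ;;
            *) printf 'skipping unparseable address: %s\n' "$a" >&2 ;;
        esac
    done
    printf 'table inet filter {\n'
    emit_set "${name}_v4" ipv4_addr "$v4"
    emit_set "${name}_v6" ipv6_addr "$v6"
    printf '\tchain input {\n\t\ttype filter hook input priority 0; policy drop;\n'
    printf '\t\tip saddr @%s_v4 accept\n' "$name"
    printf '\t\tip6 saddr @%s_v6 accept\n' "$name"
    printf '\t}\n}\n'
}
```

Run as `gen_ruleset trusted 192.0.2.10 2001:db8::1 198.51.100.0/24 | nft -f -` to load it; entries that match neither family are reported on stderr rather than silently dropped.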