Re: Scaling Max IP address limitation
From: Kyle Moffett
Date: Sun Jun 24 2007 - 17:51:53 EST
On Jun 24, 2007, at 15:58:54, Jan Engelhardt wrote:
On Jun 24 2007 15:08, Kyle Moffett wrote:
Do you really need that many IP addresses? When somebody finally
gets around to implementing REDIRECT support for ip6tables then
you could just redirect them all to the same port on the local
system.
The way I see it, it's: "if someone gets around to implement *IPv6
NAT*" (which, if its designers were asked, is contrary to the idea
of ipv6).
I totally agree. On the other hand, you need REDIRECT for things
like transparent proxies which by definition aren't visible as
anything other than a router or bridge.
Having routing table operations, IPsec transformations, etc just
be another step in the firewall rules would also be useful. It
would be handy to be able to "-j ROUTE", then "-j IPSEC", then "-j
ROUTE" again, to re-route the now-encapsulated IPsec packets to
their proper destination.
Absolutely...
That would also eliminate the sort-of-hacky problems with
destination network interface in the bridging code:
Where's the hack? iptables operates on what it sees, and it sees
br0. The physdev match is justified IMO.
The problem is this:
I want to be able to filter bridged network traffic *both* based on
the IP layer *and* the physical device it's going to be routed out.
Due to fundamental problems with a statically-ordered architecture,
it's impossible to get both, see commit
68df071a201f06b08cdc07111c6d4af918e64edd (found here: http://
lists.netfilter.org/pipermail/netfilter-devel/2006-December/
026388.html). Basically if you want such cross-layer hooks, right
now your *ONLY* choice is to use marks with 2 drawbacks: (1) There
are a very small number of marks which must be carefully allocated by
your firewall-setup script (2) Marks are inherently extremely
fragile for passing data between layers.
"-j BRIDGE" might be another step in the process, and conceivably
you could have independent bridge MAC tables too.
Whether a packet goes out a bridge (was that the intention of -j
BRIDGE?) is determined by the routing table, which, in most cases,
is just a matter of destination address.
No, the intent of "-j BRIDGE" would be _after_ "-j ROUTE" and some
kind of "-j ARP", to actually compute which physical port a given
packet should go.
That would also appear to get rid of the need for all tables other
than
"filter" and all predefined chains other than "INPUT" and
"OUTPUT". Default
rules would be these:
nettables -A INPUT -j CONNTRACK
nettables -A INPUT -j LOCALMATCH
nettables -A INPUT --for-this-host -j ACCEPT
nettables -A INPUT -j OUTPUT
I'd prefer if Linux outputted its packets by default :)
Well the problem is this: Do you want the packet accepted locally or
forwarded. If forwarded, how do you want it routed, and which
physical port do you want it to go out? Without a statically-coded
ordering for all those things there is no way to say what the
"default" is. You would need some way to switch between iptables/
ip6tables (for compatibility) and pkttables/nettables (for advanced
functionality).
But this idea may have its benefit: by not restricting rules to
certain positions like currently, throughput could be achieved.
"Evil packets" f.e. could be dropped really early. (Well, you could
also drop them early _today_, but a DROP in the mangle table will
everyone make their eyes roll
It does give you a million more ways to shoot yourself in the foot.
Some things would have constraints like "output device must be
set" (BRIDGE/ARP, for example). If you accidentally stuck non-
constrained things in the wrong order you could get totally-non-IP-
compliant behavior. On the other hand, it does give you many choices
about IPsec before or after ROUTING (or after one routing step and
before another), etc.
Cheers,
Kyle Moffett
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/