Free Software programmer
This blog existed before my current employment, and obviously reflects my own opinions and not theirs. This work is licensed under a Creative Commons Attribution 2.1 Australia License.
Fri, 10 Sep 2004
Yay! Working on netfilter code again. Some decisions made at the
netfilter summit to simplify the code. In particular, we've decided
to (try to) get rid of some complex code in the core. Firstly, it's
time to remove the ipfwadm and ipchains backwards compatibility code.
I had to provide a special interface half-way into the NAT and
connection tracking code for these layers: getting rid of that will
allow various cleanups. Secondly, NAT mapping to multiple ranges is a
very rarely-used feature which complicates the core; it can be
simulated anyway with a random match which chooses a different NAT rule
for each connection.
Finally, for local Destination NAT, if we send the packet out a
different interface, we also do Source NAT to match the interface
address. This has always been questionable, and means that we now
have multiple NATs on a single hook. Changing this is likely to break
some setups, but many people do not enable local NAT anyway.
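As an added example (not code from the post or from the netfilter project) of the "random match" replacement for multi-range NAT mentioned above, the script below emits one DNAT rule per range instead of one rule with several ranges. It assumes the mainline name of the random match, `-m statistic --mode random --probability P`; the chain, port and address ranges are constructed for illustration. Because rules in a chain are tried in order, giving N ranges equal odds means the k-th rule must fire with probability 1/(N-k+1), i.e. 1/3, 1/2 and 1 for three ranges; this is the detail that is easy to get wrong when hand-writing such a ruleset.

```shell
#!/bin/sh
# Added example: emulate "DNAT to multiple ranges" with one rule per range,
# selected by the statistic (random) match. Assumptions: the match is
# "-m statistic --mode random --probability P" (mainline name of the random
# match); chain, port and ranges are constructed, not from the original post.

# Probability that rule k (1-based) of n should fire so that all n rules
# end up equally likely: 1/(n-k+1). Printed via awk, since sh has no floats.
rule_probability() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.6f", 1 / (n - k + 1) }'
}

# Print (do not apply) the iptables commands that DNAT TCP port $1 to the
# ranges given as the remaining arguments. Pipe into sh to apply them.
gen_random_dnat_rules() {
    port=$1; shift
    n=$#
    k=1
    for range in "$@"; do
        remaining=$((n - k + 1))
        if [ "$remaining" -eq 1 ]; then
            # Last rule: no random match, it takes whatever is left.
            echo "iptables -t nat -A PREROUTING -p tcp --dport $port" \
                 "-j DNAT --to-destination $range"
        else
            prob=$(rule_probability "$n" "$k")
            echo "iptables -t nat -A PREROUTING -p tcp --dport $port" \
                 "-m statistic --mode random --probability $prob" \
                 "-j DNAT --to-destination $range"
        fi
        k=$((k + 1))
    done
}

# Constructed example: spread port 80 over three backend ranges.
gen_random_dnat_rules 80 10.0.0.1-10.0.0.3 10.0.1.1-10.0.1.3 10.0.2.1
```

The nat table only ever sees the first packet of a connection, so a per-packet random decision here becomes a per-connection choice of NAT mapping, which is exactly what the post says the random match can stand in for.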
[/tech]