Tue, 11 Oct 2005

Netfilter Workshop / Summit

Good weather in Seville. I imbibed a little too much on the Friday night celebrating the cluefulness of the Australian High Court, so was less effective on the second hacking day than I would have liked.

Some points included:

  1. A solution for peer-to-peer NAT and BEHAVE: Jesse Peng provided the idea. Basically, a P2PNAT target which keeps a hash table to ensure we don't allocate the same source IP/port to two NAT connections. This allows us to do hairpin NAT (it probably needs to set up an expectation to catch these). It also needs to set a flag so TCP window tracking will allow simultaneous open, and not drop immediately on RST (the latter can happen if the other end firewalls).
  2. Nfsim seems to be attracting more of a following in the core team. Jozsef committed window tracking tests! Harald wants netlink support, and also an actual nfsim release. I applied updates for 2.6.14 (thanks to Max Kellermann), and cleaned up the tests a little.
  3. More thinking and progress on the use of a hash trie. There are several benefits for speed and scalability, although there are still fairly sizable tuning questions. Martin Josefsson is playing here.
  4. Possible simplification and scalability improvements on the expectation code. It's more general than it needs to be at the moment.
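To make point 1 concrete, here is a small user-space model of the P2PNAT idea, added as an illustration and not netfilter code or anything presented at the workshop. It keeps one external (IP, port) per internal endpoint, never hands the same external pair to two mappings, and detects hairpin traffic (an inside host addressing the NAT's own external address) so the destination can be rewritten back to the inside. Class and method names, the external address 203.0.113.1 and the port pool are hypothetical; the expectation setup and TCP tracking flags the post mentions are not modelled.

```python
"""Endpoint-independent NAT binding table (illustrative model, not netfilter code)."""
from dataclasses import dataclass
from itertools import chain


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class P2PNat:
    """One external endpoint per internal endpoint, regardless of peer (BEHAVE style)."""

    def __init__(self, external_ip: str, port_range=(1024, 65535)):
        self.external_ip = external_ip          # hypothetical single external address
        self.port_range = port_range
        self.bindings: dict[Endpoint, Endpoint] = {}  # internal -> external
        self.in_use: dict[Endpoint, Endpoint] = {}    # external -> internal (the "hash table")

    def map_outbound(self, internal: Endpoint) -> Endpoint:
        """Return the stable external endpoint for `internal`, allocating one if needed."""
        existing = self.bindings.get(internal)
        if existing is not None:
            return existing                     # same mapping for every peer
        # Prefer port preservation, then the first free port in the pool; the
        # in_use table is what stops two internal hosts sharing one external pair.
        for port in chain([internal.port], range(*self.port_range)):
            candidate = Endpoint(self.external_ip, port)
            if candidate not in self.in_use:
                self.bindings[internal] = candidate
                self.in_use[candidate] = internal
                return candidate
        raise RuntimeError("external port pool exhausted")

    def translate(self, src: Endpoint, dst: Endpoint):
        """Translate an inside-originated packet.

        Returns (new_src, new_dst, hairpin). On hairpin, dst is rewritten to the
        internal endpoint that owns the external pair; a packet aimed at an
        unmapped port on the NAT address is left alone (a real target would drop it).
        """
        new_src = self.map_outbound(src)
        owner = self.in_use.get(dst)
        if dst.ip == self.external_ip and owner is not None:
            return new_src, owner, True
        return new_src, dst, False
```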

[/tech] permanent link