nf_conntrack & NAT
Jozsef Kadlecsik
kadlec at blackhole.kfki.hu
Wed Dec 7 12:22:22 CET 2005
On Tue, 6 Dec 2005, Herve Eychenne wrote:
> On Tue, Dec 06, 2005 at 09:13:21PM +0530, Harald Welte wrote:
>
> > for stuff like redirecting traffic, all you really need is stateless
> > rewriting of the destination address. If people want that, the entire
> > implementation fits in a single ip6tables target. No relation to
> > nf_conntrack at all.
>
> Stateless? And what if you want the response (of the packets which have
> been redirected) to come back with their initial address, as if they
> had not been redirected? (if the client shouldn't know that, if this
> should be transparent to him)
> This is also known as DNAT, for which the state has to be stored, right?
>
> So, in one word: if we definitely need DNAT with IPv4 today, why
> wouldn't we need DNAT with IPv6?
IPv6 is not just IPv4 with a larger address space. Definitely there is no
need for DNAT in order to make a server with a private address available.
But I can imagine, for example, replacing the "need" for DNAT with anycast
in IPv6 for load balancing.
Old hacks and workarounds should not be reimplemented blindly.
Best regards,
Jozsef
-
E-mail : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary