Jesper’s IPTables::libiptc is a Perl module which allows you to modify Netfilter rules from Perl. He is the maintainer and it is available on CPAN. It currently supports up to iptables 1.4.10 (version 0.51 of IPTables::libiptc).
It dynamically loads xtables.so and libiptc.so to access the iptables features. It is fast because it does not suffer from the iptables limitation of applying modifications one at a time (each iptables invocation fetches, modifies and commits the whole table). Performance is quite good: it takes only 16 seconds to generate and load an 80,000-rule ruleset, compared to the 42 hours that direct iptables calls would take.
Jesper would like to have a complete iptables library giving access to all functions, and in particular to the do_command() function. One interesting thing for him would be to have access to the test command.
Pablo does not want the team to guarantee that libiptc will never break API or ABI. As it is already exported, it is not possible to make it private again. As the part Jesper is interested in is tied to the user commands, there should be no API break. Thus exporting the function seems OK.
The next work Jesper wishes to do is to publish a wrapper module, IPTables::Interface, and move it to CPAN, maybe inside the IPTables::libiptc module.
hash_func(src, dst) = hash_func(dst, src), and it must be very fast to avoid slowing down conntrack. If this is done, it will be possible to get rid of the second tuple for all non-NATed conntrack entries.
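An added example (not netfilter code) of what such a direction-independent hash looks like: the two endpoints are put in a canonical order before hashing, so the original tuple and its reply tuple produce the same value and land in the same bucket. The tuple layout and the FNV-1a mixer are assumptions made for this illustration, not the kernel's nf_conntrack_tuple or its jhash-based hash.

```c
/* Added example, not kernel code: symmetric hash for a conntrack-style tuple.
 * Layout and mixer are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct endpoint {
    uint32_t ip;    /* IPv4 address, host byte order (assumed) */
    uint16_t port;
};

struct tuple {
    struct endpoint src;
    struct endpoint dst;
    uint8_t proto;
};

/* Canonical order: the lower (ip, port) pair goes first. */
static int endpoint_cmp(const struct endpoint *a, const struct endpoint *b)
{
    if (a->ip != b->ip) return a->ip < b->ip ? -1 : 1;
    if (a->port != b->port) return a->port < b->port ? -1 : 1;
    return 0;
}

/* FNV-1a over raw bytes: cheap, no per-packet allocation, no loops that
 * depend on anything but the fixed tuple size. */
static uint32_t fnv1a_feed(uint32_t h, const void *data, size_t len)
{
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* hash_func(src, dst) == hash_func(dst, src): the endpoints are sorted
 * before being fed to the mixer, so swapping them changes nothing. */
uint32_t symmetric_tuple_hash(const struct tuple *t)
{
    const struct endpoint *lo = &t->src, *hi = &t->dst;
    if (endpoint_cmp(lo, hi) > 0) {
        const struct endpoint *tmp = lo;
        lo = hi;
        hi = tmp;
    }
    uint32_t h = 2166136261u;
    h = fnv1a_feed(h, &lo->ip, sizeof lo->ip);
    h = fnv1a_feed(h, &lo->port, sizeof lo->port);
    h = fnv1a_feed(h, &hi->ip, sizeof hi->ip);
    h = fnv1a_feed(h, &hi->port, sizeof hi->port);
    h = fnv1a_feed(h, &t->proto, sizeof t->proto);
    return h;
}

/* The reply direction of t: the tuple a non-NATed entry would otherwise
 * have to store a second time. */
struct tuple reply_tuple(const struct tuple *t)
{
    struct tuple r = { t->dst, t->src, t->proto };
    return r;
}

unsigned tuple_bucket(const struct tuple *t, unsigned buckets)
{
    return symmetric_tuple_hash(t) % buckets;
}

/* Demo checks used by the stand-alone run below. */
int reply_hashes_to_same_bucket(void)
{
    struct tuple orig = { { 0x0a000001u, 40000 }, { 0xc0a80101u, 80 }, 6 };
    struct tuple repl = reply_tuple(&orig);
    return tuple_bucket(&orig, 65536) == tuple_bucket(&repl, 65536);
}

int different_flows_hash_differently(void)
{
    struct tuple a = { { 0x0a000001u, 40000 }, { 0xc0a80101u, 80 }, 6 };
    struct tuple b = { { 0x0a000001u, 40001 }, { 0xc0a80101u, 80 }, 6 };
    return symmetric_tuple_hash(&a) != symmetric_tuple_hash(&b);
}

int main(void)
{
    printf("reply in same bucket: %d\n", reply_hashes_to_same_bucket());
    printf("distinct flows differ: %d\n", different_flows_hash_differently());
    return 0;
}
```

Sorting the endpoints rather than XOR-ing them avoids the collision class a plain XOR creates (every tuple whose two endpoints XOR to the same value). The caveat that remains is the one in the note above: with a single stored tuple, lookup must compare against both orientations, and NATed entries (whose reply tuple is not just the swapped original) still need their second tuple.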
- Dynamic IPv6 prefixes: some ISPs decide not to give customers a fixed address
- Server load balancing, DMZ
- Uplink balancing (multi-homing): this is one of the most important reasons. An IPv6 client can handle multiple addresses, but you may not want your users to have to choose their Internet uplink themselves.
- No IPv6 NAT
- NAT66 ip6tables target (with or without conntrack dependency)
- Make nf_nat protocol independent and move it to net/netfilter (let the admin decide whether they want 1:1 or n:1)
- Any other solutions?
- developed layer-7 filter in userspace
- the filter is passed to a tool that generates byte-code
- the tool loads the byte-code into the kernel via nfnetlink
- The kernel does the classification
- nfgrep match can then be used to select or mark the flow
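The following is an added example of the split described in the list above; it is not nfgrep's own code. A userspace compiler turns a pattern into byte-code, a validator rejects malformed programs before they would be loaded, and a small interpreter of the kind a kernel-side classifier would run decides whether a payload matches. The pattern language (literals separated by `*`), the opcodes and the validation rules are assumptions made for this illustration.

```c
/* Added example, not nfgrep code: pattern -> byte-code -> bounded matcher.
 * Opcodes and pattern syntax are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OP_FIND <len> <len bytes>: advance to the next occurrence of the literal.
 * OP_ACCEPT: the payload matches. */
enum { OP_FIND = 1, OP_ACCEPT = 2 };

#define PROG_MAX 256

/* Userspace side. "GET *HTTP/1." becomes
 * [FIND 4 "GET "][FIND 7 "HTTP/1."][ACCEPT]; '*' just separates literals.
 * Returns the program length, or -1 if it does not fit. */
int compile_pattern(const char *pat, uint8_t *prog, size_t cap)
{
    size_t n = 0;
    while (*pat) {
        if (*pat == '*') { pat++; continue; }
        const char *start = pat;
        while (*pat && *pat != '*') pat++;
        size_t len = (size_t)(pat - start);
        if (len > 255 || n + 2 + len + 1 > cap) return -1;
        prog[n++] = OP_FIND;
        prog[n++] = (uint8_t)len;
        memcpy(prog + n, start, len);
        n += len;
    }
    if (n + 1 > cap) return -1;
    prog[n++] = OP_ACCEPT;
    return (int)n;
}

/* Kernel side, before the program is installed: every instruction must be
 * complete and the program must end in ACCEPT, so the interpreter can never
 * read past the buffer. Returns 1 if the program is acceptable. */
int validate_program(const uint8_t *prog, size_t len)
{
    size_t pc = 0;
    while (pc < len) {
        switch (prog[pc]) {
        case OP_FIND:
            if (pc + 2 > len || prog[pc + 1] == 0 || pc + 2 + prog[pc + 1] > len)
                return 0;
            pc += 2 + prog[pc + 1];
            break;
        case OP_ACCEPT:
            return pc + 1 == len;
        default:
            return 0;
        }
    }
    return 0;   /* fell off the end without ACCEPT */
}

/* Kernel side, per packet: run a validated program over the payload.
 * No backtracking; work is bounded by payload length times program length. */
int run_program(const uint8_t *prog, size_t plen, const uint8_t *data, size_t dlen)
{
    size_t pc = 0, pos = 0;
    while (pc < plen) {
        if (prog[pc] == OP_ACCEPT) return 1;
        size_t len = prog[pc + 1];
        const uint8_t *lit = prog + pc + 2;
        size_t i = pos;
        int found = 0;
        for (; i + len <= dlen; i++) {
            if (memcmp(data + i, lit, len) == 0) { found = 1; break; }
        }
        if (!found) return 0;
        pos = i + len;          /* later literals must follow this one */
        pc += 2 + len;
    }
    return 0;
}

/* Compile, validate and run in one go; -1 means the program was rejected. */
int payload_matches(const char *pattern, const char *payload)
{
    uint8_t prog[PROG_MAX];
    int plen = compile_pattern(pattern, prog, sizeof prog);
    if (plen < 0 || !validate_program(prog, (size_t)plen)) return -1;
    return run_program(prog, (size_t)plen, (const uint8_t *)payload, strlen(payload));
}

/* A hand-built program whose FIND claims 5 bytes but carries only one:
 * exactly what the validator must refuse to load. */
int truncated_program_accepted(void)
{
    const uint8_t bad[] = { OP_FIND, 5, 'a' };
    return validate_program(bad, sizeof bad);
}

int main(void)
{
    /* Constructed sample payloads. */
    printf("%d\n", payload_matches("GET *HTTP/1.", "GET /index.html HTTP/1.1\r\n"));
    printf("%d\n", payload_matches("GET *HTTP/1.", "POST / HTTP/1.1\r\n"));
    printf("%d\n", truncated_program_accepted());
    return 0;
}
```

The point of the three stages is where the trust boundary sits: the compiler may be arbitrarily clever in userspace, but whatever arrives over nfnetlink is untrusted input to the kernel, so the loader validates every instruction once and the per-packet interpreter then runs with no length it has not already checked.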
"nf_conntrack: table full, dropping packet" is not accurate, because the packet simply has no state as far as conntrack is concerned. Usually such packets get blocked by the rules that drop INVALID traffic, but an adapted ruleset could let them through.
nf_conntrack_tcp_timeout_syn_sent when under attack. This could make the bad entries disappear faster.