Harald Welte's blog

Harald's Web
gnumonks.org
hmw-consulting.de
sysmocom.de

Projects
OpenBSC
OsmocomBB
OsmocomTETRA
deDECTed.org
gpl-violations.org
gpl-devices.org
OpenMoko
gnufiish
OpenEZX
OpenBeacon
OpenPCD
librfid
openmrtd
opentom.org
netfilter/iptables

Categories

Root (1072)
- ccc (26)
- dect (2)
- electronics (19)
- gsm (123)
  - osmocom-bb (7)
- knf (4)
- linux (697)
  - a780 (39)
  - conferences (127)
  - cyberjack (4)
  - gnuradio (5)
  - gpl-violations (138)
  - gspc (6)
  - mobile (29)
  - mrtd (35)
  - netfilter (117)
  - openmoko (52)
  - opentom (7)
  - samsung (1)
  - via (23)
- misc (18)
- osmocom (7)
- personal (111)
  - bollywood (17)
  - taiwan (3)
- photography (9)
- politics (30)
  - swpat (3)
- tetra (3)

Archives

2012 (18)
- May (1)
- April (2)
- March (8)
- February (1)
- January (6)
2011 (47)
- December (2)
- November (3)
- October (3)
- September (3)
- August (1)
- July (5)
- June (9)
- May (5)
- April (6)
- March (3)
- February (2)
- January (5)
2010 (96)
2009 (146)
2008 (106)
2007 (53)
2006 (154)
2005 (248)
2004 (198)
2003 (5)
2002 (1)

Other Bloggers
David Burgess
Zecke
Dieter Spaar
Michael Lauer
Stefan Schmidt
Rusty Russell
David Miller
Martin Pool
Jeremy Kerr
Tim Pritlove (German)
fukami (German)
fefe (German)
Bradley M. Kuhn
Lawrence Lessig
Kalyan Varma

Aggregators
kernelplanet.org
planet.netfilter.org
planet.openezx.org
planet.openmoko.org
planet.foss.in

identi.ca
twitter
flattr
Linked in
Xing

Articles on this blog/journal are licensed under a Creative Commons Attribution-NoDerivs 2.5 License.

Contact/Impressum

Tue, 27 Jan 2004

Trying to make 2.6.x IPsec and conntrack/nat work

Spent some time thinking about how to possibly solve the long standing problem with conntrack/NAT and the 2.6.x in-kernel AH/ESP implementation.
The recent discussion on netfilter-devel was quite productive, although most of my ideas turned out to be without technical possibility :(
For example, iptables cannot attach the same CHAIN to multiple HOOKS. That would be so neat. Would somebody remind me that that has to go into pkttables?
Anyway, I've now written a surprisingly small (but still ugly) patch that should do about 60% of the solution upon which we agreed on the mailing-list.
Unfortunately, I don't have the time to set up a full IPsec test bed right now, so I have to rely on others to test it..

[ /linux/netfilter | permanent link ]

Ulogd is becoming a flow accounting subsystem

Some nice Russian guy wrote a patch to add BSD like ipacct flow accounting to ulogd. This is something I had on my wish list for quite some time.

He has written an OUTPUT plugin that does all the flow accounting and file-writing itself. However, I have an idea of how this could be implemented in a more generic way: Implement flow accounting as interpreter, and return a pointer to a struct flowinfovia a new ulog_iret_t. This way any output plugin could reference flow information for the current flow.

[ /linux/netfilter | permanent link ]

Why do people have to make winter holidays?

I tried to get a train reservation on Friday/Saturday between Berlin and Nuernberg. All the trains, even the night trains (sleeper trains) on Friday or Saturday morning are fully booked out.

Apparently winter holidays in Berlin are starting and everybody is heading south to Bavaria and Austria for winter 'sports'. Kind of annoying that you cannot even get a single ticket five days in advance.

[ /personal | permanent link ]

More work on the fail-over code

Currently Astaro is paying me for my development on the netfilter conntrack fail-over code. That's what I'm supposed to be working on, at the least... I should stop reading my email in the morning, because otherwise my whole day will be filled with other stuff that just results from reading emails.

Anyway, the fail-over has been progressing, slowly but steadily. I should expect some working code any day now.

Thanks again to [ /linux/netfilter | permanent link ]

Harald Welte's blog

	RSS Harald's Web gnumonks.org hmw-consulting.de sysmocom.de Projects OpenBSC OsmocomBB OsmocomTETRA deDECTed.org gpl-violations.org gpl-devices.org OpenMoko gnufiish OpenEZX OpenBeacon OpenPCD librfid openmrtd opentom.org netfilter/iptables Categories Root (1072) ccc (26) dect (2) electronics (19) gsm (123) osmocom-bb (7) knf (4) linux (697) a780 (39) conferences (127) cyberjack (4) gnuradio (5) gpl-violations (138) gspc (6) mobile (29) mrtd (35) netfilter (117) openmoko (52) opentom (7) samsung (1) via (23) misc (18) osmocom (7) personal (111) bollywood (17) taiwan (3) photography (9) politics (30) swpat (3) tetra (3) Archives 2012 (18) May (1) April (2) March (8) February (1) January (6) 2011 (47) December (2) November (3) October (3) September (3) August (1) July (5) June (9) May (5) April (6) March (3) February (2) January (5) 2010 (96) 2009 (146) 2008 (106) 2007 (53) 2006 (154) 2005 (248) 2004 (198) 2003 (5) 2002 (1) Other Bloggers David Burgess Zecke Dieter Spaar Michael Lauer Stefan Schmidt Rusty Russell David Miller Martin Pool Jeremy Kerr Tim Pritlove (German) fukami (German) fefe (German) Bradley M. Kuhn Lawrence Lessig Kalyan Varma Aggregators kernelplanet.org planet.netfilter.org planet.openezx.org planet.openmoko.org planet.foss.in identi.ca twitter flattr Linked in Xing Articles on this blog/journal are licensed under a Creative Commons Attribution-NoDerivs 2.5 License. Contact/Impressum	Tue, 27 Jan 2004 Trying to make 2.6.x IPsec and conntrack/nat work Spent some time thinking about how to possibly solve the long standing problem with conntrack/NAT and the 2.6.x in-kernel AH/ESP implementation. The recent discussion on netfilter-devel was quite productive, although most of my ideas turned out to be without technical possibility :( For example, iptables cannot attach the same CHAIN to multiple HOOKS. That would be so neat. Would somebody remind me that that has to go into pkttables? Anyway, I've now written a surprisingly small (but still ugly) patch that should do about 60% of the solution upon which we agreed on the mailing-list. Unfortunately, I don't have the time to set up a full IPsec test bed right now, so I have to rely on others to test it.. [ /linux/netfilter \| permanent link ] Ulogd is becoming a flow accounting subsystem Some nice Russian guy wrote a patch to add BSD like ipacct flow accounting to ulogd. This is something I had on my wish list for quite some time. He has written an OUTPUT plugin that does all the flow accounting and file-writing itself. However, I have an idea of how this could be implemented in a more generic way: Implement flow accounting as interpreter, and return a pointer to a struct flowinfovia a new ulog_iret_t. This way any output plugin could reference flow information for the current flow. [ /linux/netfilter \| permanent link ] Why do people have to make winter holidays? I tried to get a train reservation on Friday/Saturday between Berlin and Nuernberg. All the trains, even the night trains (sleeper trains) on Friday or Saturday morning are fully booked out. Apparently winter holidays in Berlin are starting and everybody is heading south to Bavaria and Austria for winter 'sports'. Kind of annoying that you cannot even get a single ticket five days in advance. [ /personal \| permanent link ] More work on the fail-over code Currently Astaro is paying me for my development on the netfilter conntrack fail-over code. That's what I'm supposed to be working on, at the least... I should stop reading my email in the morning, because otherwise my whole day will be filled with other stuff that just results from reading emails. Anyway, the fail-over has been progressing, slowly but steadily. I should expect some working code any day now. Thanks again to [ /linux/netfilter \| permanent link ]