Bug #311

Detecting NAT and firewall rules on an interface is a PITA

Added by Dave Täht on Nov 27, 2011. Updated on Nov 27, 2011.
New Urgent Dave Täht

Description

If there is any one place where I have shot myself in the foot hundreds of times this year alone, it’s on NAT. I keep plugging things into other things and missing a firewall rule or forgetting to turn off NAT, and boom, any routing protocol daemon will get confused by this.

Merely ‘remembering’ as the idjit admin involved that interface X is natted is not good enough, at least, not for this idjit.

It would be good if there was a kernel event that a routing daemon could subscribe to, a query, a sysfs file, some sort of API that says ‘yes, virginia, this interface is natted for IPv4’ or ‘natted for IPv6’, and god help you if you announce any routes over it.

Similarly, being able to detect if a major firewall rule was in place, preventing forwarding in particular, would also help.

While you can do this via scripting, or maybe by linking to the iptables library, that’s painfully slow, and there is no ‘event’ per se that I know of. Maybe there is, who knows?

This was also sort of discussed on homenet, and when the NAT patches for IPv6 came around, I kind of lost it…

History

This is a static export of the original bufferbloat.net issue database. As such, no further commenting is possible; the information is solely here for archival purposes.
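
The scripting route mentioned in the description, as an added example that is not part of the original report or of any project code: a parser for `iptables-save` output that reports, per outgoing interface, source-NAT rules and forwarding blocks. The sample ruleset and interface names are constructed; it is a polling check, not the kernel event the report asks for, and it does not follow jumps into user-defined chains.

```python
import shlex
from collections import defaultdict

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.0.2.1
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD ! -i eth1 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

NAT_TARGETS = {"MASQUERADE", "SNAT"}
BLOCK_TARGETS = {"DROP", "REJECT"}

def _opt(tokens, flag):
    """Value of flag, prefixed with '!' if negated; '*' if the flag is absent."""
    if flag not in tokens:
        return "*"  # no interface match means the rule applies to all of them
    i = tokens.index(flag)
    neg = "!" if i > 0 and tokens[i - 1] == "!" else ""
    return neg + tokens[i + 1]

def audit(ruleset):
    """Summarise source NAT and forwarding blocks keyed by outgoing interface."""
    nat, blocked, policy, table = defaultdict(list), defaultdict(list), {}, None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":"):          # chain declaration with its policy
            chain, pol = line[1:].split()[:2]
            policy[(table, chain)] = pol
        elif line.startswith("-A "):        # appended rule
            t = shlex.split(line)
            chain, target = t[1], _opt(t, "-j")
            if table == "nat" and chain == "POSTROUTING" and target in NAT_TARGETS:
                nat[_opt(t, "-o")].append(target)
            elif table == "filter" and chain == "FORWARD" and target in BLOCK_TARGETS:
                blocked[_opt(t, "-o")].append(target)
    return {"nat": dict(nat), "forward_blocked": dict(blocked),
            "forward_policy": policy.get(("filter", "FORWARD"))}
```

On a live system the input would be the text printed by `iptables-save`; a key of `*` means the rule has no `-o` match and so applies to every interface.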