[Cerowrt-devel] preliminary codel and fq_codel support for cerowrt
Dave Taht
dave.taht at gmail.com
Wed May 16 10:52:16 PDT 2012
The problem with most home router firewalls today is that they have a strict
"us" vs "them" concept in them, and are closely tied to what can be
NATed, or not, which limits our internet to tcp and udp.
Recently the concept of 'guest' has been added to many devices,
which doesn't work particularly well.
A problem with "us vs them" and extending this sort of thinking
to ipv6, is that interesting new protocols such as
sctp, hip, rdp, dccp, rsvp esp, gre, ah, skip, ospf, vrrp, isis, manet, shim6,
wesp, and rohc...
are all blocked by default in ipv6, too.
It doesn't need to be this way.
I have hated living in a world of purely tcp on port 80 and 443.
Seeing udp begin to fail in multiple respects - such as dns,dhcp, voice, etc
really bothers me.
So cerowall attempted (I've never finished it) to use pattern matching
in iptables, and device renaming, to make it possible to have a nearly
default free zone (DFZ) for guests, and use a bare minimum of rules,
to pass through...
and the core idea was also be able to pass ALL protocols everywhere,
under ipv6.
The current openwrt firewall solution scales O(n) where n = the number
of interfaces
the cerowall idea scales O(n) where n = the number of different zones.
Firewalling is responsible for a minimum of 11% of the current runtime,
with the current firewall rules, with 6 interfaces in play.
CeroWall did a lot better, while opening up new vistas to play in.
--
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net
More information about the Cerowrt-devel
mailing list