[Cerowrt-devel] [Cake] conntrack and ipv6

Jonathan Morton chromatix99 at gmail.com
Sun Jul 3 03:44:06 EDT 2016


> On 3 Jul, 2016, at 09:16, David Lang <david at lang.hm> wrote:
> 
>> It is generally my hope that ipv6 nat will not be widely deployed.
>> 
>> Firewalls will be stateful instead, and thus there would be no need to
>> access the conntrack information for ipv6 in cake.
> 
> well, conntrack is the way that the firewall handles its state. Conntrack also has features to let you sync its state from one system to its backup so that failover maintains the state.

Yes, but the point is that in a stateful firewall (as opposed to NAT) no changes to IP addresses occur while traversing the router.  Cake can therefore see the correct addresses without probing conntrack data.

There's still a huge number of people on IPv4 NAT though.

 - Jonathan Morton


