Sat Jan 22 04:42:18 PST 2011

From: Francois Tigeot <ftigeot at>
Subject: Re: Time to let go of ipfilter
Date: Sat, 22 Jan 2011 13:40:21 +0100

On Sat, Jan 22, 2011 at 08:04:17PM +1100, Edward O'Callaghan wrote:
> more my point, +1
> to EOL'ing older solutions that are no longer maintained or scalable.
> One of the things that I myself consider a 'feature' of Dragonfly is
> less old junk running in kernel space (both important on a security
> and stability stand point) and a less bulky userland.

Can't agree more.

Speaking of future packet filtering improvements, we also need NAT64

Traditional NAT maps IP addresses between two IPv4 spaces; we may call
it NAT44 (IPv4 to IPv4).
NAT64 maps IPv4 addresses to an IPv6 space. It allows you to run an
IPv6 only network and still have access to legacy IPv4 resources.

It works in combination with a special DNS64 resolver which translates
A records to AAAA. AFAIK, DNS64 support is implemented in new versions
of most of the leading DNS daemons (Bind, Unbound, etc...).

DNS64/NAT64 is already used by some ISPs. I tested Andrews & Arnold's
gateway for a brief time; it worked flawlessly:

This technology allows you to shut down IPv4 on your network today and
still be operational.
There are patches for OpenBSD 4.6 pf here:

Some links on this subject:

Francois Tigeot
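
The A-to-AAAA synthesis and the NAT64 mapping described in the message above, as an added example that is not part of the original post and is not the pf patch it mentions. It follows the RFC 6052 address embedding for all six prefix lengths; the well-known prefix 64:ff9b::/96, the function names and the sample addresses are assumptions, since the thread names none.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; an assumption here, the thread names no prefix.
WKP = ipaddress.ip_network("64:ff9b::/96")
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)

def _prefix(prefix):
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"not a usable NAT64 prefix: {prefix}")
    return net

def _policy(net, v4):
    # RFC 6052 section 3.1: the well-known prefix must not carry non-global IPv4
    # (RFC 1918 and similar); otherwise IPv6 clients could address private v4 hosts.
    if net == WKP and not v4.is_global:
        raise ValueError(f"{v4} is not global; refusing to map it under {WKP}")

def synthesize(v4, prefix=WKP):
    """DNS64 side: turn the address of an A record into the AAAA answer."""
    net, v4 = _prefix(prefix), ipaddress.IPv4Address(v4)
    _policy(net, v4)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in v4.packed:
        if pos == 8:          # octet 8 is reserved and stays zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))

def extract(v6, prefix=WKP):
    """NAT64 side: recover the IPv4 destination, or None if outside the prefix."""
    net, v6 = _prefix(prefix), ipaddress.IPv6Address(v6)
    if v6 not in net:
        return None
    raw, pos, octets = v6.packed, net.prefixlen // 8, bytearray()
    while len(octets) < 4:
        if pos == 8:          # skip the reserved octet on the way back
            pos += 1
        octets.append(raw[pos])
        pos += 1
    v4 = ipaddress.IPv4Address(bytes(octets))
    _policy(net, v4)
    return v4

if __name__ == "__main__":
    # Constructed sample: documentation prefix and documentation IPv4 address.
    aaaa = synthesize("192.0.2.33", "2001:db8:122:344::/96")
    print(aaaa, "->", extract(aaaa, "2001:db8:122:344::/96"))
```
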
