Bug 197916
Field | Value
---|---
Summary: | FutureFeature policy match
Product: | Red Hat Enterprise Linux 4
Component: | kernel
Version: | 4.0
Hardware: | All
OS: | Linux
Status: | CLOSED NOTABUG
Severity: | medium
Priority: | medium
Keywords: | FutureFeature
Doc Type: | Enhancement
Reporter: | xoleron
Assignee: | Daniel Riek <riek>
QA Contact: | Brian Brock <bbrock>
CC: | jbaron, jwest, oliver, tao
Target Milestone: | ---
Target Release: | ---
Last Closed: | 2010-06-07 05:28:42 UTC
Description
Steffen Mann
2006-07-07 11:54:26 UTC
Target Milestone RHEL4.5

Why is this feature or bug fix required?:
Client is a large Telecom (T-Systems). They currently run the following setup: 2xRHEL vpn -> client site (client requires that T-Systems only uses assigned trusted addresses). However, as IPSec is involved, they also need to translate their addresses with SNAT and DNAT. Additionally, both VPN-GW are in a Trusted Net that requires NAT-Traversal.

What is the impact (customer impact, revenue impact) of NOT providing this feature or bug fix?
Potentially they would lose a lot of clients that would go for a RHEL solution.

Is a workaround available?
Well, yes, use two physical boxes and route the traffic in between them; this comes in as additional cost, HW & SW.

iptables from version 1.3.5 onwards integrates 'Policy-Match'; the kernel also requires a patch from Patrick McHardy that's already upstream in kernel 2.6.16 as well as in FC5 in 2.6.15.

Description for policy to be found here: http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-policy

At first this has to make it into the kernel, second the header file has to get integrated into glibc-kernheaders, then it can be enabled in iptables. Assigning to kernel for now. Please assign to glibc-kernheaders afterwards and, if it is done for these packages, reassign to iptables.

Any update on this bug?

Adding fdechery to the cc list as the manager of the disabled user xoleron who reported this bug.