Bug 197916 - FutureFeature policy match
Summary: FutureFeature policy match
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Riek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-07-07 11:54 UTC by xoleron
Modified: 2010-06-07 05:28 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-07 05:28:42 UTC
Target Upstream Version:
Embargoed:



Description Steffen Mann 2006-07-07 11:54:26 UTC
Description of problem:
Customer and customer's customers wish to have 'policy match' available for
iptables.

Internal Prio3
Customer Prio2

Comment 1 Steffen Mann 2006-07-07 12:09:45 UTC
Target Milestone RHEL4.5

Why is this feature or bug fix required?:

Client is a large Telecom (T-Systems).
They currently run the following setup:
2xRHEL vpn -> client site (client requires that T-Systems only uses assigned
trusted addresses)

However, as IPSec is involved, they also need to translate their addresses with
SNAT and DNAT

Additionally both VPN-GW are in a Trusted Net that requires NAT-Traversal 


What is the impact (customer impact, revenue impact) of NOT providing this
feature or bug fix?
Potentially they would lose a lot of clients that would go for a RHEL solution.
Is a workaround available? Well, yes, use two physical boxes and route the
traffic in between them, this comes in as additional cost HW & SW.

iptables from version 1.3.5 onwards integrates 'Policy-Match'; the kernel also
requires a patch from Patrick McHardy that's already upstream in kernel 2.6.16
as well as in FC5 in 2.6.15.
Description for policy to be found here:

http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-policy




Comment 2 Thomas Woerner 2006-07-07 18:41:41 UTC
At first this has to make it into the kernel, second the header file has to get
integrated into glibc-kernheaders, then it can be enabled in iptables.

Assigning to kernel for now. 

Please assign to glibc-kernheaders afterwards and if it is done for these
packages, reassign to iptables.

Comment 4 Oliver Schulze L. 2007-07-12 14:23:17 UTC
any update on this bug?

Comment 6 Red Hat Bugzilla 2008-07-30 06:16:13 UTC
Adding fdechery to the cc list as the manager of the disabled user xoleron who reported this bug

