Red Hat Bugzilla – Bug 197916
FutureFeature policy match
Last modified: 2010-06-07 01:28:42 EDT
Description of problem: Customer and customers customers, wish to have 'policy match' available for iptables. Internal Prio3 Customer Prio2
Target Milestone RHEL4.5 Why is this feature or bug fix required?: Client is a large Telecom (T-Systems) they currently run following setup: 2xRHEL vpn -> client site (client requires that T-Systems only uses assigned trusted addresses However as IPSec is involved also they need to translate theis addreses with SNAT amd DNAT Additionally both VPN-GW are in a Trusted Net that requires NAT-Traversal What is the impact (customer impact, revenue impact) of NOT providing this feature or bug fix? Potentially they would loose a lot of client that would go for a RHEL solution. Is a workaround available? Well, yes, use two physical boxes and route the traffic in between them, this comes in as additional cost HW & SW. iptables from Version 1.3.5 onwards integrates 'Policy-Match', kernel also requires a patch from Patrick McHardy that's already in upstream in kernel2.6.16 as well as in FC5 in 2.6.15. Description for policy to be found here: http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-policy
At first this has to make it into the kernel, second the header file has to get integrated into glibc-kernheaders, then it can be enabled in iptables. Assigning to kernel for now. Please assign to glibc-kernheaders afterwards and if it is done for these packages, reassign to iptables.
any update on this bug?
Adding fdechery@redhat.com to the cc list as the manager of the disabled user xoleron@redhat.com who reported this bug