Patrick McHardy wrote: > Al Boldi wrote: > >>>The problem is that people think they are safe with the filter table, > >>>when in fact they need the prerouting chain to seal things. Right now > >>>this is only possible in the mangle table. > >> > >>Why do they need PREROUTING? > > > > Well, for example to stop any transient packets being forwarded. You > > could probably hack around this using mark's, but you can't stop the > > implied route lookup, unless you stop it in prerouting. > > This also works fine in FORWARD with a little extra overhead. > If you really have to save resources, you should use PREROUTING/raw > to also avoid the creation of a connection tracking entry. Yes sure, if you use nat. But can you see how forcing people into splitting their rules across tables adds complexity. And without ipt_REJECT patch, they can't even use REJECT in prerouting, which forces them to do some strange hacks. IMHO, we should make things as easily configurable as possible, and as things stand right now, the filter-table is completely useless for 99% of use-cases. Thanks! -- Al - To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html