Re: [RFD] iptables: mangle table obsoletes filter table

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Al Boldi wrote:
> Patrick McHardy wrote:
> 
>>Al Boldi wrote:
>>
>>>Well, for example to stop any transient packets being forwarded.  You
>>>could probably hack around this using mark's, but you can't stop the
>>>implied route lookup, unless you stop it in prerouting.
>>
>>This also works fine in FORWARD with a little extra overhead.
>>If you really have to save resources, you should use PREROUTING/raw
>>to also avoid the creation of a connection tracking entry.
> 
> 
> Yes sure, if you use nat.

Conntrack.

> But can you see how forcing people into splitting 
> their rules across tables adds complexity.  And without ipt_REJECT patch, 
> they can't even use REJECT in prerouting, which forces them to do some 
> strange hacks.
> 
> IMHO, we should make things as easily configurable as possible, and as things 
> stand right now, the filter-table is completely useless for 99% of 
> use-cases.


Sure, as I said, patches to remove the arbitary restrictions to
tables are welcome, but please do this for all targets and
matches which allow this, not only REJECT. And if you include a
seperate (tested) patch for the IPv4 and IPv6 REJECT targets
I'll consider it as well.
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux