Re: Passive OS fingerprinting.

Evgeniy Polyakov wrote:
> On Tue, Jul 01, 2008 at 04:16:28PM +0200, Patrick McHardy (kaber@xxxxxxxxx) wrote:
>> I truly hope it will be since I'm working (slowly, as time permits)
>> on the *tables successor that will implement things like this in
>> userspace. Every module we add that adds more complicated logic in
>> the kernel will make adding an iptables compat layer harder.
>
> It still is very tempting to implement such things as iptables modules.
> For example, I am considering creating a tunnel-like device and an iptables
> target to implement an ip-over-dns tunnel, and I need an iptables extension
> since I only control a single machine outside of my ISP which is not firewalled.
> Having a new way of writing iptables extensions requires updating
> existing machines, which is frequently not possible
> (like existing enterprise (r) (c) (tm) solutions...)


Yes, I only mean for matching purposes. Target functionality
can usually not be reached through combination.