On Thu, 3 Jul 2008, Jan Engelhardt wrote:

> You know what's been bugging me... why don't we replace the entire
> routing infrastructure by an xtables "route" table, with something like
>
> # rp_filter
> iptables -t route -A ROUTING -m route ! --route-src-exists -j DROP
>
> # policy routing
> iptables -t route -A ROUTING -m statistic --mode nth --every 2
> -j ROUTE --dev eth0
>
> # ipsec (vaguely)
> iptables -t route -A OUTPUT -s 192.168.1.0/24 -d 192.168.2.0/24
> -j IPSEC --mode tunnel --right-side 82.83.84.85
>
> That would get rid of the tons of different-kind tables (xt tables,
> routing tables, routing rules, xfrm policy and xfrm subs) and
> put it into one thing people understand reasonably well.

The nf-hipac people also suggested it a long time ago. One can find a lot of
smaller and bigger missing pieces, like a new table, new hook; if we'd
associate a 'routing table' to a 'chain in the iptables route table', then
we'd need default policy support (i.e. default route) for the user defined
chains too, etc.

If iptables were converted to netlink, that'd be a huge step toward such a
goal.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
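For readers who want to see concretely what "tons of different-kind tables" means, the script below is an added example, not part of the thread and not code from either poster: it spells out Jan's three hypothetical `iptables -t route` rules using the mechanisms Linux actually has (sysctl for rp_filter, a mangle MARK rule plus `ip rule`/`ip route` for the nth-packet policy route, and `ip xfrm policy` for the tunnel). The `-m route`, `-j ROUTE` and `-j IPSEC` names in the quoted mail do not exist; everything here uses real `sysctl`, `iptables`, `ip rule`, `ip route` and `ip xfrm` syntax. The local tunnel endpoint `LOCAL_IP`, the fwmark value and the table number are assumptions chosen for the example; the commands are only printed unless `DRY_RUN=0` is set, and the IPsec SAs themselves are not created (an IKE daemon normally does that).

```shell
#!/bin/sh
# Added example: the three rules from the quoted mail, expressed with the
# separate mechanisms that exist today.  DRY_RUN=1 (default) prints the
# commands instead of executing them, so this is safe to run anywhere.
DRY_RUN="${DRY_RUN:-1}"
LOCAL_IP="${LOCAL_IP:-10.0.0.1}"   # assumption: our own ("left side") address
MARK=1                             # assumption: fwmark used to select the table
TABLE=100                          # assumption: policy routing table number

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. "-m route ! --route-src-exists -j DROP" is strict reverse path
#    filtering, which today lives in sysctl, not in any netfilter table.
rp_filter_cmds() {
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# 2. "-m statistic --mode nth --every 2 -j ROUTE --dev eth0" needs three
#    mechanisms today: a mangle rule marking every 2nd packet, an ip rule
#    that picks a routing table by that mark, and a route in that table.
policy_route_cmds() {
    run iptables -t mangle -A PREROUTING -m statistic --mode nth --every 2 --packet 0 \
        -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default dev eth0 table "$TABLE"
}

# 3. "-j IPSEC --mode tunnel --right-side 82.83.84.85" is an xfrm policy pair
#    (outbound and inbound); the matching SAs are set up separately by IKE.
ipsec_cmds() {
    run ip xfrm policy add src 192.168.1.0/24 dst 192.168.2.0/24 dir out \
        tmpl src "$LOCAL_IP" dst 82.83.84.85 proto esp mode tunnel
    run ip xfrm policy add src 192.168.2.0/24 dst 192.168.1.0/24 dir in \
        tmpl src 82.83.84.85 dst "$LOCAL_IP" proto esp mode tunnel
}

all_cmds() {
    rp_filter_cmds
    policy_route_cmds
    ipsec_cmds
}

# How many distinct userspace tools the three rules touch today (the
# fragmentation the thread is complaining about).  Only meaningful in dry-run.
tool_count() {
    all_cmds | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

all_cmds
```

Running it with the default `DRY_RUN=1` lists six commands across three tools (sysctl, iptables, ip), with the `ip` ones further split over `rule`, `route` and `xfrm`; that spread is exactly what a single route table would fold into one place.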