Re: [PATCH,RFC] Route match


On Thursday 2008-07-03 17:51, Krzysztof Oledzki wrote:
>> >
>> > Quick and not good examples, I'd say. The main problem with rp_filter is
>> > that it drops the packets >silently<. The real benefit of such a match is
>> > the possibility to log (and drop) faked packets. If the patch had IPv6
>> > support, one could add that additionally (as far as I know) there's no
>> > rp_filter for IPv6 at all.
>>
>> You know what's been bugging me... why don't we replace the entire
>> routing infrastructure by an xtables "route" table, with something like
>
> Because routing in a firewall is slow and too complicated?
                                                     [Citation needed]

I fail to see why Xtables (not just a firewall) should be slower
than the routing table (without routing cache, to make it fair).

Iterating over an IPv4 table compares, at a minimum,
interface name(s), src/dst address and an L4 protocol, plus extra
flags like inversion.

Routing? Well, let's see, it can match src address, src interface,
out interface, dst address, and so on. Sounds pretty much like
the same.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
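The thread argues that the value of a route match over rp_filter is that a spoofed packet can be logged before it is dropped, instead of vanishing silently. The block below is an added example, not code from the thread, from the RFC patch, or from the netfilter project: a small user-space model of the reverse-path check (route lookup on the source address, compare the resulting output interface with the input interface), written so that failing packets produce a log line and a DROP verdict. The routing table, interface names, packets, and the function names (ROUTES, route_lookup, reverse_path_ok, filter_packets) are all constructed for illustration.

```python
"""Reverse-path check modelled in user space (added example, not from the thread).

The kernel's rp_filter does this lookup and drops silently; the point of a
loggable match is that the verdict and the reason can be recorded.  Routing
table, interfaces and packets below are constructed for the example.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: (destination prefix, output interface).
# Longest prefix wins, as in the kernel FIB.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),    # default route, uplink
    (ipaddress.ip_network("10.0.0.0/8"), "eth1"),   # internal network
    (ipaddress.ip_network("10.1.0.0/16"), "eth2"),  # more specific: DMZ
]


def route_lookup(addr: str) -> Optional[str]:
    """Longest-prefix match: return the output interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, oif in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, oif)
    return best[1] if best else None


def reverse_path_ok(src: str, iif: str, strict: bool = True) -> bool:
    """Reverse-path check on the *source* address of an incoming packet.

    strict: the route back to src must leave via the interface the packet
            arrived on (the only mode that catches an internal address
            arriving on the uplink).
    loose:  it is enough that src is routable at all; note that with a
            default route present every source is routable, so loose mode
            rejects nothing here.
    """
    oif = route_lookup(src)
    if oif is None:
        return False
    return oif == iif if strict else True


Packet = Tuple[str, str, str]  # (src, dst, input interface)


def filter_packets(packets: List[Packet], strict: bool = True) -> List[Tuple[str, Optional[str]]]:
    """Return (verdict, log line) per packet.

    Packets failing the reverse-path check get a log line naming the
    interface the route would have used, and are then dropped; this is the
    log-and-drop behaviour the thread wants instead of a silent drop.
    """
    results = []
    for src, dst, iif in packets:
        if reverse_path_ok(src, iif, strict):
            results.append(("ACCEPT", None))
        else:
            line = (f"rp-fail src={src} dst={dst} in={iif} "
                    f"expected_out={route_lookup(src)}")
            results.append(("DROP", line))
    return results


if __name__ == "__main__":
    # Constructed sample traffic: a DMZ host seen on its own interface, the
    # same address arriving on the uplink (spoofed), and an external source.
    sample = [
        ("10.1.2.3", "10.0.0.1", "eth2"),
        ("10.1.2.3", "10.0.0.1", "eth0"),
        ("8.8.8.8", "10.0.0.1", "eth0"),
    ]
    for (src, dst, iif), (verdict, log) in zip(sample, filter_packets(sample)):
        print(f"{src:>10} -> {dst:<10} in={iif}: {verdict}" + (f"  [{log}]" if log else ""))
```

Run it directly to see the three verdicts; the second packet is the spoofed one and is the only one that produces a log line. Switching `strict=False` accepts it, which is the reason the strict variant is the one worth modelling.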
