---------- Forwarded message ----------
Date: Mon, 12 Jan 2009 21:35:44
From: Marek Kierdelewicz <marek@xxxxxxx>
To: jengelh
Subject: iptables-1.4.1-1.4.2 change "Warn about use of DROP in nat table"

Hello,

Is there any particular reason for removing DROP target from nat table? Some people may be using this functionality (like me).

Access control for lan clients on my routers is done in PREROUTING chain of nat table in following way (in great simplification):

- DNAT to infoHost:infoPort1 tcp packets to port 80 from IP/MAC pair in ipset INFO-GRP1
- RETURN packets from IP/MAC pair in ipset
- DNAT tcp packets to port 80 to infoHost:infoPort2
- DROP rest of the packets

I know DROPping in nat table isn't perfect (doesn't filter out already established "connections"), but it should be less cpu-intensive as it's done for the first packet of a "connection". Removing DROP from nat table would force me to use DROPs in filter table. Wouldn't it be a bit more cpu-intensive?

Anyway thanks for the warning :-).

Regards,

--
Marek Kierdelewicz
Kierownik Działu Systemów Sieciowych, KoBa
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: admin@xxxxxxx
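The two placements of the access-control decision that the mail contrasts, written out as iptables-restore rulesets. This is an added example, not part of the message or of iptables itself: ruleset A is the nat-table layout the mail sketches, ruleset B keeps the DNAT rules in nat and moves the drop into filter/FORWARD. Names are assumptions: the LAN interface lan0, the info host 192.0.2.10 standing in for infoHost, ports 8081 and 8082 for infoPort1 and infoPort2, and an ipset LAN-OK for the unnamed set behind the RETURN rule; INFO-GRP1 is the set named in the mail.

```shell
#!/bin/sh
# Added example: not from the mail, not project code. Placeholder names:
# lan0, 192.0.2.10 (infoHost), 8081/8082 (infoPort1/infoPort2), ipset LAN-OK.
# Both ipsets are assumed to be of an ip,mac type, hence the "src,src" flags.

# Ruleset A, as described in the mail. The nat PREROUTING chain is only
# traversed by the first packet of each connection, so the final DROP never
# sees later packets of a flow conntrack already knows about.
nat_drop_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lan0 -p tcp --dport 80 -m set --match-set INFO-GRP1 src,src -j DNAT --to-destination 192.0.2.10:8081
-A PREROUTING -i lan0 -m set --match-set LAN-OK src,src -j RETURN
-A PREROUTING -i lan0 -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10:8082
-A PREROUTING -i lan0 -j DROP
COMMIT
EOF
}

# Ruleset B: DNAT stays in nat, the drop moves to the filter table. With the
# ESTABLISHED,RELATED accept placed first, the set lookup still runs only for
# the first packet of a flow, so the per-packet cost stays close to ruleset A.
# Flows that already exist keep passing until they expire; moving the LAN-OK
# rule above the conntrack rule closes that gap at the price of a set lookup
# on every packet.
filter_drop_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lan0 -p tcp --dport 80 -m set --match-set INFO-GRP1 src,src -j DNAT --to-destination 192.0.2.10:8081
-A PREROUTING -i lan0 -m set --match-set LAN-OK src,src -j RETURN
-A PREROUTING -i lan0 -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10:8082
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i lan0 -m set --match-set LAN-OK src,src -j ACCEPT
-A FORWARD -i lan0 -d 192.0.2.10 -p tcp --dport 8081 -j ACCEPT
-A FORWARD -i lan0 -d 192.0.2.10 -p tcp --dport 8082 -j ACCEPT
COMMIT
EOF
}

# Number of "-A" rules a ruleset carries; handy when comparing the two.
rule_count() {
    "$1" | grep -c '^-A'
}

# Syntax-check a ruleset without loading it, when iptables-restore is present
# (it needs root and the ipsets to exist, so this is best-effort only).
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        "$1" | iptables-restore --test
    else
        echo "iptables-restore not available, skipping syntax check for $1" >&2
    fi
}

# Stand-alone usage: print both rulesets and their rule counts.
if [ "${1:-}" = "show" ]; then
    for rs in nat_drop_ruleset filter_drop_ruleset; do
        echo "# $rs ($(rule_count "$rs") rules)"
        "$rs"
        echo
    done
fi
```

Run it as `sh example.sh show` to print both rulesets, or source it and pipe `filter_drop_ruleset` into `iptables-restore` on a router where the lan0 interface and both ipsets exist.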