On Friday 2012-01-20 01:23, Pablo Neira Ayuso wrote:

>> +#ifndef _NET_NETFILTER_XTABLES2_H
>> +#define _NET_NETFILTER_XTABLES2_H 1
>> +
>> +#define XTABLES2_VTAG "Xtables2 A8"
>
>I don't want to center the discussion on naming, but I'd prefer if we
>stick to xtables without version 2 and A8 (what does A8 mean, btw?).

Architecture no. 8 (it's in the technical PDFs posted last time).
I just had to enumerate the different implementation proposals that
we have had over time.

>At some point the old xtables infrastructure will be removed, then
>we'll have lots of references to xt2 in the tree.

That can be renamed afterwards when xt1 is gone. Right now I feel it
is a reasonable separation method, and the '2' is not present in any
static part of the kernel-user interface.

>> index 32bff6d..5b3d9ca 100644
>> --- a/net/netfilter/Kconfig
>> +++ b/net/netfilter/Kconfig
>> @@ -321,7 +321,13 @@ config NETFILTER_XTABLES
>>  This is required if you intend to use any of ip_tables,
>>  ip6_tables or arp_tables.
>>
>> -if NETFILTER_XTABLES
>> +config NETFILTER_XTABLES2
>> + tristate "Netfilter Xtables2 packet filtering"
>> + ---help---
>> + Xtables2 is a rework of the internal architecture of Xtables.
>> + It supersedes iptables, ip6tables, arptables and ebtables.
>
>My idea is that this does not supersede any of these tools.

Right, the wording is chosen a little weirdly, since no kernel
interface (except maybe sysfs) can replace a userspace tool to do
the talking.

>Instead, these tools should be ported to the netlink interface.
>I prefer if users don't notice any change regarding tools in the
>short term.

I have it all worked out :) they won't notice.

>I still think there's valuable work in Patrick's nftables. IMO, the
>scope of this work should be limited to providing the netlink
>interface for iptables (ip6tables, arptables, and so on), not modifying
>the command line tool syntax (which is a different discussion, don't
>get me wrong I'm not telling that revisiting the syntax is bad, but
>it's a different discussion and I don't want to mix things).

I concur, this is already underway in exactly the way you say it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
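Review bot: in the new header hunk, `#define XTABLES2_VTAG "Xtables2 A8"` carries no comment saying what the string is compared against or what "A8" denotes; since the reply explains it as "architecture no. 8", put that explanation in a comment above the #define (and state whether the string is part of the kernel-user interface), so the question does not get re-asked on the next round. The trailing `1` on `#define _NET_NETFILTER_XTABLES2_H 1` is also unusual for an include guard; a bare `#define _NET_NETFILTER_XTABLES2_H` is the common form.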
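Review bot: the Kconfig hunk deletes the `if NETFILTER_XTABLES` line (its matching `endif` is outside the hunk) but the quoted lines show no replacement `if`, so it is not visible whether the options that followed that guard still depend on NETFILTER_XTABLES or now lose the dependency; the hunk header counts 7 lines becoming 13, yet only one removal and five additions are quoted, so please show the rest of the hunk where the guard is presumably reopened. The new `config NETFILTER_XTABLES2` tristate also has no `depends on` or `select` line, leaving its relationship to NETFILTER_XTABLES undocumented, and the help text line "It supersedes iptables, ip6tables, arptables and ebtables." is contradicted in the discussion itself (a kernel option cannot replace userspace tools); reword it to say the option provides an alternative kernel backend that those tools are to be ported to.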