On Mon, Feb 27, 2012 at 01:18:58PM +0900, Darren Willis wrote:
> > 1) In the last Netfilter workshop, we decided that we're targeting
> > towards explicit helper configuration via iptables, i.e. something
> > like:
> >
> > ip6tables -I OUTPUT -t raw -s $SRC -d $DST \
> > -p udp --dport 547 -j CT --helper dhcpv6
> >
> > According to your report, this is exactly what distributors don't
> > want to do.
>
> Interesting. Well, my impression is that distributions don't want to
> add rules, but if they can't avoid it, they'll just have to cope.
> Is this changeover coming in the immediate future?

Yes. I'd like to send a patch for RFC to the mailing list any time soon.
I'll include you in the CC.

> > 2) The helper infrastructure is allowing us to filter broadcast
> > traffic but I think that it's been designed for a different purpose.
> > I know, we don't have any better by now. But in the meanwhile, we're
> > adding specific helpers to support each broadcast protocol.
>
> Agreed, while I think for now this helper is fine, I think it'd be
> nice to have a more generic multicast/broadcast helper, although it'd
> still need to have specific protocols baked into it to work (maybe
> netbios, dhcpv6, mDNS, LLMNR, SSDP, neighbour discovery, other
> things).

This is exactly what scares me. I don't like the idea of bloating the
kernel with lots of helpers for each single protocol.

I'm currently working on one user-space helper infrastructure. We can
use that infrastructure to implement this helper and many others. I've
got the patch in one branch of my kernel tree, it's still experimental
stuff, but I expect to have it done soon.

Would you be OK if we make this (and other helpers that will surely
follow up) in user-space?

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
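The explicit-helper configuration discussed above, written out as a complete rule set for a DHCPv6 client. This is an added example, not code from the thread or from the netfilter project; it assumes a conntrack helper named `dhcpv6` is loaded, that the `CT` target and the `helper` match are available, and the addresses are placeholders. It prints the commands by default (DRYRUN=1) and only applies them when DRYRUN=0.

```shell
#!/bin/sh
# Added example: attach the dhcpv6 conntrack helper explicitly in the raw
# table (no automatic helper assignment), then accept only the reply flows
# that helper has marked as expected. Placeholders: SRC, DST.

SRC="${SRC:-fe80::1}"        # placeholder client link-local address
DST="${DST:-ff02::1:2}"      # All_DHCP_Relay_Agents_and_Servers (constructed default)
IPT="${IPT:-ip6tables}"
DRYRUN="${DRYRUN:-1}"        # 1 = print the commands, 0 = run them (needs root)

run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Client -> server traffic (UDP 546 -> 547) gets the helper attached in the
# raw table, before conntrack creates the flow entry.
attach_dhcpv6_helper() {
    run "$IPT" -t raw -I OUTPUT -s "$SRC" -d "$DST" \
        -p udp --sport 546 --dport 547 -j CT --helper dhcpv6
}

# Replies are admitted only when conntrack marks them RELATED to a flow that
# carries the dhcpv6 helper; everything else stays under the INPUT policy.
accept_helper_expectations() {
    run "$IPT" -I INPUT -p udp --dport 546 \
        -m conntrack --ctstate RELATED -m helper --helper dhcpv6 -j ACCEPT
}

# Emit (or apply) the whole rule set.
dhcpv6_helper_rules() {
    attach_dhcpv6_helper
    accept_helper_expectations
}

dhcpv6_helper_rules
```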