On Wed, 8 May 2013 13:32:57 +0200 (CEST) Jan Engelhardt <jengelh@xxxxxxx> wrote:

> >Also, shouldn't xt_RAWNAT depend on nf_defrag_ipv4 module?
>
> Dunno. Being a module for really "raw" nf_conntrack-less static NAT, I
> feel no reason to make it hard-depend on nf_defrag, and instead leave it
> up to the user whether or not to load nf_defrag.
>
> I would tend to just ignore the fragment case for now, like many other
> modules. Comments against?
>

Yes, I think it's a better idea. The only argument against may be a security hole if someone relies on xt_RAWNAT and doesn't use nf_defrag. Though it's a poor argument imho.

> With nf_nat having gained IPv6 support, I also feel less inclined to
> keep xt_RAWNAT around.
>

nf_nat depends on conntrack and conntrack brings a huge overhead to such a simple task like NAT. xt_RAWNAT simply solves NAT problem, it definitely has to stay.