I haven't started a new thread here in ages, and this is something I've been toying with for a while. With the recent announcement of a feature-freeze on iptables 1.2.8, this seemed a reasonable time to start this thread. (targeting later releases, obviously, and hoping to spark some constructive discussion :^)

I was curious to hear what people might have as a 'wishlist' for iptables/netfilter capabilities. Every once in a while something comes up here that simply doesn't seem to have a good solution. My hope is that many of our personal wishes may already be possible, and by voicing them someone who has a solution may post it. And for any that don't presently have an answer, perhaps someone will be inspired to create one.

Personally I have four:

1 - revamped LOG entry format, especially cleaning up MAC.

2 - completely separate netfilter logging from kernel log streams. (not just redirecting infrequently-used kernel streams, but actual dedicated netfilter streams)

3 - Ability to match "original DestinationIP" of a DNATted packet in subsequent chains. Useful with a single physical interface but multiple IPs bound to it.

4 - addition of support for a REM field in rules. Would do nothing whatsoever except print the specified REMark text at the end of the rule in -L listings. Something like:

    iptables -A INPUT -p tcp --dport 22 -s a.b.c.d -j ACCEPT -REM JoelSSH

So that a -L listing could be easier & quicker to decipher sometimes. It would also allow "iptables -L -v -n | grep Joel" to list only rules, in all chains, with "Joel" in the comment.

j
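Wish #1 above is about the LOG target's MAC field, which is hard to read because the kernel emits destination MAC, source MAC and ethertype as one colon-joined run of 14 bytes. The following is an added example, not code from the post or from the netfilter project, showing one way to post-process kernel LOG lines so the MAC field is split into its parts and the prefix, key=value fields and bare flags (DF, SYN, ...) are separated. The two log lines embedded in it are constructed samples in the LOG target's real layout; the prefixes "SSH-IN:" and "OUT-DROP:" and the addresses are made up.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample lines (not from the original post); layout follows the
# netfilter LOG target: optional --log-prefix, then IN= ... key=value fields.
SAMPLE_LOG_LINES = [
    "Jan 10 12:34:56 fw kernel: SSH-IN: IN=eth0 OUT= "
    "MAC=00:50:56:a1:b2:c3:00:0c:29:d4:e5:f6:08:00 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=12345 DF PROTO=TCP SPT=45678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    # locally generated packet: OUT only, so the kernel prints no MAC= field
    "Jan 10 12:35:01 fw kernel: OUT-DROP: IN= OUT=eth0 SRC=198.51.100.5 "
    "DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=4242 SEQ=1",
]

_KV = re.compile(r"^([A-Z]+)=(.*)$")
_PRINTK_TS = re.compile(r"^\s*\[\s*[\d.]+\]\s*")


def split_mac_field(mac: str) -> Dict[str, Optional[str]]:
    """Decompose the LOG MAC= field.

    On Ethernet the kernel logs the raw link-layer header as 14 colon-separated
    bytes: destination MAC (6), source MAC (6), ethertype (2).  Anything else
    (empty field, non-Ethernet media) is left undecoded but kept as 'raw'.
    """
    octets = mac.split(":") if mac else []
    if len(octets) != 14:
        return {"dst_mac": None, "src_mac": None, "ethertype": None, "raw": mac}
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:14]),
        "raw": mac,
    }


def parse_log_line(line: str) -> Dict[str, Any]:
    """Parse one syslog-wrapped netfilter LOG line into a dict of fields."""
    # Everything after 'kernel:' is the netfilter record: an optional printk
    # timestamp, the --log-prefix text, then the IN= field and the rest.
    _, _, record = line.partition("kernel:")
    if "IN=" not in record:
        raise ValueError("not a netfilter LOG line: %r" % line)
    head, _, body = record.partition("IN=")
    prefix = _PRINTK_TS.sub("", head).strip()

    fields: Dict[str, Any] = {"prefix": prefix, "flags": []}
    for tok in ("IN=" + body).split():
        m = _KV.match(tok)
        if m:
            key, value = m.groups()
            # ICMP echo lines carry ID= twice (IP ID, then ICMP ID); keep the
            # first so the value stays the IP header's ID.
            fields.setdefault(key, value)
        else:
            fields["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    fields["mac"] = split_mac_field(fields.get("MAC", ""))
    return fields


def render_clean(fields: Dict[str, Any]) -> str:
    """Render a parsed record in a compact one-line form (the 'revamped' view)."""
    mac = fields["mac"]
    l2 = ""
    if mac["src_mac"]:
        l2 = " smac=%s dmac=%s type=%s" % (mac["src_mac"], mac["dst_mac"], mac["ethertype"])
    l4 = ""
    if fields.get("PROTO") in ("TCP", "UDP"):
        l4 = " %s:%s -> %s:%s" % (fields["SRC"], fields["SPT"], fields["DST"], fields["DPT"])
    else:
        l4 = " %s -> %s" % (fields["SRC"], fields["DST"])
    return "%s in=%s out=%s proto=%s%s%s flags=%s" % (
        fields["prefix"], fields["IN"], fields["OUT"], fields.get("PROTO", "?"),
        l4, l2, ",".join(fields["flags"]) or "-",
    )


def parse_all(lines: List[str]) -> List[Dict[str, Any]]:
    return [parse_log_line(ln) for ln in lines]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LOG_LINES):
        print(render_clean(rec))
```

Feeding real lines (for example `journalctl -k` or `/var/log/kern.log` output) through `parse_log_line` works as long as the syslog wrapper keeps the `kernel:` marker; the MAC decomposition only applies the 6/6/2 split when exactly 14 bytes are present, so PPP, tunnel or OUT-only records are passed through undecoded rather than misread.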