On this sunny early afternoon of Thursday 09 April 2009, at around 15:27, Eray Aslan <erayaslan@xxxxxxxxx> said:

>> At least it violates the concept of filtering in the filter table.

> Yes. The correct place to filter is in the filter table. But if you insist
> on doing the "wrong" thing, who is to interfere?

Well, it depends what "wrong" is.

When dropping in the filter table, you leave an entry in the conntrack. If you try to drop to avoid some kind of DoS, this is an unwanted effect.

When you drop in PREROUTING in the nat table, there is no entry in the conntrack. This is really convenient with matches like "hashlimit".

This loss of functionality should be better explained. Maybe this is the prelude of some simplification in Netfilter?

-- 
Choose a data representation that makes the program simple.
- The Elements of Programming Style (Kernighan & Plauger)
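An added illustration of the conntrack side-effect discussed above (example script, not part of the thread): the same hashlimit DROP placed in the filter table, where every dropped SYN has already been given a conntrack entry, and in the raw table, which the post does not mention but which the kernel traverses before connection tracking, so no entry is created. The port, rate and chain names are constructed values; iptables 1.4 or later is assumed for `--hashlimit-above`.

```shell
#!/bin/sh
# Added example, not from the original thread. IPT defaults to a dry run
# that prints the commands; run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"

# Constructed policy: drop SYNs above 10/s per source address towards TCP/22.
PORT=22
LIMIT="--hashlimit-above 10/sec --hashlimit-burst 20 --hashlimit-mode srcip"

# Filter-table placement: the INPUT hook runs after conntrack, so each SYN
# that this rule drops has already allocated a conntrack entry, which is the
# resource-exhaustion side-effect the post describes.
drop_in_filter() {
    $IPT -t filter -A INPUT -p tcp --syn --dport "$PORT" \
        -m hashlimit $LIMIT --hashlimit-name ssh_syn_filter -j DROP
}

# Raw-table placement: PREROUTING in the raw table is hooked at priority
# -300, conntrack at -200, so a DROP here never reaches connection tracking
# and leaves no conntrack entry (same effect the post obtains from nat
# PREROUTING, in the table designed for pre-conntrack decisions).
drop_in_raw() {
    $IPT -t raw -A PREROUTING -p tcp --syn --dport "$PORT" \
        -m hashlimit $LIMIT --hashlimit-name ssh_syn_raw -j DROP
}

# Root-only check after applying the rules and sending traffic: count the
# conntrack entries for the protected port. With the raw-table rule the
# number stays flat under a flood; with the filter-table rule it grows.
conntrack_entries_for_port() {
    grep -c "dport=$PORT " /proc/net/nf_conntrack 2>/dev/null || echo 0
}

drop_in_filter
drop_in_raw
```

With IPT unset the script only prints the two rule lines, so the placement difference can be reviewed before anything touches a live firewall.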