As a disinterested third party*, I think Jan is voicing stronger arguments, and that Pablo may need to enhance his debating skills.

N

* Disinterested in that I don't have a bone to pick in this debate. I do have a few netfilter thoughts, though, concerning general usability enhancements to the facility: 32-bit connmarks can be rather limiting (64 bits would be far more adequate), integrated IPv4/IPv6 (it'd be nice to be able to specify both addresses for a node in a single rule, for dual-stacked nodes), and a way to explicitly include related conns in a rule (after establishment, there seems to be no way to associate a related conn with the rule that allowed it in the first place).