Howdy,

So ingress chains are attached to adapters, but it would be nice if they could be attached to adapter group IDs as well as individual adapters. That way I don't have to instantiate a chain for every adapter, I can just have the one.

In the syntax, [device] would be [device | "group" number].

In particular, I use group 1 for all external interfaces, which includes several ethX interfaces and all the pppX interfaces as well. I keep a "Bad Actor" list and I've been looking at tossing their packets before connection tracking and all that with an ingress chain.

Better still would be less-than or greater-than matching on groups.

All this can be done in other rules and other ways, but a simple and fast numeric match just seems so much cleaner.