[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200710121618.51046.a1426z@gawab.com>
Date: Fri, 12 Oct 2007 16:18:51 +0300
From: Al Boldi <a1426z@...ab.com>
To: Patrick McHardy <kaber@...sh.net>
Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [RFD] iptables: mangle table obsoletes filter table
Patrick McHardy wrote:
> Al Boldi wrote:
> >>>The problem is that people think they are safe with the filter table,
> >>>when in fact they need the prerouting chain to seal things. Right now
> >>>this is only possible in the mangle table.
> >>
> >>Why do they need PREROUTING?
> >
> > Well, for example to stop any transient packets being forwarded. You
> > could probably hack around this using mark's, but you can't stop the
> > implied route lookup, unless you stop it in prerouting.
>
> This also works fine in FORWARD with a little extra overhead.
> If you really have to save resources, you should use PREROUTING/raw
> to also avoid the creation of a connection tracking entry.
Yes sure, if you use nat. But can you see how forcing people into splitting
their rules across tables adds complexity. And without ipt_REJECT patch,
they can't even use REJECT in prerouting, which forces them to do some
strange hacks.
IMHO, we should make things as easily configurable as possible, and as things
stand right now, the filter-table is completely useless for 99% of
use-cases.
Thanks!
--
Al
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists