On Fri, Nov 08, 2002 at 06:22:00AM -0500, jamal wrote:
> > netfilter, yeah, sure, 'could have', but please.
>
> apology if i sounded like one of those adolescent netfilter dangerous
> fools who show up with "mama, look what i can do with a packet now that
> i've read netfilter docs"
No, you don't sound such, sorry for reacting the way i did.
> > 'Make it a netfilter module' is generally what people say when
> > they are confronted with a feature they don't like.
>
> My angle was to avoid being intrusive to the tcp code.
> you might get a fish sent to you in .nl in an armani suit;->
Sorry but I don't like fish nor armani suits :-)
> > There was a thread about this in private mail round April this year,
> > in which some good points were raised.
>
> There are some good points; however, what's the app for this feature?
My specific application is a proxy application that replaces the
in-kernel IP masquerading functionality, using a wildcard REDIRECT
rule plus SO_ORIGINAL_DST. The main reason I'm doing it in userspace
is because downstream bandwidth limiting becomes a whole lot easier
this way than doing it in-kernel -- it would need complicated state
tracking and nonobvious window field manipulations if done there.
The applications that Bert and Marc named sound sane too. There's
just a whole lot of things this thing can be used for.
cheers,
Lennert