
Re: Announce: NetKeeper Firewall For Linux

To: Mikkel Christiansen <mixxel@xxxxxxxxx>
Subject: Re: Announce: NetKeeper Firewall For Linux
From: jamal <hadi@xxxxxxxxxx>
Date: 17 Nov 2003 09:21:58 -0500
Cc: Emmanuel Fleury <fleury@xxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxx>, netfilter-devel@xxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <3FAE9B9B.60007@xxxxxxxxx>
Organization: jamalopolis
References: <1067285612.552.9.camel@xxxxxxxxxxxxxxxxxxxxx> <20031028014223.129933be.davem@xxxxxxxxxx> <1067335655.10628.7.camel@xxxxxxxxxxxxxxxxx> <1068001237.1064.31.camel@xxxxxxxxxxxxxxxx> <1068046114.31636.92.camel@xxxxxxxxxxxxxxxxx> <1068089345.1020.17.camel@xxxxxxxxxxxxxxxx> <1068114376.1532.115.camel@xxxxxxxxxxxxxxxxx> <1068211670.1031.49.camel@xxxxxxxxxxxxxxxx> <3FAE9B9B.60007@xxxxxxxxx>
Reply-to: hadi@xxxxxxxxxx
Sender: netdev-bounce@xxxxxxxxxxx
Hi,

On Sun, 2003-11-09 at 14:55, Mikkel Christiansen wrote:

> >
> >Integrate your classifier like any other tc
> >classifier and then you don't have to look at my code unless you really
> >want to.
> >
> 
> If we integrate it would mean a new/alternative interface
> to tc where you compile the filter/configuration before
> uploading.

Why can't you use the same interface that exists today - the one that is
used to load new filter rules?

>  We believe this is a good thing since it allows
> admins to (syntax) check the filter before inserting it.

Sure. It will be nice to have something like that in user space.

> I believe the guys from shorewall see this as a missing
> feature of iptables.
> 
> Would you consider such an interface for tc good or bad?
> 

Refer to my comment above: I don't think you need anything new. Look at a
simple classifier like fwmark and comment if you need something new.

> >Isn't the state database another classifier and therefore you will be
> >faced with the same challenges for it? 
> >I don't think you will get a free ride putting the state lookups
> >somewhere else.
> >
> current scheme can't handle dynamic rules - and it will
> be a while (if ever) before it can.
> 

Please think about that problem - otherwise you get a C in your course
work from me ;-> (F would be too harsh ;->)

> >
> >Couldn't you, knowing the rules already existing, check for breakage in
> >user space?
> >
> no - if someone decided to write their own "client/compiler" in
> userspace they could potentially produce a broken IDD - that
> could crash the kernel!
> 

I think it is nice to have a feature that does the verification in
user space before downloading.  
I didn't understand what you mean that someone else writes their own
"client/compiler". Aren't you the one in charge of this compiler?
Why would you allow other people to write this compiler?

cheers,
jamal

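The point both sides agree on above is that a compiled filter should be verified in user space before it is handed to the kernel, so that a broken decision diagram produced by some other "client/compiler" cannot crash the box. The following is an added example, not NetKeeper code or anything from the kernel tree: a small user-space verifier for a compiled packet-filter decision diagram. The node layout (a list of nodes, each either a terminal action or a field test with interval edges and a default successor), the field names and their widths are assumptions made here for illustration; the real IDD format is not shown in the thread. The checker rejects dangling edge targets, out-of-range or overlapping intervals, unknown fields or actions, cycles (a decision diagram must be acyclic so every lookup terminates) and unreachable nodes.

```python
"""User-space sanity check of a compiled packet-filter decision diagram.

Added example, not code from NetKeeper or the kernel. The diagram
encoding below is an assumption for illustration: node 0 is the root,
a node is either {"action": "accept"|"drop"} or
{"field": <name>, "edges": [(lo, hi, target), ...], "default": target}.
"""

# Assumed set of fields a filter may test, with the largest legal value.
FIELD_MAX = {"proto": 0xFF, "sport": 0xFFFF, "dport": 0xFFFF,
             "saddr": 0xFFFFFFFF, "daddr": 0xFFFFFFFF}
TERMINALS = {"accept", "drop"}


def _successors(node):
    """All node indices a decision node can jump to."""
    return [t for _, _, t in node.get("edges", [])] + [node["default"]]


def _structural_problems(nodes):
    """Per-node checks that need no graph traversal."""
    problems = []
    n = len(nodes)
    for i, node in enumerate(nodes):
        if "action" in node:
            if node["action"] not in TERMINALS:
                problems.append(f"node {i}: unknown action {node['action']!r}")
            continue
        field = node.get("field")
        if field not in FIELD_MAX:
            problems.append(f"node {i}: unknown field {field!r}")
            continue
        maxv = FIELD_MAX[field]
        prev_hi = -1
        # Sorting by (lo, hi) lets overlap be detected with one pass.
        for lo, hi, tgt in sorted(node.get("edges", [])):
            if not (0 <= lo <= hi <= maxv):
                problems.append(
                    f"node {i}: interval [{lo},{hi}] out of range for {field}")
            if lo <= prev_hi:
                problems.append(f"node {i}: overlapping intervals at {lo}")
            prev_hi = max(prev_hi, hi)
            if not (isinstance(tgt, int) and 0 <= tgt < n):
                problems.append(f"node {i}: edge target {tgt} out of range")
        d = node.get("default")
        if not (isinstance(d, int) and 0 <= d < n):
            problems.append(f"node {i}: bad default target {d!r}")
    return problems


def _graph_problems(nodes):
    """Depth-first walk from the root: report cycles and unreachable nodes."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = [WHITE] * len(nodes)
    problems = []

    def dfs(i):
        color[i] = GREY
        if "action" not in nodes[i]:
            for t in _successors(nodes[i]):
                if color[t] == GREY:
                    problems.append(f"cycle: node {i} reaches node {t}")
                    return True
                if color[t] == WHITE and dfs(t):
                    return True
        color[i] = BLACK
        return False

    dfs(0)
    for i, c in enumerate(color):
        if c == WHITE:
            problems.append(f"node {i}: unreachable")
    return problems


def verify(nodes):
    """Return a list of problems; an empty list means the diagram is safe
    to upload. Graph checks run only once every reference is known valid."""
    if not nodes:
        return ["empty diagram"]
    problems = _structural_problems(nodes)
    if problems:
        return problems
    return _graph_problems(nodes)


# Constructed sample diagrams (not from the thread).
GOOD = [
    {"field": "proto", "edges": [(6, 6, 1), (17, 17, 2)], "default": 3},
    {"field": "dport", "edges": [(22, 22, 4), (80, 80, 4)], "default": 3},
    {"field": "dport", "edges": [(53, 53, 4)], "default": 3},
    {"action": "drop"},
    {"action": "accept"},
]
DANGLING = [{"field": "proto", "edges": [(6, 6, 7)], "default": 1},
            {"action": "drop"}]
CYCLIC = [{"field": "proto", "edges": [(6, 6, 1)], "default": 2},
          {"field": "dport", "edges": [], "default": 0},
          {"action": "drop"}]
OUT_OF_RANGE = [{"field": "sport", "edges": [(0, 70000, 1)], "default": 1},
                {"action": "accept"}]

if __name__ == "__main__":
    for name, diagram in [("GOOD", GOOD), ("DANGLING", DANGLING),
                          ("CYCLIC", CYCLIC), ("OUT_OF_RANGE", OUT_OF_RANGE)]:
        print(name, verify(diagram) or "ok")
```

Running the block prints `ok` only for GOOD; the other three are rejected before anything would be loaded. The reference and range checks run first so that the graph walk never indexes past the node table, which is the same ordering a kernel-side verifier would want if it had to do this work itself.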
