Mailing List Archive



[tlug] Re: Re: wither ipchains?



Josh Glover wrote:

> IPFilter to actually filter packets.

AFAIK IPFilter is from BSD?

> However, as has been the disturbing trend with Linux, more and more is
> creeping from userland (where it belongs) to the kernel. iptables is,
> IMO, one such example. The fact that you have to compile iptables
> "support" into the kernel (or build a module) is a bit ludicrous if
> you ask me. (Which no-one, regrettably, ever seems to remember to do.)

Well you could certainly implement it in userspace if you use the
ethertap device. You would have to route all traffic over the ethertap
and have a userspace daemon filter the tcp traffic then feed it back
through a second ethertap I'd guess. However that would probably be
quite slow.

> IPFilter *should* be implemented in the kernel, since it actually
> plays with the TCP/IP stack, which is in the kernel. However, iptables
> or whatever you use to write filtering rules should just interact with
> IPFilter by way of kernel calls. No special support necessary.

The iptables (or ipchains) Kernel modules are the kernel support part of
the filtering infrastructure. (The part actually playing with the
packets)

The iptables userspace program is used to insert rules into the kernel.

AFAICS everything that can reasonably be moved to userspace already is in
userspace for this part.

> documentation on the design of Linux IPFilter, please post them here,

Well, you'd have to search for netfilter or iptables :-)

-- 
Tobias								PGP: 0x9AC7E0BC
This mail is made of 100% recycled bits
Now playing: Southern All Stars - kibounowadachi

