tlug Mailing List Archive

Re: [tlug] Re: Re: wither ipchains?
- Date: Wed, 7 Aug 2002 17:47:00 -0400
- From: Josh Glover <jmglov@example.com>
- Subject: Re: [tlug] Re: Re: wither ipchains?
- References: <20020807034014.22378.qmail@example.com> <Pine.LNX.4.21.0208062249040.18662-100000@example.com> <20020807150810.GA31375@example.com> <20020807203351.GA2322@example.com>
- User-agent: Mutt/1.4i
On Wed, Aug 07, 2002 at 10:33:51PM +0200, Tobias Diedrich quoth, and most verily thus:

> Josh Glover wrote:
>
> > IPFilter to actually filter packets.
>
> AFAIK IPFilter is from BSD ?

I did not think that they were the same thing. Am I mistaken?

> > However, as has been the disturbing trend with Linux, more and more is
> > creeping from userland (where it belongs) to the kernel. iptables is,
> > IMO, one such example. The fact that you have to compile iptables
> > "support" into the kernel (or build a module) is a bit ludicrous if
> > you ask me. (Which no-one, regrettably, ever seems to remember to do.)
>
> Well you could certainly implement it in userspace if you use the
> ethertap device. You would have to route all traffic over the ethertap
> and have a userspace daemon filter the tcp traffic then feed it back
> through a second ethertap I'd guess. However that would probably be
> quite slow.

I think you miss my point. Read on.

> > IPFilter *should* be implemented in the kernel, since it actually
> > plays with the TCP/IP stack, which is in the kernel. However, iptables
> > or whatever you use to write filtering rules should just interact with
> > IPFilter by way of kernel calls. No special support necessary.
>
> The iptables (or ipchains) Kernel modules are the kernel support part of
> the filtering infrastructure. (The part actually playing with the
> packets)

IPFilter should be playing with the packets. I think that the kernel
modules are interfaces for the userland programs to IPFilter, which
makes very little sense.

> The iptables userspace program is used to insert rules into the kernel.

Right, through standard calls. I am arguing that iptables should be all
userspace, and just #include <sys/ipfilter.h> or whatever.

> AFAICS everything that can reasonably moved to userspace already is in
> userspace for this part.

I disagree strongly, but again, I may have the wrong idea about the
design.

> > documentation on the design of Linux IPFilter, please post them here,
>
> Well, you'd have to search for netfilter or iptables :-)

Ha ha. Did so. Various permutations of netfilter linux design iptables
did very little for me on Google. Well, I may have to go to the source.
:(

-- 
Josh Glover <jmglov@example.com>
Associate Systems Administrator
INCOGEN, Inc.
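The userspace filtering daemon that Tobias sketches above (route traffic through a tap device, filter in a daemon, write it back out through a second one) is small enough to show in full. The following is an added example, not code from this thread or from the netfilter project; it uses the modern Linux `/dev/net/tun` interface (the `TUNSETIFF`, `IFF_TUN` and `IFF_NO_PI` constants are from `<linux/if_tun.h>`) in place of the 2.2-era ethertap device, and the rule table and packets are constructed for the example. The pure functions `parse_ipv4` and `verdict` do the filtering; `run` is the daemon loop, and every packet it handles costs one copy from the kernel and one back, which is the slowness the thread is worried about.

```python
import fcntl
import os
import struct

# Linux ioctl and flag constants for /dev/net/tun (from <linux/if_tun.h>).
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001      # layer-3 device: we get raw IP packets, no Ethernet header
IFF_NO_PI = 0x1000    # no 4-byte packet-information prefix on each read

# Constructed rule table (assumed for this example): (proto, dst_port, verdict).
# proto 6 = TCP, 17 = UDP; a dst_port of None matches any port. First match
# wins, and unmatched packets fall through to a default policy, the same
# shape as a chain with a default policy in ipchains/iptables.
RULES = [
    (6, 22, "ACCEPT"),
    (6, 80, "ACCEPT"),
    (17, 53, "ACCEPT"),
]
DEFAULT_POLICY = "DROP"


def parse_ipv4(pkt):
    """Return (proto, src, dst, dst_port) for an IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes, >= 20
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    dst_port = None
    # TCP and UDP both carry the destination port at transport offset 2.
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, src, dst, dst_port


def verdict(pkt, rules=RULES, policy=DEFAULT_POLICY):
    """Apply the rule table to one packet; malformed packets are dropped."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return "DROP"
    proto, _src, _dst, dst_port = hdr
    for r_proto, r_port, r_verdict in rules:
        if r_proto == proto and (r_port is None or r_port == dst_port):
            return r_verdict
    return policy


def build_ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet as constructed test input (checksum left zero)."""
    total = 20 + len(payload)
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def tcp_syn_payload(sport, dport):
    """A bare 20-byte TCP SYN header (constructed; no options, checksum zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)


def open_tun(name):
    """Attach to (or create) a tun interface; needs CAP_NET_ADMIN."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    ifr = struct.pack("16sH", name.encode(), IFF_TUN | IFF_NO_PI)
    fcntl.ioctl(fd, TUNSETIFF, ifr)
    return fd


def run(in_if="tap-in", out_if="tap-out"):
    """Daemon loop: pump packets from one tun device to the other through the rules."""
    fd_in = open_tun(in_if)
    fd_out = open_tun(out_if)
    while True:
        pkt = os.read(fd_in, 65535)      # one copy kernel -> userspace per packet
        if verdict(pkt) == "ACCEPT":
            os.write(fd_out, pkt)        # and one copy back for every accepted packet


if __name__ == "__main__":
    run()
```

`run()` only works as root on Linux with routes pointing traffic into the `tap-in` interface and out of `tap-out`; the rule logic itself needs neither, which is the point: the rules and the policy live entirely in a userspace process, and the kernel's only job is handing packets over and taking them back.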
- Follow-Ups:
- [tlug] Re: Re: Re: wither ipchains?
- From: Tobias Diedrich
- References:
- [tlug] Re: wither ipchains?
- From: big0
- Re: [tlug] Re: wither ipchains?
- From: Marc Christensen
- Re: [tlug] Re: wither ipchains?
- From: Josh Glover
- [tlug] Re: Re: wither ipchains?
- From: Tobias Diedrich