Down with the mangle table! :-)

Henrik Nordstrom hno@marasystems.com
Mon, 16 Jul 2001 11:11:46 +0200


Jozsef Kadlecsik wrote:

> I believe that until agreement is reached on the topic, nothing
> should be done.

There is a whole bunch of arguments:

may need mangle before conntrack (see discussion on NOTRACK)
may need mangle after conntrack (see CONNMARK)
may need filter before SNAT
In theory, mangle may be needed both before and after conntrack (combination of
NOTRACK and CONNMARK).
In the past it has also been argued that some wants to filter packets before
conntrack, and my personal view is that such an argument is perfectly valid.

And recently, a similar argument was made for NAT vs routing, where one wants
to build NAT rules (including DNAT) based on information collected in routing.

This discussion on mangle/nat/priorities/configurability aims at finding a
suitable solution that allows for advanced configurations needing the above,
and possibly other scenarios not yet considered.

I agree that implementing a configurable mangle table is a bit premature. There
is much more to this than only the priorities and hooks of mangle.

--
Henrik Nordstrom
MARA Systems AB
Sweden
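The ordering argument in the message above (NOTRACK must run before connection tracking, CONNMARK can only work after it) can be made concrete by modelling how netfilter calls its PREROUTING hooks in ascending priority order. The following is an added illustration written for this page, not netfilter code and not anything posted in the thread. The NF_IP_PRI_* values are the real ones from the Linux kernel headers (the raw table at -300 is the hook that later netfilter releases added for NOTRACK); the packets, the hook functions, the flow table and `run_flow` are constructed for the example.

```python
"""Constructed model of netfilter PREROUTING hook ordering.

Each hook is registered with a priority; the kernel calls the hooks in
ascending priority order. The model shows why a single mangle hook cannot
serve both a NOTRACK rule (which must precede conntrack) and a CONNMARK
rule (which needs the conntrack entry that only exists afterwards).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# NF_IP_PRI_* priorities from the Linux kernel headers (lower runs first).
PRI_RAW = -300        # raw table: where NOTRACK ended up in later netfilter releases
PRI_CONNTRACK = -200  # connection tracking
PRI_MANGLE = -150     # mangle table
PRI_NAT_DST = -100    # DNAT
PRI_FILTER = 0        # filter table


@dataclass
class Packet:
    """Constructed packet: only the fields the model needs."""
    src: str
    dst: str
    dport: int
    mark: int = 0                      # skb->nfmark
    notrack: bool = False              # set by a NOTRACK rule
    ct: Optional[dict] = None          # conntrack entry once conntrack has run


CtTable = Dict[Tuple[str, str, int], dict]
Hook = Callable[[Packet, CtTable], None]


def hook_raw_notrack(pkt: Packet, ct: CtTable) -> None:
    """Hypothetical rule: -p udp --dport 53 -j NOTRACK (do not track DNS)."""
    if pkt.dport == 53:
        pkt.notrack = True


def hook_conntrack(pkt: Packet, ct: CtTable) -> None:
    """Connection tracking: skips packets flagged NOTRACK, else finds/creates an entry."""
    if pkt.notrack:
        return
    key = (pkt.src, pkt.dst, pkt.dport)
    entry = ct.setdefault(key, {"mark": 0, "packets": 0})
    entry["packets"] += 1
    pkt.ct = entry


def hook_mangle_connmark(pkt: Packet, ct: CtTable) -> None:
    """Hypothetical mangle rules:
       -m state --state NEW -p tcp --dport 80 -j MARK --set-mark 2, then CONNMARK --save-mark;
       otherwise CONNMARK --restore-mark.
    Without a conntrack entry (hook ran before conntrack, or NOTRACK) both are no-ops."""
    if pkt.ct is None:
        return
    if pkt.ct["packets"] == 1 and pkt.dport == 80:
        pkt.mark = 2
        pkt.ct["mark"] = pkt.mark      # CONNMARK --save-mark
    else:
        pkt.mark = pkt.ct["mark"]      # CONNMARK --restore-mark


def traverse(pkt: Packet, hooks: List[Tuple[int, Hook]], ct: CtTable) -> Packet:
    """Run the registered hooks in ascending priority order (stable sort keeps
    registration order for equal priorities), as the kernel does."""
    for _, fn in sorted(hooks, key=lambda h: h[0]):
        fn(pkt, ct)
    return pkt


def run_flow(mangle_priority: int) -> Tuple[List[int], List[bool]]:
    """Send three constructed packets through the hooks with the CONNMARK hook
    registered at `mangle_priority`. Returns (marks, tracked) per packet."""
    hooks: List[Tuple[int, Hook]] = [
        (PRI_RAW, hook_raw_notrack),
        (PRI_CONNTRACK, hook_conntrack),
        (mangle_priority, hook_mangle_connmark),
    ]
    ct: CtTable = {}
    packets = [
        Packet("192.0.2.10", "198.51.100.1", 80),   # first packet of an HTTP flow
        Packet("192.0.2.10", "198.51.100.1", 80),   # second packet, same flow
        Packet("192.0.2.10", "198.51.100.53", 53),  # DNS, exempted by NOTRACK
    ]
    done = [traverse(p, hooks, ct) for p in packets]
    return [p.mark for p in done], [p.ct is not None for p in done]


if __name__ == "__main__":
    # CONNMARK after conntrack: first HTTP packet is marked, second restores the
    # saved mark, DNS is neither tracked nor marked.
    print("mangle at -150:", run_flow(PRI_MANGLE))
    # CONNMARK before conntrack: no entry exists yet, so nothing is ever marked,
    # even though the flows are tracked afterwards.
    print("mangle at -300:", run_flow(PRI_RAW))
```

Registering the mangle hook at -150 gives marks `[2, 2, 0]`; registering it at -300 gives `[0, 0, 0]` because the CONNMARK rule runs before a conntrack entry exists, while the NOTRACK rule only has an effect at a priority below -200. That is the split Henrik describes: the two kinds of mangle rule need two different positions relative to conntrack, so priority alone cannot satisfy both with a single hook.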