[PATCH] POSTROUTING chain for mangle table
Brad Chapman
kakadu_croc@yahoo.com
Sat, 29 Sep 2001 18:56:55 -0700 (PDT)
Mr. Bulej,
--- Lubomír Bulej <pallas@kadan.cz> wrote:
>
> On Sat, 29 Sep 2001, Brad Chapman wrote:
>
> > The patch SHOULD be included, but it isn't, because Harald has still not figured out
> > how to make mangle and conntrack peacefully coexist without either of these
> > two scenarios:
> >
> > - mangle provides ability to horribly break conntrack
>
> Hmm, this particular scenario might be considered a feature -- there is
> nothing wrong with providing rope to hang oneself, is there? As long as one is
> mangling stuff conntrack is not interested in, it should be safe I guess.
Right. The problem is, placing mangle before conntrack conceivably allows
Joe Q. Firewall to break it and then complain "This rule makes my state rules
fail! Why?"
>
> > - conntrack blocks mangle from doing things which don't need conntrack
>
> I can't comment on this one as I'm not enlightened enough in the ways of
> netfilter :) BTW, can mangle's PREROUTING chain screw conntrack as well?
No. NF_IP_PRI_MANGLE > NF_IP_PRI_CONNTRACK. Connection tracking, so far,
comes first, always.
>
> > TBH, I don't think the patch will ever go in.
>
> Well, perhaps it could be included at least in patch-o-matic.
That's the problem. Joe Q. Firewall will apply it and then spam the list
with messages about how successful he was at breaking conntrack, IMHO. We need
to figure out exactly how it should be done, and that figuring will probably occur
when Linus mandates 2.5.
>
>
> Lubomir
>
Brad
P.S: Nothing is really stopping me from sending this to Linus or -ac or DaveM.....
=====
Brad Chapman
Permanent e-mail: kakadu_croc@yahoo.com
Current e-mail: kakadu@adelphia.net
Alternate e-mail: kakadu@netscape.net
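The ordering argument above ("NF_IP_PRI_MANGLE > NF_IP_PRI_CONNTRACK, so conntrack comes first") rests on netfilter running the hooks of a chain in ascending priority order. The following is an added, user-space model of that mechanism, not code from the thread or from the kernel: the priority values are the ones from <linux/netfilter_ipv4.h>, while the chain array, the module names used as owners and the register_hook()/run_order() helpers are assumptions made for the illustration.

```c
/* Added example, not code from the thread: a user-space model of how
 * netfilter keeps the hooks on one chain sorted by priority and runs the
 * lowest number first. Priorities are those of <linux/netfilter_ipv4.h>. */
#include <stdio.h>
#include <string.h>
enum {
    NF_IP_PRI_CONNTRACK = -200, /* ip_conntrack on PREROUTING */
    NF_IP_PRI_MANGLE    = -150, /* iptable_mangle */
    NF_IP_PRI_NAT_DST   = -100, /* iptable_nat, DNAT side */
};
struct nf_hook { const char *owner; int priority; };
#define MAX_HOOKS 8
static struct nf_hook chain[MAX_HOOKS]; /* one chain, e.g. PREROUTING */
static int nr_hooks;

/* Insert keeping the chain sorted, as nf_register_hook() does: a new
 * hook lands after every existing hook whose priority is <= its own. */
static int register_hook(const char *owner, int priority)
{
    int i;
    if (nr_hooks == MAX_HOOKS)
        return -1;
    for (i = nr_hooks; i > 0 && chain[i - 1].priority > priority; i--)
        chain[i] = chain[i - 1];
    chain[i].owner = owner;
    chain[i].priority = priority;
    nr_hooks++;
    return 0;
}

/* Position at which an owner runs on the chain (0 = first), or -1. */
static int run_order(const char *owner)
{
    for (int i = 0; i < nr_hooks; i++)
        if (strcmp(chain[i].owner, owner) == 0)
            return i;
    return -1;
}

int main(void)
{
    /* Load order is deliberately "wrong": the sort decides, not modprobe. */
    register_hook("iptable_mangle", NF_IP_PRI_MANGLE);
    register_hook("iptable_nat", NF_IP_PRI_NAT_DST);
    register_hook("ip_conntrack", NF_IP_PRI_CONNTRACK);
    for (int i = 0; i < nr_hooks; i++)
        printf("PREROUTING[%d] %-15s prio %d\n", i, chain[i].owner, chain[i].priority);
    return 0;
}
```

Whatever order the modules are loaded in, ip_conntrack ends up first on the chain, so by the time the mangle rules see a packet its connection state has already been looked up.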