Benefits of Netfilter userspace extensions

Simon Peter simon.peter at gmx.de
Mon Feb 5 18:03:24 CET 2007


Hi,

in general, is it beneficial to implement netfilter extensions
(especially packet mangling ones, using libnetfilter-queue) in
userland versus kernel?

Pros I can think of are:
- Ease of implementation, easier debugging, etc.
- More robust against bugs (only userspace program fails)

Of course there are cons, too:
- Slower
- Not as secure (userspace program might be easy to kill)

Did I miss anything?

Would you guys recommend implementing my packet mangling extension in
userspace, especially if I need to pull in a lot of information from
connection tracking?

Thanks,
Simon



More information about the netfilter-devel mailing list