Re: 2.6.12: connection tracking broken?

From: Carl-Daniel Hailfinger
Date: Wed Jun 22 2005 - 19:03:26 EST


Herbert Xu wrote:
>
> Longer term though we should obsolete the ipt_physdev module. The
> rationale there is that this creates a precedence that we can't
> possibly maintain in a consistent way. For example, we don't have
> a target that matches by hardware MAC address. If you wanted to
> do that, you'd hook into the arptables interface rather than deferring
> iptables after the creation of the hardware header.
>
> This can be done in two stages to minimise pain for people already
> using it:
>
> 1) We rewrite ipt_physdev to do the lookups necessary to get the output
> physical devices through the bridge layer. Of course this may not be
> the real output device due to changes in the environment. So this should
> be accompanied with a warning that users should switch to ebt.
>
> 2) We remove the iptables deferring since ipt_physdev will no longer need
> it.
>
> 3) After a set period (say a year or so) we remove ipt_physdev altogether.

For my local setup it is already a minor PITA that there is no tool
combining the functionality of arptables, ebtables and iptables, but
I can cope with the help of marking and ipt_physdev. If that doesn't
work reliably anymore, I'll be stuck.

Wasn't someone working on a unified framework for *tables? IIRC that
would have been pkttables, but Harald(?) said there was not much
code there yet.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/