From: Stephane Ouellette <ouellettes@videotron.ca>
To: netfilter-devel@lists.netfilter.org
Subject: Re: [NEW EXTENSION] Condition Match
Date: Thu, 31 Oct 2002 20:51:59 -0500
Message-ID: <3DC1DE3F.7040404@videotron.ca>

--- Harald Welte <laforge@gnumonks.org> wrote:

> On Tue, Oct 29, 2002 at 10:43:07PM -0600, allen wrote:
>> On Tuesday 29 October 2002 12:54 pm, Stephane Ouellette wrote:
>>>    I developed last week a new extension to Netfilter in order to
>>> enable or disable a set of rules using /proc files.
>>
>> Yeah, as others have said, the idea is definitely cool.
>
> Though the idea is cool, I think we are solving a problem the wrong way.  Why
> add complexity to the kernel for a problem which can be solved without
> any problem from userspace?
>
> Where is the problem in having a couple of different rulesets (e.g. created
> with iptables-save) which are then loaded using an iptables-restore
> commandline or a script at the shell of the firewall?

Harald,

   I have already tried the solution you propose in a production 
environment and it proved difficult to deal with.  Using the condition 
match, it is far faster to enable/disable rule sets than it is with a 
set of scripts.  It is also less error-prone from a management point of 
view as the firewall rules never change.

I would suggest that the condition match makes it to P-O-M, and let the 
users try it.

Regards,

Stephane Ouellette.
