From: Patrick McHardy
Subject: Re: condition for 2.6.16
Date: Fri, 28 Apr 2006 09:12:45 +0200
Message-ID: <4451C06D.8000108@trash.net>
References: <200604201919.19246.max@nucleus.it> <4447D7AA.1010602@trash.net> <200604231547.29009.simonl@parknet.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
To: Simon Lodal
Cc: Massimiliano Hofer, netfilter-devel@lists.netfilter.org
In-Reply-To: <200604231547.29009.simonl@parknet.dk>
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Simon Lodal wrote:
> On Thursday 20 April 2006 20:49, Patrick McHardy wrote:
>
>> We have already decided that the condition match will not be merged
>> because the same thing can easily be done by adding/removing rules
>> from userspace.
>
> Conditions enable role separation between us admins.
>
> No matter how good or fast the userspace tools are, there are cases where you
> simply do not want to (let others) run them, but it is acceptable to (let
> others) turn on/off some predefined blocks of rules.
>
> Plus it is faster, less risky, and does not reset counters.

I'm not really buying that argument; this can all also be done in userspace.
But a lot of people seem to consider it useful, so I might reconsider if
someone cleans it up so it at least doesn't need to walk the list of
conditions for every packet it matches... but no promises.
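The cleanup Patrick asks for, sketched in userspace C as an added example that is not the condition match's own code and not part of this thread: the rule resolves its named condition once at insertion time (where a netfilter match's checkentry hook runs) and keeps a reference-counted pointer, so the per-packet path is a single dereference instead of a walk over the condition list with a string compare. All names here (`struct condition`, `condition_get`, `rule_insert`, `match_resolved`) are assumptions for illustration; the kernel version would additionally need locking (e.g. RCU) around the list, which this sketch omits.

```c
/* Added userspace sketch, not the xt_condition code: contrast a per-packet
 * list walk with config-time resolution of a named boolean condition. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONDITION_NAME_LEN 32

/* One named boolean, as an admin would toggle it through a /proc file. */
struct condition {
    char name[CONDITION_NAME_LEN];
    int enabled;               /* 0/1, written by the admin */
    unsigned int refcount;     /* rules currently referencing this entry */
    struct condition *next;
};

static struct condition *conditions;   /* global list, changed only at config time */

/* Naive per-packet lookup: walks the whole list and strcmp()s on every packet. */
static int match_walk(const char *name)
{
    for (struct condition *c = conditions; c; c = c->next)
        if (strcmp(c->name, name) == 0)
            return c->enabled;
    return 0;                  /* unknown condition never matches */
}

/* Config-time resolution: find or create the entry once per rule and take a
 * reference, so two rules naming the same condition share one entry. */
static struct condition *condition_get(const char *name)
{
    struct condition *c;
    for (c = conditions; c; c = c->next)
        if (strcmp(c->name, name) == 0) {
            c->refcount++;
            return c;
        }
    c = calloc(1, sizeof *c);
    if (!c)
        return NULL;
    strncpy(c->name, name, sizeof c->name - 1);
    c->refcount = 1;
    c->next = conditions;
    conditions = c;
    return c;
}

/* Drop a rule's reference; unlink and free the entry when the last rule goes. */
static void condition_put(struct condition *c)
{
    if (--c->refcount)
        return;
    for (struct condition **pp = &conditions; *pp; pp = &(*pp)->next)
        if (*pp == c) {
            *pp = c->next;
            break;
        }
    free(c);
}

/* Per-rule state, filled in once when the rule is inserted. */
struct rule {
    struct condition *cond;    /* resolved at insertion, never looked up again */
    int invert;                /* 1 for "! --condition name" */
    unsigned long packets;     /* stays intact across toggles of the flag */
};

static int rule_insert(struct rule *r, const char *name, int invert)
{
    r->cond = condition_get(name);
    if (!r->cond)
        return -1;
    r->invert = invert;
    r->packets = 0;
    return 0;
}

/* Per-packet path: one pointer dereference, no list walk, no strcmp(). */
static int match_resolved(struct rule *r)
{
    int hit = (!!r->cond->enabled) ^ r->invert;
    if (hit)
        r->packets++;
    return hit;
}

/* Admin toggle, as the /proc write handler would do it; -1 if no such name. */
static int condition_set(const char *name, int enabled)
{
    for (struct condition *c = conditions; c; c = c->next)
        if (strcmp(c->name, name) == 0) {
            c->enabled = !!enabled;
            return 0;
        }
    return -1;
}

static unsigned int condition_count(void)
{
    unsigned int n = 0;
    for (struct condition *c = conditions; c; c = c->next)
        n++;
    return n;
}

int main(void)
{
    struct rule r;
    rule_insert(&r, "blockA", 0);     /* rule inserted while flag is off */
    printf("off: %d\n", match_resolved(&r));
    condition_set("blockA", 1);       /* admin enables the block */
    printf("on:  %d (packets=%lu)\n", match_resolved(&r), r.packets);
    condition_put(r.cond);
    return 0;
}
```

The point of the split is that the expensive work (name lookup, allocation, refcounting) happens on the rule-management path, which an administrator exercises rarely, while the packet path touches only memory the rule already owns; toggling the flag changes nothing in the rule itself, so its counters survive.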