On Saturday 25 March 2006 23:32, Mark Butler wrote:

> A true firewall should never need to do anything but drop packets and 
> reset connections.  Changes to the way packets are routed should be done 
> at the routing layer, using the flow information from the transport 
> layer. 

The real world doesn't work this way.

> The flowi structure already contains all that information for routing 
> purposes.  No reason why it could not be used to do early netfilter 
> reduction as well. Right?

netfilter is unfortunately too powerful for that. It can do many complex
dynamic decisions per packet that are impossible to cache or predict.

In theory you could try to build such a fast path for some simple 
filtering that implements a subset of full netfilter, but nobody has 
attempted to do so far.

-Andi