On Wed, 6 Mar 2002, Guillaume Morin wrote:

> In a message of 06 Mar at 8:52, Harald Welte wrote:
> > I don't actually think that the unclean match should be widely deployed in
> > production systems, honestly. I think it's just the wrong way to do
> > packet filtering. It's a nice toy for some development and other
> > 'experimental' use - but nothing more.

I agree that it should be left as experimental; an option for advanced
users and developers. Given that the module does not actually match all
unclean IP packets, and may later cause valid packets to be dropped, I
don't feel that it should be a standard kernel option.

> Well, I do not think that the experimental status fits this description.
> Look at CONFIG_EXPERIMENTAL help: 'Some of the various things that
> Linux supports (such as network drivers, file systems, network
> protocols, etc.) can be in a state of development where the
> functionality, stability, or the level of testing is not yet high
> enough for general use.'

I would say that the experimental nature of ipt_unclean is not appropriate
for general use, where the focus should really be on deploying effective
access control rules for network traffic. We should not be providing, as
standard, modules with complicated semantics (e.g. "it doesn't actually
work properly, but..."), which is likely to make the software and its
deployment more complicated than it needs to be.

- James
--
James Morris <[EMAIL PROTECTED]>