On Sun, Apr 07, 2002 at 11:12:23AM +0200, Harald Welte wrote:
>
> To be more precise: A userspace daemon using the upcoming ctnetlink
> interface to add connection tracking entries / nat mappings and
> ip_conntrack_expect's to the firewall.

Hey, that sounds like the stateful packet filter engine I wrote on ipchains when ipchains was the state-of-the-art technology. ftp://ftp.interlinx.bc.ca/pub/spf for anyone still interested.

> Dynamically inserting/removing rules seems like a big hack, but not like
> a solution.

Why? I thought that userspace solutions were _always_ considered "the better way(tm)" to do things when possible.

What is a better solution to UPnP than a userspace daemon manipulating netfilter rules? Perhaps you prefer the UPnP daemon to act more like a true application proxy and do application-level forwarding to satisfy the requests made of it? That seems like more overhead than is necessary to me. Considering netfilter to be a set of gates and the UPnP daemon to be a gatekeeper seems like the right mix of userspace/kernel space to me.

On a side note, does UPnP do anything more/better than SOCKS5? Did MS needlessly invent another protocol again? I was always under the impression that SOCKS5 allowed UDP as well as requesting TCP and UDP listeners.

b.

--
Brian J. Murrell