On Sun, Apr 07, 2002 at 03:48:26PM +0200, Henrik Nordstrom wrote:
> On Sunday 07 April 2002 12:07, Brian J. Murrell wrote:
>
> > > Dynamically inserting/removing rules seems like a big hack, but
> > > not like a solution.
> >
> > Why? I thought that userspace solutions were _always_ considered
> > "the better way(tm)" to do things when possible. What is a better
> > solution to UPnP than a userspace daemon manipulating netfilter
> > rules?
>
> How I understood Harald is that he does not regard a userspace daemon
> that dynamically changes the iptables ruleset as the correct approach,
> but rather a userspace daemon that directly inserts new connection
> tracking/NAT session entries as being the correct approach.
Exactly, that was what I meant.

Dynamically changing the iptables ruleset is evil, because:

1) if some admin is reloading the iptables rules, the dynamically
   inserted ones are gone
2) inserting rules at a particular rule number (-I foobar 12) will
   become unreliable, because in the meantime the upnp-daemon could
   have inserted other rules which resulted in rule-renumbering.
3) inserting/removing single rules very often is extremely expensive
   within the current iptables implementation - see discussions about
   iptnetlink to read why.

> > Perhaps you prefer the UPnP daemon to act more like a true
> > application proxy and do application level forwarding to satisfy
> > the requests made of it?
>
> This may also be a possibility, but not as efficient or flexible,
> and I don't think this is how UPnP can be used. Also I don't think
> this is anywhere close to where Harald was aiming.

Well, it wouldn't have any relation to netfilter then. A pure
application layer proxy is outside the scope of netfilter - and I'm
interested in a netfilter solution, of course :)

> Regards
> Henrik Nordström

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
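Harald's second point (a daemon that remembers rule numbers is broken by later inserts), as an added illustration that is not part of this thread: a small Python model of one iptables chain, using constructed rule specs and assuming only iptables' documented 1-based `-I`/`-D` numbering semantics.

```python
# Added example for this thread, not netfilter code: a toy model of one
# iptables chain with 1-based rule numbers and the semantics of
# `-I chain N`, `-D chain N` and `-D chain <spec>`.

class Chain:
    """Stand-in for an iptables chain; rules are exact spec strings."""

    def __init__(self):
        self.rules = []

    def insert(self, rulenum, spec):
        # `-I chain N spec`: the new rule takes position N; the old rule N
        # and everything after it are renumbered by +1.
        if not 1 <= rulenum <= len(self.rules) + 1:
            raise ValueError(f"rule number {rulenum} out of range")
        self.rules.insert(rulenum - 1, spec)

    def delete_by_number(self, rulenum):
        # `-D chain N`: removes whatever sits at position N right now.
        return self.rules.pop(rulenum - 1)

    def delete_by_spec(self, spec):
        # `-D chain spec`: removes the first rule with exactly this spec,
        # wherever it currently sits.
        self.rules.remove(spec)
        return spec

# Constructed rule specs for the demonstration (RFC 5737 test addresses).
ADMIN_RULE = "-p tcp --dport 22 -j ACCEPT"
MAPPING_A = "-p tcp --dport 5000 -j DNAT --to-destination 192.0.2.10:5000"
MAPPING_B = "-p udp --dport 6000 -j DNAT --to-destination 192.0.2.11:6000"

def setup_chain():
    chain = Chain()
    chain.insert(1, ADMIN_RULE)  # static rule owned by the admin
    chain.insert(2, MAPPING_A)   # daemon adds mapping A, remembers "rule 2"
    chain.insert(2, MAPPING_B)   # a later request inserts B ahead of A
    return chain

def remove_by_remembered_number():
    """Rule number 2 now names mapping B, so removing 'A' by number hits B."""
    chain = setup_chain()
    return chain.delete_by_number(2), list(chain.rules)

def remove_by_exact_spec():
    """Deleting by the full rule spec is immune to the renumbering."""
    chain = setup_chain()
    return chain.delete_by_spec(MAPPING_A), list(chain.rules)
```

Spec-based deletion avoids the renumbering hazard but does nothing about point 1: an admin's flush-and-reload still takes the daemon's rules with it, which is why the thread favours inserting conntrack/NAT entries directly.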