Hi all
I have two suggestions for your very nice netfilter framework:
First of all it would be nice if the multiport match would accept not
only single ports but also port ranges. This would streamline the
whole thing a little bit. I don't know the actual code, but the
implementation of multiport probably uses an array to store the
ports. If this array could be extended to be an array of structs then
it would be possible to store also port ranges, e.g.
struct portrange {
u_int16_t begin;
u_int16_t end;
};
struct portrange multiport[15];
For single ports, begin and end would be identical. This would
require additional 30 bytes per multiport call, but I think this is
acceptable.
The other suggestion would be simplifying the output chain
traversing. This means making the traversal of packets from the host
(output) symetrical to the traversal of packets form the host. For
example incomming packets are handled by
- mangle
- nat
- filter
so the output packets should traverse the tables in reverse order
(filter, nat, mangle). I don't know where the queuing disciplines
hook in. Because of the queuing disciplines can only control the
outgoing data stream, the best place would probably be after the
routing desicion, nat (POSTROUTING) and mangle (POSTROUTING) is done.
The only thing which would be lost is the nat of locally generated
packet, but I've read that it isn't functional yet and the question
is if it is really necessary.
I think, this would result in a much simpler code for netfilter as
well as programs generating the rules without loosing functionality.
Thanks
Norbert
