* Julien Bordet <[EMAIL PROTECTED]> [2004-03-01 21:35]:

In fact, even if it does not really matter to you in fact, I'm not talking about a kernel "proxy" here. I'm talking about something smart enough to tag packets "related" and so to "pass" them. If we go on with FTP, a piece of code that attaches data connections to the command connection initiated before. In case of a bridge, I clearly do not need (and do not want!) a proxy, nor NAT support.

However, when one does bridge traffic shaping, this is not the same thing
at all: proxifying means that you are not bridging any more, using an IP
address for the bridge, and so on. I really think it is a very dirty
solution. The kernel space solution here is much cleaner, as it is
transparent for the firewall administrator.
you are so wrong.
doing this kind of proxying in-kernel is just plain wrong, and error-prone.
don't people read bugtraq?

I do read bugtraq, and yes I'm aware of the security problems of ipf and netfilter.

don't people learn from all the security problems ipf and the linux guys had with their in-kernel proxies?

Yet, I'm talking about a feature we need. Bridging with a certain "understanding" of the FTP protocol is clearly needed. And yes FTP is a crappy protocol. I'm not an I-want-everything-in-the-kernel guy, I'd like a solution.

Julien
