On Mon, Nov 16, 2009 at 09:54, Rainer Gerhards <[email protected]> wrote:
> I agree, but many people seem to use this functionality, and it was
> introduced some years ago by request. I do not feel comfortable with the idea
> of removing support for it. The newer protocols do not support ACLs in any
> case.
>
> Are there some more voices in regard to removing that functionality? Would
> make the implementation (and probably the throughput) a bit simpler/faster.

I agree with David's assessment that "security" by this type of ACL is minimally effective. However, the functionality is occasionally useful for situations where management of the software is easier than management of the firewall (typically for business/operational constraints).

I'd love to see it reimplemented as a modular part of the ephemeral "middle layer" along with other filtering and modification functionality. I know RainerScript is supposed to fill a lot of that void, but until it's implemented and proven performant my wishes still lie with a filter layer API.

>> I agree that fewer messages will probably be lost by accepting them and
>> checking later than by pausing to do the check initially.

Ditto - although conceptually pure, front-end checking is probably too expensive for such a performance-critical component as the receiver.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

