
Re: ipchains style



On Sun, 31 Dec 2000, Alex Shnitman wrote:

> > btw, in the new kernel (2.4), where netfilter is used, there is a new
> > notion of tables. unlike usage of multiple chains, usage of multiple
> > tables does add extra functionality, in that it allows you to have one set
> > of rules perform a complete "computation", and then the packets coming out
> > of it are re-processed by the rules in a second table. i already saw a case
> > where this allowed for more functionality than is possible using kernel
> > 2.2's chains.
>
> I'm really curious -- like what?

the separation into tables allows you to treat masquerading and filtering
separately. thus, you can process a packet _after_ it has been processed by
a masquerading rule. this wasn't possible in the 2.2 kernel - after a
packet matched a masquerading rule, it didn't go through any further processing
(except for as an output packet, but then some info would have been lost).

there are other added features. since the firewalling code has been
modularized in 2.4, it's possible to add new modules that will allow for
more fine-tuned filtering and masquerading. such modules were written (and
come in the stock 2.4 test kernels) for filtering packets based on the
user that originated them, supporting NAT in various forms, supporting
port redirection at the kernel level, etc.

> Or where can I read about it?

just look for the netfilter howto, available over the net, and written by
the guy that wrote a large part of the netfilter code in the 2.4 kernel.
look for it on the net.

also, look in the source too. there's a doc talking about the netfilter
code, somewhere under the kernel sources' Documentation directory.

--
guy

"For world domination - press 1,
 or dial 0, and please hold, for the creator." -- nob o. dy
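An added illustration of the nat/filter split described in the reply above (example script, not part of the original post or of the netfilter project): a port redirect is done in the nat table's PREROUTING chain, and the filter table's INPUT chain then sees and filters the rewritten packet; masquerading and per-user filtering are shown alongside. Interface names, the LAN network, ports and the user name are assumed; rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Assumed topology: eth0 towards the internet, eth1 towards a 192.168.1.0/24 LAN.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}; LAN=${LAN:-eth1}; LAN_NET=${LAN_NET:-192.168.1.0/24}

# Dry-run wrapper: print the rule, or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# 1. nat table, PREROUTING: kernel-level port redirection. A packet from the
#    LAN to tcp/80 is rewritten to tcp/3128 before the filter table sees it.
redirect_rules() {
  run "$IPT" -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports 3128
}

# 2. filter table, INPUT: runs after the rewrite, so it matches the NEW
#    destination port (3128). This is the "filter after NAT" step that the
#    2.2 chains could not do: only LAN sources may reach the redirected port.
input_rules() {
  run "$IPT" -A INPUT -i "$LAN" -p tcp --dport 3128 -s "$LAN_NET" -j ACCEPT
  run "$IPT" -A INPUT -i "$LAN" -p tcp --dport 3128 -j DROP
}

# 3. filter FORWARD decides policy on the original addresses; nat POSTROUTING
#    then masquerades the packets that were allowed through.
forward_rules() {
  run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
  run "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  run "$IPT" -A FORWARD -j DROP
  run "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# 4. filter OUTPUT with the owner match module: drop traffic originated by
#    one local user (assumed: "nobody") regardless of destination.
owner_rules() {
  run "$IPT" -A OUTPUT -o "$WAN" -m owner --uid-owner nobody -j DROP
}

all_rules() { redirect_rules; input_rules; forward_rules; owner_rules; }

all_rules
```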

