On 2002/10/28 10:30, Shachar Shemesh wrote:
> no true "state" is kept (for example - no proper tracking of
> connection's state, no ability to limit packets based on
> packets seen so far on the same connection)
Regarding this specific feature, which you listed as missing from
netfilter: the current version of iptables (with the bundled kernel
patches) supports access to all conntrack fields from iptables rules.,
and also keeps 32 bits of general-purpose state per connection (a
"connection mark"). This is definitely an improvement in the expressive
power of iptables.
In case anyone's interested: the relevant iptables patch-o-matic patches
are {oldnat,extra}/CONNMARK and submitted/conntrack.
This does not significantly detract from your essential argument about
iptables vs. FW-1, of course.
Eran
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
