On Mon, 1 Jul 2002, Henrik Nordstrom wrote:

> > - rewrite the IPT_CONTINUE targets as matches
>
> I am not very fond of this.. besides the order dependency it also has the
> question on how to easily determine what will happen with the packet.. No
> obvious distinction between something that matches packets and something that
> modifies packets or internal system state (conntrack, nfmark, ippools etc..).

Nothing much can be done about order dependency except the clear
documentation of the feature. When the prestate/raw table is ready
(oh well, time...) then it'll be a good aid in spotting misconfigured
rules.

I see that the apparent distinction between true matches and matches with
side effect would be lost compared to the case of separated matches,
actions. However, would it help the end user if there were a separated
interface to the matches with side-effect (actions)?

What would be the rule for an action name? I fear it would create a
confusion about which module is a match, which one is an action if an
action name would be lowercased.

Something new must be introduced. The question is which one is more coherent
*and* more user-friendly.

> > In my opinion the match solution would be better, cleaner.
>
> So your current opinion is that the IPT_CONTINUE targets should be rewritten
> as matches?

This is my current personal opinion. The naming issue of actions really
disturbs me.

Regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary



