Sorry for the late reply, I was really busy last week.

On Mon, Oct 07, 2002 at 12:38:09PM +0200, Ed White wrote:
> > I will come up with better examples later. promise.
> 
> I'm really interested, because I didn't understand what the objective is ;-)

The objective is to allow applications to insert and remove rules dynamically.
The present mechanisms for adding/removing rules are too general to be
easily used by applications. The application has to specify not only the
complete rule parameters, but has to know _where_ exactly to place the
rule in the ruleset (beginning, end, after a rule? etc.). Furthermore,
the administrator has no control on what rule an application inserts, or
a way to know which rules are inserted by an application. To make matters
more complex, if the application crashes, it may leave permanent rules
in the ruleset.

Now, after all that talk, I should note that, with proper usage of
static rules (especially the user keyword) most proxy servers would
never need to insert rules (or can be designed to remove that requirement).
However, there are isolated cases where it would be useful; see
the recent post by Matthew Sweet for instance. That is why I could not
easily come up with a real world example.

The rdr/nat rules are more complicated and ftp-proxy, for instance,
does not support EPSV requests in non NAT mode because it cannot (easily)
add the required rdr rule. However, the rule syntax and semantics have to
be worked out for rdr/nat case.

> 
> > This would enable better chaining of chain rules ;)
> 
> Chain...
> This word is Linux-related, could we change it ?
> Call it a "jump" (in fact it jumps a rule).

Oops, I have not thought about ipchains! 

There is no jumping involved, perhaps 'link' would have been a better term
or 'temp' for temporary/template or 'dynamic'.


Hope this helps to clarify things.

Can
