Re: [PATCH,RFC] explicit connection confirmation
From: Lennert Buytenhek <hidden>
Date: 2002-11-08 18:28:03
On Fri, Nov 08, 2002 at 06:22:00AM -0500, jamal wrote:
> > netfilter, yeah, sure, 'could have', but please.
>
> apology if i sounded like one of those adolescent netfilter dangerous fools who show up with "mama, look what i can do with a packet now that i've read netfilter docs"

No, you don't sound such, sorry for reacting the way I did.
> > 'Make it a netfilter module' is generally what people say when they are confronted with a feature they don't like.
>
> My angle was to avoid being intrusive to the tcp code. you might get a fish sent to you in .nl in an armani suit;->
Sorry but I don't like fish nor armani suits :-)
> > There was a thread about this in private mail round April this year, in which some good points were raised.
>
> There are some good points; however, what's the app for this feature?
My specific application is a proxy application that replaces the in-kernel IP masquerading functionality, using a wildcard REDIRECT rule plus SO_ORIGINAL_DST. The main reason I'm doing it in userspace is because downstream bandwidth limiting becomes a whole lot easier this way than doing it in-kernel -- it would need complicated state tracking and nonobvious window field manipulations if done there.

The applications that Bert and Marc named sound sane too. There's just a whole lot of things this thing can be used for.

cheers,
Lennert