Re: Request for comments

Crutcher Dunnavant (crutcher@datastacks.com)
Thu, 19 Jul 2001 12:30:49 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: (no name): "Re: kernel lockup in 2.4.5-ac3 and 2.4.6-pre7 (netfilter ?)"
Previous message: Daniel Phillips: "Re: Inclusion of zoned inactive/free shortage patch"

++ 19/07/01 18:44 +0300 - Cornel Ciocirlan:
> a) more efficient packet filtering. After a cache entry is created for a
> flow, we apply the ACLs for the packet and associate the action with the
> flow. All subsequent packets belonging to the same flow will be
> dropped/accepted without re-appying the packet filtering rules

I'm seeing an identification problem arise here. You have to be able to
identify packets in a flow robustly, and you have to be able to spot packets
trying to fake it. I dont see any way in which you will be able to avoid
the packet filtering rules here.

-- 
Crutcher        <crutcher@datastacks.com>
GCS d--- s+:>+:- a-- C++++$ UL++++$ L+++$>++++ !E PS+++ PE Y+ PGP+>++++
    R-(+++) !tv(+++) b+(++++) G+ e>++++ h+>++ r* y+>*$
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Next message: (no name): "Re: kernel lockup in 2.4.5-ac3 and 2.4.6-pre7 (netfilter ?)"
Previous message: Daniel Phillips: "Re: Inclusion of zoned inactive/free shortage patch"