> I think the netfilter problems are more significant.
I don't see why. If I'm designing a server process that requires very high throughput, I'm not going to install iptables rules for established connections. That kind of performance hit just seems antithetical to high throughput.
I would think the following logic would be fine for users:
* If the iptables rules installed only filter on the first packet in a connection, network channels can be used for data reception.
* If per-packet (established connection) rules are in effect, disable network channels.
I'd be perfectly happy with such a compromise, and I can't imagine it would be too hard to set a /proc variable when iptables installs a rule for established connections.
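The two-way compromise proposed above, written out as a check over `iptables-save` output. This is an added example, not code from the comment author or from netfilter; the rulesets are constructed, and the /proc knob the comment imagines does not exist, so the function only computes the decision that such a knob would be set from.

```python
import re
from typing import List

# Constructed iptables-save fragments (not from the original thread): one ruleset
# that only inspects the first packet of a connection, one that matches every packet.
FIRST_PACKET_ONLY = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j DROP
COMMIT
"""

PER_PACKET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
"""

# Matches both the legacy `state` match and the `conntrack` match syntax.
STATE_RE = re.compile(r"-m (?:state|conntrack) --(?:state|ctstate) (\S+)")


def per_packet_rules(save_output: str, chain: str = "INPUT") -> List[str]:
    """Return the rules in `chain` that netfilter would evaluate on packets of an
    already-established connection. A rule restricted to the NEW state is only
    consulted for the first packet; a rule with no state match at all, or one
    naming ESTABLISHED/RELATED, is evaluated on every packet."""
    hits = []
    for line in save_output.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        m = STATE_RE.search(line)
        states = set(m.group(1).split(",")) if m else set()
        if states == {"NEW"}:
            continue
        hits.append(line)
    return hits


def channels_allowed(save_output: str, chain: str = "INPUT") -> bool:
    """The compromise from the comment: network channels may handle data
    reception only when no rule in the chain applies to established connections."""
    return not per_packet_rules(save_output, chain)
```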
Copyright © 2017, Eklektix, Inc.