Packets don't go to userspace at all if they're going *through* a router.
But we still need this functionality for firewalls on the host.
Some firewall applications need to track connections, scan packets
within a connection, and even have the option of dropping connections
altogether (e.g. intrusion protection). Netfilter will need some
rearrangement to achieve this if channels go direct to userspace.
Copyright © 2017, Eklektix, Inc.