Design proposal for a better ACL language
Eric S. Raymond
esr at thyrsus.com
Tue Jun 14 20:42:27 UTC 2016
Mark Atwood <fallenpegasus at gmail.com>:
> It is possible to write an iptables kernel loadable module that can do
> application level filtering, and the ntp packet format even lends itself to
> However, we will not go down that route. It would be Linux-only, it would
> be outside of our remit and outside of our current hot skill-set, it would
> be yet another moving part, it would be difficult to package, and difficult
> to get many installations to install, as they get very strict about which
> KLMs they will install, and all for very little if any performance increase.
> We will put the ntp application level packet filter in user space in the
> ntpsec implementation, not in the kernel.
I concur 100% on both result and reasoning.
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
More information about the devel