Design proposal for a better ACL language

Eric S. Raymond esr at
Tue Jun 14 20:42:27 UTC 2016

Mark Atwood <fallenpegasus at>:
> It is possible to write an iptables kernel loadable module that can do
> application level filtering, and the ntp packet format even lends itself to
> it.
> However, we will not go down that route.  It would be Linux-only, it would
> be outside of our remit and outside of our current hot skill-set, it would
> be yet another moving part, it would be difficult to package, and difficult
> to get many installations to install, as they get very strict about which
> KLMs they will install, and all for very little if any performance increase.
> We will put the ntp application level packet filter in user space in the
> ntpsec implementation, not in the kernel.
> ..m

I concur 100% on both result and reasoning.
		<a href="">Eric S. Raymond</a>

More information about the devel mailing list