183771's Journal: Rusty Rusell rewriting netfilter code again

Rusty Rusell is rewriting some parts of netfilter code, have a look to their thoughts.

"Yay! Working on netfilter code again. Some decisions made at the netfilter summit to simplify the code. In particular, we've decided to (try to) get rid of some complex code in the core. Firstly, it's time to remove the ipfwadm and ipchains backwards compatibility code. I had to provide a special interface half-way into the NAT and connection tracking code for these layers: getting rid of that will allow various cleanups. Secondly, NAT mapping to multiple ranges is a very rarely-used feature which complicates the code. It can be simulated with a random match which chooses different NAT rules for each connection, anyway, and it makes the core more complicated. Finally, for local Destination NAT, if we send the packet out a different interface, we also do Source NAT to match the interface address. This has always been questionable, and means that we now have multiple NATs on a single hook. Changing this is likely to break some setups, but many people do not enable local NAT anyway."