Something I was thinking about when trying to come up with good .
Basically I would have all the 'HW applied' rules in a special chain, let's call it input-hw.
Then in INPUT you would have :
-A INPUT -i swp+,bond+ -j input-hw
as being the first rule (and checked by cl-acltools that it is such).
Then inside that input-hw chain you'd put all the rules you want applied at the hardware level (with all the constraints you have for those), but instead of 'ACCEPT' you'd use RETURN.
And finally all the rules you would put in INPUT itself wouldn't be applied through the hardware at all, they'd be normal linux kernel rules.
I see several advantages to this :
* It becomes very clear what is pushed in HW and what isn't.
* It makes it possible to have rules not pushed to HW and just applied locally on the host while still having them all loaded from the same config files by cl-acltool.
* You could write a NFQUEUE software that pushes all packets going to input-hw to a userspace software emulating the HW more accurately (for VX lab environments)
My main issue at the moment is I'd like to have some rules pushed to the HW, but then when packets end up hitting the CPU I'd like them to go through the "normal" linux stateful firewall.
So I can have the HW protect as much as it can and apply rate limiting and such, but then still be able to have stateful firewalling. And in the current model I'm not too sure how to do that ?