Wouldn't it be much cleaner if we enable forwarding selectively on interfaces where we need it instead of system-wide forwarding? As an example: normally you do not need forwarding on your eth0 in a gateway setup.
Yes. The wan-forward part kind of handles stuff the same way. With the increased space in front of connection tracking we could now enforce dropping these packages directly.
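As an added illustration of the per-interface approach suggested above (example code, not from this thread or the project): a POSIX sh fragment that renders an IPv4 forwarding policy as sysctl lines enabling forwarding only on named interfaces, and checks a `sysctl net.ipv4.conf` dump against that policy. The interface names and the dump are constructed; the point to note is that writing `net.ipv4.conf.all.forwarding` (or `net.ipv4.ip_forward`) overwrites every interface's flag, so the per-interface lines must come after it, and that this per-interface control is an IPv4 property, since Linux IPv6 forwarding is decided by the `all` setting and per-interface filtering has to be done in netfilter.

```shell
#!/bin/sh
# Added example (not the project's code). Interface names are constructed.

# render_forwarding_conf IFACE... : print sysctl.conf lines that enable IPv4
# forwarding only on the named interfaces. The 'all' and 'default' keys come
# first on purpose: setting net.ipv4.conf.all.forwarding (or ip_forward)
# rewrites every interface's flag, so later per-interface lines must win.
render_forwarding_conf() {
    printf 'net.ipv4.conf.all.forwarding = 0\n'
    printf 'net.ipv4.conf.default.forwarding = 0\n'
    for ifname in "$@"; do
        printf 'net.ipv4.conf.%s.forwarding = 1\n' "$ifname"
    done
}

# check_forwarding DUMP IFACE... : DUMP is the text of 'sysctl net.ipv4.conf'.
# Returns 0 when exactly the named interfaces have forwarding=1; otherwise
# prints each interface with an unexpected flag to stderr and returns 1.
# The 'all' and 'default' pseudo-entries are policy knobs, not interfaces,
# and are skipped. Note: sysctl prints VLAN names like eth0.100 as eth0/100.
check_forwarding() {
    dump=$1; shift
    wanted=" $* "
    bad=0
    for entry in $(printf '%s\n' "$dump" \
            | sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.forwarding = \([01]\)$/\1=\2/p'); do
        ifname=${entry%=*}; flag=${entry#*=}
        case "$ifname" in all|default) continue ;; esac
        case "$wanted" in
            *" $ifname "*) expect=1 ;;
            *)             expect=0 ;;
        esac
        if [ "$flag" != "$expect" ]; then
            echo "$ifname: forwarding=$flag, expected $expect" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed dump of a gateway where eth0 (the WAN side) still forwards,
# which a policy of "forward only on lan0" should flag.
SAMPLE_DUMP='net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lan0.forwarding = 1
net.ipv4.conf.lo.forwarding = 0'
```

Run `render_forwarding_conf lan0 > /etc/sysctl.d/forwarding.conf` (as root) to install the policy, and feed `sysctl net.ipv4.conf` to `check_forwarding` to audit a running box.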