Two questions/proposals for the netfilter core developers

Brad Chapman
Thu, 25 Oct 2001 11:53:04 -0700 (PDT)

Mr. Eugeniu,

--- s I n <sin@Aniela.EU.ORG> wrote:
> Hi,
> I have two questions for the netfilter core developers and for the others
> that know how netfilter works:
> 1) Is someone working (or has the intention) to make a match target that can
> act like a dynamic firewall, that can be used like this:
> ~# iptables -A INPUT -p TCP -m string --string "hello" -j DYNAMIC --action DROP
> and the effect of such a command to be the insertion of a new rule that
> will drop all the traffic coming from the host that sent the string
> "hello" to the host receiving it ?

	No. netfilter, and kernel-space in general, is NOT the place to be
doing this. If you are looking for CodeRed/Nimda/CGI stuff, get a web proxy
like Squid, which IIRC comes with support for the SO_ORIGINAL_DST setsockopt.

> 2) Is someone working (or has the intention) to make a module for
> netfilter that can do per host/service accounting without influencing the
> behaviour of a firewall ?

	AFAIK, no. I played around with a simple packet/byte counter which exported
info via /proc a while back, but lost the source during a hard drive upgrade :(

> Regards,
> 	Patrascu Eugeniu


Brad Chapman

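The proxy approach Brad points at works because netfilter keeps the pre-NAT destination of a REDIRECTed connection and hands it to user space through the SO_ORIGINAL_DST socket option (it is read with getsockopt at level SOL_IP, which is what Squid's transparent mode relies on). The following is an added example, not code from the thread or from Squid: a minimal listener that accepts connections diverted by a rule such as `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128`, recovers the original destination, and refuses connections that were made directly to the proxy (for those, SO_ORIGINAL_DST returns the proxy's own address, and connecting onward would loop). The port 3128, the helper names and the loop check are assumptions made for this example.

```c
/* Added example: recovering the original destination of a connection that a
 * netfilter REDIRECT rule diverted to a user-space proxy. Not part of the
 * original thread; port and helper names are assumptions. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* defines SO_ORIGINAL_DST */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80           /* value from linux/netfilter_ipv4.h */
#endif
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif

#define PROXY_PORT 3128              /* assumed: port the REDIRECT rule targets */

/* Build an IPv4 endpoint from dotted-quad text and a host-order port.
 * Returns 0, or -1 if the address text is invalid. */
int make_endpoint(const char *ip, unsigned port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons((unsigned short)port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* Render an IPv4 endpoint as "a.b.c.d:port". Returns 0, or -1 on bad input
 * or a buffer too small for the result. */
int format_endpoint(const struct sockaddr_in *sa, char *buf, size_t n)
{
    char ip[INET_ADDRSTRLEN];
    if (sa == NULL || sa->sin_family != AF_INET ||
        inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip) == NULL)
        return -1;
    if ((size_t)snprintf(buf, n, "%s:%u", ip, ntohs(sa->sin_port)) >= n)
        return -1;
    return 0;
}

/* Ask the kernel for the destination the client originally connected to.
 * Returns 0 and fills *dst, or -1 (errno set) if fd is not a connected
 * socket with a conntrack entry (e.g. EBADF, ENOENT). */
int original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof *dst;
    memset(dst, 0, sizeof *dst);
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, dst, &len) < 0)
        return -1;
    return dst->sin_family == AF_INET ? 0 : -1;
}

/* A client that connects straight to the proxy port (no REDIRECT involved)
 * gets the proxy's own address back from SO_ORIGINAL_DST; connecting onward
 * to it would loop back into the proxy. Returns 1 for such a loop, else 0. */
int is_loop(const struct sockaddr_in *dst, const struct sockaddr_in *local)
{
    return dst->sin_port == local->sin_port &&
           dst->sin_addr.s_addr == local->sin_addr.s_addr;
}

int main(void)
{
    struct sockaddr_in bind_addr;
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    make_endpoint("0.0.0.0", PROXY_PORT, &bind_addr);
    if (ls < 0 || bind(ls, (struct sockaddr *)&bind_addr, sizeof bind_addr) < 0 ||
        listen(ls, 16) < 0) {
        perror("listen");
        return 1;
    }
    for (;;) {
        struct sockaddr_in peer, local, dst;
        socklen_t plen = sizeof peer, llen = sizeof local;
        char pbuf[32], dbuf[32];
        int c = accept(ls, (struct sockaddr *)&peer, &plen);
        if (c < 0)
            continue;
        getsockname(c, (struct sockaddr *)&local, &llen);
        format_endpoint(&peer, pbuf, sizeof pbuf);
        if (original_dst(c, &dst) < 0)
            fprintf(stderr, "%s: no NAT entry (%s)\n", pbuf, strerror(errno));
        else if (is_loop(&dst, &local))
            fprintf(stderr, "%s: direct connection to proxy, refusing\n", pbuf);
        else if (format_endpoint(&dst, dbuf, sizeof dbuf) == 0)
            printf("%s -> originally %s (connect onward here)\n", pbuf, dbuf);
        close(c);   /* a real proxy would now relay to dst */
    }
}
```

Run it as root on the box holding the REDIRECT rule; clients on the redirected path print their true destination, while anyone who dials port 3128 directly is turned away rather than bounced back into the proxy. The same getsockopt is what lets a proxy apply content checks (the CodeRed/Nimda-style string matching asked about above) in user space and still forward to the right origin server.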