debug and notrack tables - proposal and questions
Jozsef Kadlecsik
kadlec@blackhole.kfki.hu
Fri, 19 Apr 2002 15:39:38 +0200 (CEST)
On Wed, 17 Apr 2002, Joakim Axelsson wrote:
> We would like to call this "border". Just the same as "filter INPUT", but
> the absolutely first thing that happens after the packet comes from the
> netcard-driver. Perhaps a border OUTPUT doing the same thing just before
> entering the netcard driver. But it's not really needed more than in anti
> spoof and debugging of your own network. Meaning border INPUT is enough,
> really.
This 'border' table is hooked at NF_IP_PRE_ROUTING?
> Any solution with being able to mark packets for "NOTRACK" or anything is
> just too complicated in our need; handling DoS. Everything that does get past
> "border" is conntracked (if conntrack is loaded). Plain and easy. However I
> can see that people would like the solution of letting packets get "flagged"
> notrack.
One could do both in the proposed new table: drop the packet or flag it to
avoid entering conntrack (for example web traffic).
Regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
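The two behaviours discussed in this message (dropping spoofed packets at the border and flagging web traffic so it never enters conntrack) can both be expressed with the iptables raw table, which is hooked at PREROUTING and OUTPUT ahead of the conntrack hook. The script below is an added example, not part of the original thread; it uses the raw table and the NOTRACK target from later iptables releases, and the interface name eth0 and ports 80/443 are assumed values. With DRY_RUN=1 (the default) it prints the commands instead of executing them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original thread): a "border" policy built with
# the iptables raw table, which runs at PREROUTING/OUTPUT before conntrack.
# Assumed values: external interface eth0, public web ports 80 and 443.
# With DRY_RUN=1 the commands are printed rather than executed.
set -e

WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Run or print an iptables command depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Sources that must never arrive on the external interface: loopback and the
# RFC 1918 private ranges. Packets carrying them are dropped in the raw table,
# i.e. before a conntrack entry could be allocated for them, which is the
# point of the "border" idea under DoS conditions.
SPOOF_SOURCES="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Ports whose traffic should bypass conntrack entirely (assumed: public web).
NOTRACK_PORTS="80 443"

# Emit the border rules. In dry-run mode the commands go to stdout.
border_rules() {
  for src in $SPOOF_SOURCES; do
    ipt -t raw -A PREROUTING -i "$WAN_IF" -s "$src" -j DROP
  done
  for port in $NOTRACK_PORTS; do
    # Inbound packets to the service: no conntrack entry is created.
    ipt -t raw -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" -j NOTRACK
    # Replies from the service: flag them too, otherwise the outgoing SYN-ACK
    # would still allocate an entry for the connection.
    ipt -t raw -A OUTPUT -o "$WAN_IF" -p tcp --sport "$port" -j NOTRACK
  done
}

# Number of rules the policy would install; a quick sanity check before
# loading it on a real box.
rule_count() {
  ( DRY_RUN=1; border_rules ) | wc -l | tr -d ' '
}

# Stand-alone use: print (DRY_RUN=1) or install (DRY_RUN=0) the policy.
border_rules
```

Run with `DRY_RUN=0` to actually install the rules. Two caveats follow from flagging packets NOTRACK: they carry no connection state, so filter-table rules that rely on `-m conntrack --ctstate ESTABLISHED` will not match them and the filter chains need explicit ACCEPT rules for that traffic; and NAT cannot be applied to them, since NAT depends on conntrack. On newer kernels the NOTRACK target is provided through `-j CT --notrack`, with the same placement in the raw table.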