[PATCH] aggressive early_drop and reserved conntrack entries

Martin Josefsson gandalf at wlug.westbo.se
Mon Dec 13 14:25:47 CET 2004


On Mon, 13 Dec 2004, Jozsef Kadlecsik wrote:

> > > Huh? No check to see if we already are assured or not?
> > > Not needed for icmp, tcp or sctp but udp and the generic handler does.
> >
> > Oops, absolutely correct, I tested the code with TCP only. Fortunately
> > it's easy to fix :-)
>
> Attached is the patch which takes into account that the assured bit might
> already be set (and thus we are on the unassured list).

I'll take this for a test drive during a DoS on a test machine here later
this evening. I doubt it makes any difference compared to the old one when
you have virtually no assured entries, just a truckload of unassured ones.
So it's a bit tricky to test in a lab, I need to set up that
sniffer machine on the real internet feed so I get a proper conntrack
table to test with.

/Martin
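The two points in this exchange, early_drop evicting only unassured entries and the assured bit possibly being set a second time for UDP and the generic handler, are easier to see in a small model. The following is an added illustration written for this page; it is not the attached patch or any netfilter code, and every name in it (struct ct_table, ct_new, ct_mark_assured, the list_errors counter, CT_MAX) is hypothetical. It keeps a singly linked list of unassured entries, lets early_drop reclaim from that list when the table is full, and contrasts an unchecked "mark assured" path that unlinks unconditionally with one that only unlinks on the 0 to 1 transition of the assured bit.

```c
/* Added example for this discussion, not netfilter code; all names are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define CT_MAX 4             /* tiny table so pressure is easy to reach */
#define IPS_ASSURED 0x1u     /* set once traffic has been seen in both directions */

struct ct {
    unsigned int status;
    bool in_use;
    struct ct *next;         /* link in the unassured list, NULL when not on it */
};

struct ct_table {
    struct ct slots[CT_MAX];
    struct ct *unassured_head;   /* oldest unassured entry, evicted first */
    struct ct *unassured_tail;
    size_t count;
    unsigned int list_errors;    /* unlink attempted on an entry not on the list */
};

static void ct_table_init(struct ct_table *t) { memset(t, 0, sizeof *t); }

static void unassured_append(struct ct_table *t, struct ct *e) {
    e->next = NULL;
    if (t->unassured_tail) t->unassured_tail->next = e; else t->unassured_head = e;
    t->unassured_tail = e;
}

/* In a kernel list this would be a plain list_del(); unlinking a node that is
 * not on the list corrupts it, which is what list_errors stands in for here. */
static void unassured_del(struct ct_table *t, struct ct *e) {
    struct ct *prev = NULL, *cur = t->unassured_head;
    while (cur && cur != e) { prev = cur; cur = cur->next; }
    if (!cur) { t->list_errors++; return; }
    if (prev) prev->next = e->next; else t->unassured_head = e->next;
    if (t->unassured_tail == e) t->unassured_tail = prev;
    e->next = NULL;
}

/* Reclaim one unassured entry; fails when every entry is assured. */
static bool early_drop(struct ct_table *t) {
    struct ct *victim = t->unassured_head;
    if (!victim) return false;
    unassured_del(t, victim);
    victim->in_use = false;
    victim->status = 0;
    t->count--;
    return true;
}

/* New entries start unassured and therefore on the early_drop candidate list. */
static struct ct *ct_new(struct ct_table *t) {
    if (t->count >= CT_MAX && !early_drop(t)) return NULL;
    for (size_t i = 0; i < CT_MAX; i++) {
        struct ct *e = &t->slots[i];
        if (!e->in_use) {
            e->in_use = true;
            e->status = 0;
            unassured_append(t, e);
            t->count++;
            return e;
        }
    }
    return NULL;
}

/* Unchecked variant: unlinks every time, which is fine for TCP (one transition)
 * but breaks for protocols that set the bit on every reply packet. */
static void ct_mark_assured_unchecked(struct ct_table *t, struct ct *e) {
    e->status |= IPS_ASSURED;
    unassured_del(t, e);
}

/* Checked variant: only the first marking takes the entry off the list. */
static void ct_mark_assured(struct ct_table *t, struct ct *e) {
    if (e->status & IPS_ASSURED) return;
    e->status |= IPS_ASSURED;
    unassured_del(t, e);
}

/* Mark the same entry assured twice; returns how many bad unlinks happened. */
static unsigned int demo_double_mark(bool checked) {
    struct ct_table t;
    ct_table_init(&t);
    struct ct *e = ct_new(&t);
    for (int i = 0; i < 2; i++) {
        if (checked) ct_mark_assured(&t, e); else ct_mark_assured_unchecked(&t, e);
    }
    return t.list_errors;
}

/* Allocate n entries into a CT_MAX table; returns how many allocations succeed. */
static int demo_allocs(bool assure_each, int n) {
    struct ct_table t;
    ct_table_init(&t);
    int ok = 0;
    for (int i = 0; i < n; i++) {
        struct ct *e = ct_new(&t);
        if (!e) continue;
        ok++;
        if (assure_each) ct_mark_assured(&t, e);
    }
    return ok;
}
```

With only unassured entries in the table (the lab situation described above) early_drop always finds a victim, so every allocation succeeds; the checked and unchecked marking paths only diverge once a protocol marks the same entry assured more than once.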


