[NETFILTER 2/8]: Add NetBIOS name service helper

Patrick McHardy kaber at trash.net
Wed Sep 7 12:13:10 CEST 2005


Samir Bellabes wrote:
> Patrick McHardy <kaber at trash.net> writes:
> 
>>Actually it was deliberate, I don't see a reason why the packet
>>should be dropped, it's best effort.
> 
> All conntracks are dropping packets, in that way.
> netbios_ns should do the same, or other conntracks should be patched.

Dropping when NAT fails makes sense because the reply packet
must be handled and the state is required for this. Dropping
when setting up an expectation fails doesn't make any sense to
me; the reply could still make it because, for example, there
are no rules or it is accepted by the ruleset.

Connection tracking only does tracking, not filtering, and should
only drop packets if necessary for accurate tracking.

Look at the FTP helper for example. It also tracks passive mode
connections, which are in many cases allowed by the ruleset
anyway. By dropping the packet we break what might work otherwise.

So I think changing the other helpers to only drop when really
necessary also makes sense.
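As an added illustration of the distinction drawn in this thread (this is not code from the netfilter tree or from either poster), the following user-space C model shows a helper that drops a reply only when the NAT rewrite of its payload fails, and treats a failed expectation as best effort. It assumes a toy expectation table of fixed size, a toy NAT mangling step that fails when the rewritten reply no longer fits its buffer (standing in for a failed sk_buff expansion), and constructed FTP PASV reply lines; the verdict values mirror NF_DROP/NF_ACCEPT but nothing here is the kernel API.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

enum { NF_DROP = 0, NF_ACCEPT = 1 };   /* same values as the netfilter headers */

#define MAX_EXPECT 2                    /* deliberately tiny so the table fills up */

struct expect { uint32_t ip; uint16_t port; int used; };
static struct expect expect_table[MAX_EXPECT];   /* toy expectation table */

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". Returns 1 on success. */
int parse_pasv(const char *line, uint32_t *ip, uint16_t *port)
{
    const char *p = strchr(line, '(');
    unsigned h1, h2, h3, h4, p1, p2;
    if (!p)
        return 0;
    if (sscanf(p, "(%u,%u,%u,%u,%u,%u)", &h1, &h2, &h3, &h4, &p1, &p2) != 6)
        return 0;
    if (h1 > 255 || h2 > 255 || h3 > 255 || h4 > 255 || p1 > 255 || p2 > 255)
        return 0;
    *ip = (h1 << 24) | (h2 << 16) | (h3 << 8) | h4;
    *port = (uint16_t)((p1 << 8) | p2);
    return 1;
}

/* Register an expectation for the data connection; fails when the table is full. */
int expect_related(uint32_t ip, uint16_t port)
{
    for (int i = 0; i < MAX_EXPECT; i++) {
        if (!expect_table[i].used) {
            expect_table[i] = (struct expect){ ip, port, 1 };
            return 1;
        }
    }
    return 0;
}

void expect_table_reset(void) { memset(expect_table, 0, sizeof expect_table); }

int expect_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_EXPECT; i++)
        n += expect_table[i].used;
    return n;
}

/* Toy NAT mangling: rewrite the address in the PASV reply to new_ip.
 * Fails when the longer text does not fit in buf (assumed stand-in for a
 * failed packet expansion). */
int nat_mangle_pasv(char *buf, size_t buflen, uint32_t new_ip, uint16_t port)
{
    const char *p = strchr(buf, '(');
    char tail[64];
    int n;
    if (!p)
        return 0;
    n = snprintf(tail, sizeof tail, "(%u,%u,%u,%u,%u,%u)\r\n",
                 (unsigned)(new_ip >> 24), (unsigned)((new_ip >> 16) & 0xff),
                 (unsigned)((new_ip >> 8) & 0xff), (unsigned)(new_ip & 0xff),
                 (unsigned)(port >> 8), (unsigned)(port & 0xff));
    if (n < 0 || (size_t)n >= sizeof tail)
        return 0;
    size_t prefix = (size_t)(p - buf);
    if (prefix + (size_t)n + 1 > buflen)
        return 0;                       /* rewritten reply would not fit */
    memcpy(buf + prefix, tail, (size_t)n + 1);
    return 1;
}

/* Helper decision. nat_ip == 0 means the connection is not NATed.
 * Drop only when the NAT rewrite fails; a failed expectation is best effort. */
int helper_verdict(char *reply, size_t buflen, uint32_t nat_ip)
{
    uint32_t ip;
    uint16_t port;
    if (!parse_pasv(reply, &ip, &port))
        return NF_ACCEPT;               /* not a PASV reply: nothing to track */
    if (nat_ip && !nat_mangle_pasv(reply, buflen, nat_ip, port))
        return NF_DROP;                 /* reply would carry a wrong address */
    expect_related(ip, port);           /* failure does not change the verdict */
    return NF_ACCEPT;
}

/* Copy a reply into a scratch buffer of the given size and run the helper. */
int run_helper(const char *reply, size_t buflen, uint32_t nat_ip)
{
    static char scratch[128];
    if (buflen > sizeof scratch || strlen(reply) + 1 > buflen)
        return -1;
    memcpy(scratch, reply, strlen(reply) + 1);
    return helper_verdict(scratch, buflen, nat_ip);
}

int main(void)
{
    const char *pasv = "227 Entering Passive Mode (10,0,0,5,4,1)\r\n";  /* constructed */
    expect_table_reset();
    printf("no NAT, table empty: %d\n", run_helper(pasv, 64, 0));
    printf("NAT, reply fits:     %d\n", run_helper(pasv, 64, 0xCB00710Au));
    printf("NAT, reply too long: %d\n", run_helper(pasv, 44, 0xCB00710Au));
    return 0;
}
```

The third call returns NF_DROP because the rewritten reply (203.0.113.10 is longer than 10.0.0.5) cannot be placed; filling the expectation table, by contrast, never changes the verdict.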


