xt_TARPIT (was: ipt_account / iptables 1.3.8)
Patrick McHardy
kaber at trash.net
Mon Jul 9 16:15:14 CEST 2007
Jan Engelhardt wrote:
> On Jul 9 2007 15:37, Patrick McHardy wrote:
>
>>>in http://lists.netfilter.org/pipermail/netfilter-devel/2007-June/028366.html
>>>there was talk about a revamped xt_TARPIT.
>>>
>>>Patrick McHardy wrote:
>>>
>>>
>>>>Shouldn't be much work, maybe I'll look into this after finishing
>>>>my conntrack hash patches if no one beats me to it.
>>>
>>>Any progress? Because tarpit is in my series [kernel patch tree] (after
>>>connlimit), and I'd hate to do double effort if you already have it.
>>
>>No, I couldn't come up with a good way to remove the xrlim abuse yet.
>>
>
> from net/ipv4/icmp.c:
> * Check transmit rate limitation for given message.
> * The rate information is held in the destination cache now.
> * This function is generic and could be used for other purposes
> * too.
>
> I suppose "other purposes" could mean TCP here.. ;-')
I don't think so. Sending fake packets from an iptables target
shouldn't affect the behaviour of the network stack wrt. ICMP
errors.
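The interaction Patrick describes above can be made concrete. The following is an added example, not code from this thread or from the kernel: a userspace model of the xrlim_allow() token bucket in net/ipv4/icmp.c (the rate_tokens/rate_last fields in the dst entry, capped at XRLIM_BURST_FACTOR * timeout), with a constructed scenario in which a TARPIT-style target and the stack's ICMP error path both want to send to the same destination. When the target spends from the ICMP entry's tokens (the "xrlim abuse"), the ICMP error path is starved; with its own bucket, both proceed. The struct, function names, tick spacing and the assumption that the target runs before the ICMP path each tick are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Burst factor used by the kernel's xrlim_allow(): stored allowance
 * is capped at XRLIM_BURST_FACTOR * timeout. */
#define XRLIM_BURST_FACTOR 6

/* Stand-in for the rate fields icmp.c keeps in the destination cache
 * entry. Field names mirror the kernel's; the struct itself is
 * constructed for this example. */
struct dst_model {
    uint64_t rate_last;   /* "jiffies" at the last refill */
    uint64_t rate_tokens; /* stored allowance, in jiffies */
};

/* Userspace model of xrlim_allow(): credit the time elapsed since the
 * last call, cap the credit, then spend `timeout` jiffies of it per
 * permitted message. `now` replaces the kernel's jiffies counter and
 * `timeout` must be non-zero. Returns 1 if a message may be sent. */
static int xrlim_allow_model(struct dst_model *dst, uint64_t now, uint64_t timeout)
{
    dst->rate_tokens += now - dst->rate_last;
    dst->rate_last = now;
    if (dst->rate_tokens > XRLIM_BURST_FACTOR * timeout)
        dst->rate_tokens = XRLIM_BURST_FACTOR * timeout;
    if (dst->rate_tokens >= timeout) {
        dst->rate_tokens -= timeout;
        return 1;
    }
    return 0;
}

/* Number of back-to-back messages a fresh entry permits after sitting
 * idle for idle_jiffies; demonstrates the burst cap. */
int burst_allowance(uint64_t idle_jiffies, uint64_t timeout)
{
    struct dst_model dst = { 0, 0 };
    int n = 0;
    while (xrlim_allow_model(&dst, idle_jiffies, timeout))
        n++;
    return n;
}

struct sim_result {
    int icmp_errors; /* ICMP errors the stack was allowed to emit */
    int tarpit_pkts; /* fake TCP segments the target model emitted */
};

/* Constructed scenario: for 6000 jiffies, every 100 jiffies both the
 * ICMP error path and a TARPIT-style target want to send one packet to
 * the same destination, each wanting 1000-jiffy spacing (the default
 * icmp_ratelimit is 1000 ms). With shared != 0 the target draws from
 * the ICMP entry's tokens; otherwise it keeps its own bucket. The
 * target is modelled as deciding first in each tick. */
struct sim_result simulate(int shared)
{
    struct dst_model icmp_dst = { 0, 0 };
    struct dst_model tarpit_own = { 0, 0 };
    struct dst_model *tarpit_dst = shared ? &icmp_dst : &tarpit_own;
    const uint64_t timeout = 1000;
    struct sim_result r = { 0, 0 };

    for (uint64_t now = 100; now <= 6000; now += 100) {
        if (xrlim_allow_model(tarpit_dst, now, timeout))
            r.tarpit_pkts++;
        if (xrlim_allow_model(&icmp_dst, now, timeout))
            r.icmp_errors++;
    }
    return r;
}

int main(void)
{
    struct sim_result s = simulate(1), d = simulate(0);
    printf("burst after long idle: %d messages\n", burst_allowance(100000, 1000));
    printf("shared bucket:    ICMP errors %d, TARPIT packets %d\n", s.icmp_errors, s.tarpit_pkts);
    printf("separate buckets: ICMP errors %d, TARPIT packets %d\n", d.icmp_errors, d.tarpit_pkts);
    return 0;
}
```

With a shared bucket the target reaches the tokens first every time they refill, so the ICMP error path never gets to send; with separate buckets each side gets its one message per 1000 jiffies. That is the behavioural coupling a target should not introduce, and why a rewritten xt_TARPIT needs its own limiter rather than the ICMP one.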