xt_TARPIT (was: ipt_account / iptables 1.3.8)
Jan Engelhardt
jengelh at computergmbh.de
Mon Jul 9 16:58:39 CEST 2007
On Jul 9 2007 16:15, Patrick McHardy wrote:
>>>
>>>No, I couldn't come up with a good way to remove the xrlim abuse yet.
>>>
If you ask me, just remove the xrlim call, and replace it by
some sort of 'last' timestamp, e.g.
    time_t last;

    static int target()
    {
            if (!otcph->syn && otcph->ack)
                    /* pure ACK less than 5 seconds after the last packet */
                    if (!(last + 5 <= now()))
                            return; /* rate limit */
            last = now();
    }
As far as I can see, that xrlim call is there for at least one case:
tarpit sends ACKs with window=0, but client ignores the RFC-given delay for
window=0 packets.
Jan
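
Added example (not part of the original message and not xt_TARPIT code): a user-space C model of the 'last' timestamp check sketched above, with a wraparound-safe time comparison. The struct, the function names and the packet trace are hypothetical and constructed for illustration; the 5-second interval is the value from the sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define TARPIT_MIN_INTERVAL 5u   /* seconds, as in the sketch above */

struct tarpit_state {            /* hypothetical; the sketch uses one global */
	uint32_t last;           /* time of the last packet we answered */
	bool     have_last;      /* false until the first answer */
};

struct pkt { uint32_t t; bool syn; bool ack; };

/* Constructed trace: one SYN, then zero-window probes (pure ACKs). */
static const struct pkt sample_trace[] = {
	{100, true,  false}, {100, false, true}, {101, false, true},
	{104, false, true},  {105, false, true}, {106, false, true},
	{110, false, true},  {111, false, true},
};
#define SAMPLE_LEN (sizeof sample_trace / sizeof sample_trace[0])

/* True if a is earlier than b, even when the counter has wrapped. */
static bool time_before32(uint32_t a, uint32_t b)
{
	return (int32_t)(a - b) < 0;
}

/* Decide whether to answer p; only pure ACKs are rate limited. */
bool tarpit_should_reply(struct tarpit_state *st, const struct pkt *p)
{
	bool pure_ack = !p->syn && p->ack;

	if (pure_ack && st->have_last &&
	    time_before32(p->t, st->last + TARPIT_MIN_INTERVAL))
		return false;    /* rate limit */
	st->last = p->t;
	st->have_last = true;
	return true;
}

/* Run a trace through the limiter and count the answers sent. */
size_t tarpit_count_replies(struct tarpit_state *st,
			    const struct pkt *pkts, size_t n)
{
	size_t sent = 0;

	for (size_t i = 0; i < n; i++)
		sent += tarpit_should_reply(st, &pkts[i]);
	return sent;
}
```

On the constructed trace the SYN at t=100 is answered and the probing client then gets one answer per 5 seconds (t=105, t=110), however fast it retransmits.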