xt_TARPIT

Yasuyuki KOZAKAI yasuyuki.kozakai at toshiba.co.jp
Thu Jul 19 02:38:02 CEST 2007


From: Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
Date: Wed, 18 Jul 2007 17:02:45 +0200 (CEST)

> Hi,
> 
> On Wed, 18 Jul 2007, Patrick McHardy wrote:
> 
> >> +	/* This packet will not be the same as the other: clear nf fields */
> >> +	nf_conntrack_put(nskb->nfct);
> >> +	nskb->nfct = NULL;
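
Review bot: the comment on the first quoted line says "clear nf fields", but the two statements under it only release and clear nskb->nfct. Unless code after the quoted lines resets the rest of the netfilter state on nskb, consider calling nf_reset(nskb) here instead of open-coding the put and the NULL assignment, so that the code matches its comment and the other per-skb netfilter references are dropped as well.
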
> 
> If the target is called from the raw table, please attach the fake untrack 
> entry to the created packet so that we could use TARPIT and conntrack 
> nicely.

I'm not sure that we should make TARPIT usable in the raw table, but anyway,
why is the fake untrack entry necessary? I think it is better for the created
packet to pass through the LOCAL_OUT hook so that nf_conntrack can attach an
appropriate entry. That is what REJECT does.

-- Yasuyuki Kozakai
