yasuyuki.kozakai at toshiba.co.jp
Thu Jul 19 03:09:07 CEST 2007
From: Patrick McHardy <kaber at trash.net>
> > I'm not sure that we should make TARPIT usable in the raw table, but anyway,
> > why is the fake untrack entry necessary? I think it is better for the created packet
> > to pass through the LOCAL_OUT hook so that nf_conntrack can attach an
> > appropriate entry. That is what REJECT does.
> I think both cases are valid. The restriction of REJECT to filter
> (and that means INPUT FORWARD OUTPUT) has only one technical justification,
> the packet is guaranteed to have a dst_entry, which is used for some
> simple checks that could also be done otherwise. In raw the original
> packet can't have been NATed, so a valid conntrack reference is not
> necessary to NAT the reply. Other than that I can think of no real
> reason why REJECT or TARPIT packets must have a conntrack reference.
> I don't really like adding a notrack reference in the TARPIT target
> though, I would prefer to use the one from the original packet (as in
> REJECT) and for NOTRACK you would simply mark the original packet.
You're right. Yes, nf_ct_attach is also necessary. I need caffeine.
-- Yasuyuki Kozakai