From: Florian Westphal <fw@strlen.de>
To: Eugene Crosser <crosser@average.org>
Cc: netfilter@vger.kernel.org
Subject: Re: conntrack: confirm existing but do not create new entries
Date: Wed, 18 Aug 2021 18:13:40 +0200
Message-ID: <20210818161340.GR607@breakpoint.cc>
In-Reply-To: <1e7f26ea-426f-0c32-829e-123cdd6c9f68@average.org>

Eugene Crosser <crosser@average.org> wrote:
> My use case is to set up a stateful firewall allowing any outgoing connection
> from a host, and restricting incoming, which obviously requires conntracking.
> The twist is that there exists a rather high probability of DoS-like incoming
> traffic, that easily overflows conntrack table with unconfirmed entries, even
> though their lifetime is very short.

Create a rule that drops NEW packets in the prerouting hook. For iptables,
mangle will work (raw is too early).  For nftables, you'll need to choose
a hook priority of -199 or higher (-198, ... to anything below 2**31).

Such packets will create a new connection entry, but because the packet gets
dropped before confirmation the entry will not be committed to the table.
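One way to express the nftables variant of this advice, as an added example that is not part of the thread (the interface name `eth0` and the permitted inbound ports are assumptions):

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumes the upstream-facing
# interface is "eth0" and that only 22/tcp and 443/tcp should accept new
# inbound connections; adjust both to the host.
flush ruleset

table inet filter {
    # Priority -199 sits just after the conntrack hook (-200), so "ct state"
    # is already classified, but before confirmation, which only happens at
    # the very end of the path. A drop here never commits the entry to the
    # conntrack table, so floods of unwanted SYNs do not fill it.
    # Priority raw (-300) would be too early: conntrack has not run yet and
    # "ct state new" cannot match there.
    chain prerouting_new {
        type filter hook prerouting priority -199; policy accept;

        # Wanted new inbound connections continue and will be confirmed.
        iifname "eth0" ct state new tcp dport { 22, 443 } accept

        # Everything else that would create an entry is dropped unconfirmed.
        # The counter makes the drop rate visible via "nft list ruleset".
        iifname "eth0" ct state new counter drop
    }

    # Ordinary stateful policy for locally delivered traffic. Outgoing
    # connections are unrestricted (no output chain, so default accept) and
    # their replies are admitted here as established/related.
    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport { 22, 443 } accept
    }
}
```

The iptables counterpart named in the message is a DROP rule in the mangle table's PREROUTING chain matching `-m conntrack --ctstate NEW`, which runs at the same point relative to conntrack.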
