From: Martijn Lievaart <m@rtij.nl>
Cc: netfilter-devel@lists.netfilter.org
Subject: Talking about recent (was: Re: [PATCH] 2.4.x new amanda conntrack + NAT support)
Date: Tue, 01 Apr 2003 10:23:46 +0200	[thread overview]
Message-ID: <3E894C92.5010801@rtij.nl> (raw)
In-Reply-To: <20030331.070910.52982765.davem@redhat.com>

>Harald, what is the state of ipt_recent?  Will I see it soon?

Talking about recent, I'm not completely happy with the way it is now. If I understand things correctly the rcheck decision on matching source or destination is not done based on the commandline, but on tables->side. But iirc the rsource/rdest argument is happily accepted on the rcheck and subsequently ignored. This could be a useful feature, let the user decide. In fact, I think the table->side is unneeded, it can always be specified at the cost of a little work from the user. I'm running such a patch at home, but it is incompatible with existing ipt_recent as it ignores table->side. Such would break existing installations. I think I see a way of making this work without breaking any compatibility. I'll submit a patch once I have it working, based on the new recent module.

Why is this useful? F.i. track all outgoing connections and reject with tcp reset incoming idents that match the table. Otherwise fall through to the default drop. This would need a reversing of source and destination between the --set and the --rcheck. This would allow a real stealthy firewall that still handles idents in a sane way. I once looked at creating a helper for this, but that would need some major surgery on the iptables core I think. Using the recent match would be a rather clean solution at the cost of some additional memory used. Also, other dynamic protocols could be made a little safer by this as well, pending a real conntrack helper.

(Yes, I know there is a feature freeze, but I'm not in a hurry)

Martijn Lievaart
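The ident use case from the mail above, as an added toy model that is not the kernel module or any patch from this thread: a minimal stand-in for one recent table where --set and --rcheck each pick their own side of the packet (destination on the outgoing --set, source on the incoming --rcheck), run over constructed addresses; the iptables rule shape it mirrors is an assumption stated in the comments.

```python
"""Toy model of the recent-match semantics discussed in the mail: --set
records an address, --rcheck looks it up, and rsource/rdest select which
address of the packet each side uses. Added illustration only.

Assumed rule shape this models (not from the thread):
  iptables -A OUTPUT -p tcp --syn -m recent --set --rdest
  iptables -A INPUT  -p tcp --syn --dport 113 -m recent --rcheck --rsource \
           --seconds 60 -j REJECT --reject-with tcp-reset
  iptables -P INPUT DROP
"""
import time


class RecentTable:
    """Simplified stand-in for one recent table: address -> last-seen time."""

    def __init__(self, clock=time.monotonic):
        self.entries = {}
        self.clock = clock

    def set(self, pkt, side):
        """--set: remember pkt's source ("rsource") or destination ("rdest")."""
        self.entries[pkt[side]] = self.clock()

    def rcheck(self, pkt, side, seconds=None):
        """--rcheck: True if the chosen address was seen within `seconds`."""
        seen = self.entries.get(pkt[side])
        if seen is None:
            return False
        return seconds is None or self.clock() - seen <= seconds


def ident_policy(table, packet):
    """Verdict for an incoming ident (tcp/113) SYN: reset if the sender is a
    host we recently connected to, otherwise fall through to the default DROP."""
    if table.rcheck(packet, "rsource", seconds=60):
        return "REJECT --reject-with tcp-reset"
    return "DROP"


def demo(clock=time.monotonic):
    """Constructed traffic: we connect out to 192.0.2.10, then two ident probes
    arrive; only the one from 192.0.2.10 is answered with a reset."""
    table = RecentTable(clock)
    table.set({"rsource": "198.51.100.1", "rdest": "192.0.2.10"}, "rdest")
    known = {"rsource": "192.0.2.10", "rdest": "198.51.100.1"}
    unknown = {"rsource": "203.0.113.7", "rdest": "198.51.100.1"}
    return ident_policy(table, known), ident_policy(table, unknown)
```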

Thread overview: 6+ messages
2003-03-30 20:07 [PATCH] 2.4.x new amanda conntrack + NAT support Harald Welte
2003-03-31 15:09 ` David S. Miller
2003-03-31 15:24   ` Stephen Frost
2003-03-31 15:55   ` Harald Welte
2003-04-01  8:23   ` Martijn Lievaart [this message]
2003-04-07 16:46     ` Talking about recent (was: Re: [PATCH] 2.4.x new amanda conntrack + NAT support) Stephen Frost
