From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: xt_TARPIT (was: ipt_account / iptables 1.3.8)
Date: Mon, 09 Jul 2007 16:15:14 +0200
Message-ID: <469242F2.6080505@trash.net>
References: <469239FE.3020904@trash.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Cc: Netfilter Developer Mailing List, kadlec@blackhole.kfki.hu
To: Jan Engelhardt
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Jan Engelhardt wrote:
> On Jul 9 2007 15:37, Patrick McHardy wrote:
>
>>>in http://lists.netfilter.org/pipermail/netfilter-devel/2007-June/028366.html
>>>there was talk about a revamped xt_TARPIT.
>>>
>>>Patrick McHardy wrote:
>>>
>>>
>>>>Shouldn't be much work, maybe I'll look into this after finishing
>>>>my conntrack hash patches if no one beats me to it.
>>>
>>>Any progress? Because tarpit is in my series [kernel patch tree] (after
>>>connlimit), and I'd hate to do double effort if you already have it.
>>
>>No, I couldn't come up with a good way to remove the xrlim abuse yet.
>>
>
> from net/ipv4/icmp.c:
>  *	Check transmit rate limitation for given message.
>  *	The rate information is held in the destination cache now.
>  *	This function is generic and could be used for other purposes
>  *	too.
>
> I suppose "other purposes" could mean TCP here.. ;-')

I don't think so. Sending fake packets from an iptables target
shouldn't affect the behaviour of the network stack wrt. ICMP errors.