From: Patrick McHardy <kaber@trash.net>
To: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>
Cc: jengelh@computergmbh.de, netfilter-devel@lists.netfilter.org,
safari-netfilter@safari.iki.fi, kadlec@blackhole.kfki.hu
Subject: Re: xt_TARPIT
Date: Thu, 19 Jul 2007 02:44:49 +0200 [thread overview]
Message-ID: <469EB401.8000700@trash.net> (raw)
In-Reply-To: <200707190038.l6J0c3pR002571@toshiba.co.jp>
Yasuyuki KOZAKAI wrote:
> From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Date: Wed, 18 Jul 2007 17:02:45 +0200 (CEST)
>
>
>> If the target is called from the raw table, please attach the fake untrack
>> entry to the created packet so that we could use TARPIT and conntrack
>> nicely.
>>
>
> I'm not sure that we should make TARPIT usable in raw table, but anyway
> why the fake untrack entry is necessary ? I think that the created packet
> is better to pass through LOCAL_OUT hook so that nf_conntrack can attach an
> appropriate entry. That is what REJECT does.
>
I think both cases are valid. The restriction of REJECT to filter
(and that means INPUT FORWARD OUTPUT) has only one technical justification,
the packet is guaranteed to have a dst_entry, which is used for some
simple checks that could also be done otherwise. In raw the original
packet can't have been NATed, so a valid conntrack reference is not
necessary to NAT the reply. Other than that I can think of no real
reason why REJECT or TARPIT packets must have a conntrack refererence.
I don't really like adding a notrack reference in the TARPIT target
though, I would prefer to use the one from the original packet (as in
REJECT) and for NOTRACK you would simply mark the original packet.
next prev parent reply other threads:[~2007-07-19 0:44 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-07-08 14:59 xt_TARPIT (was: ipt_account / iptables 1.3.8) Jan Engelhardt
2007-07-09 13:37 ` Patrick McHardy
2007-07-09 14:11 ` Jan Engelhardt
2007-07-09 14:15 ` Patrick McHardy
2007-07-09 14:58 ` Jan Engelhardt
2007-07-09 15:04 ` Patrick McHardy
2007-07-09 15:09 ` Jan Engelhardt
2007-07-09 15:16 ` Patrick McHardy
2007-07-10 9:17 ` Jan Engelhardt
[not found] ` <20070710190717.ccq5x5v4s5pqvxto@m.safari.iki.fi>
2007-07-18 11:12 ` Jan Engelhardt
2007-07-18 13:04 ` Patrick McHardy
2007-07-18 15:02 ` Jozsef Kadlecsik
2007-07-19 0:38 ` xt_TARPIT Yasuyuki KOZAKAI
2007-07-19 0:44 ` Patrick McHardy [this message]
2007-07-19 1:09 ` xt_TARPIT Yasuyuki KOZAKAI
2007-07-19 6:49 ` xt_TARPIT Jozsef Kadlecsik
2007-07-29 14:44 ` xt_TARPIT Jan Engelhardt
2007-07-30 12:23 ` xt_TARPIT Patrick McHardy
2007-07-30 13:35 ` xt_TARPIT Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=469EB401.8000700@trash.net \
--to=kaber@trash.net \
--cc=jengelh@computergmbh.de \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@lists.netfilter.org \
--cc=safari-netfilter@safari.iki.fi \
--cc=yasuyuki.kozakai@toshiba.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.