How about issueing conntrack event in init

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* How about issueing conntrack event in init_conntrack()?
@ 2007-11-15  9:38 Daniel
  2007-11-15 13:57 ` Patrick McHardy
  0 siblings, 1 reply; 2+ messages in thread
From: Daniel @ 2007-11-15  9:38 UTC (permalink / raw)
  To: netfilter-devel

hi, all

We all know event IPCT_NEW is issued whenever conntrack is confirmed,
then how about issueing a IPCT_INIT event in init_conntrack()? 
IPCT_INIT indicates that one IP is trying to create a connection, maybe 
we can catch these kind of events, do some analyzation work, and block 
the evil *attempting* packet(this will prevent conntrack being confirmed). 

Is this make any sense?

Thanks :-)

Daniel
2007-11-15

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: How about issueing conntrack event in init_conntrack()?
  2007-11-15  9:38 How about issueing conntrack event in init_conntrack()? Daniel
@ 2007-11-15 13:57 ` Patrick McHardy
  0 siblings, 0 replies; 2+ messages in thread
From: Patrick McHardy @ 2007-11-15 13:57 UTC (permalink / raw)
  To: Daniel; +Cc: netfilter-devel

Daniel wrote:
> hi, all
> 
> We all know event IPCT_NEW is issued whenever conntrack is confirmed,
> then how about issueing a IPCT_INIT event in init_conntrack()? 
> IPCT_INIT indicates that one IP is trying to create a connection, maybe 
> we can catch these kind of events, do some analyzation work, and block 
> the evil *attempting* packet(this will prevent conntrack being confirmed). 
> 
> Is this make any sense?


That wouldn't work since the connection is going to be confirmed
before you get a chance to do something. On SMP it might work,
but would be racy. In general ctnetlink events relate to the
conntrack table, so we don't want to send events for connections
that are not confirmed.


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2007-11-15 13:57 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-11-15  9:38 How about issueing conntrack event in init_conntrack()? Daniel
2007-11-15 13:57 ` Patrick McHardy

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).