Linux Netfilter discussions
* filtering in mangle table
@ 2007-07-27 10:02 Ganesan Natarajan
  2007-07-27 11:59 ` John A. Sullivan III
  2007-07-28 10:24 ` Pascal Hambourg
  0 siblings, 2 replies; 3+ messages in thread
From: Ganesan Natarajan @ 2007-07-27 10:02 UTC (permalink / raw)
  To: netfilter

Hi,
       My requirement is before giving the packets to user space
application (even before routing) I need to filter the packets. This
has to be done for all packets irrespective of particular protocol.

so I am using the mangle table with PREROUTING chain to filter as
well as to queue the packets using the DROP, QUEUE targets of
"iptables". But in man pages it is specified that the filter rules
should not be added into mangle table.

Are there any issues if I proceed with that?

Ganesan



* Re: filtering in mangle table
  2007-07-27 10:02 filtering in mangle table Ganesan Natarajan
@ 2007-07-27 11:59 ` John A. Sullivan III
  2007-07-28 10:24 ` Pascal Hambourg
  1 sibling, 0 replies; 3+ messages in thread
From: John A. Sullivan III @ 2007-07-27 11:59 UTC (permalink / raw)
  To: Ganesan Natarajan; +Cc: netfilter

On Fri, 2007-07-27 at 15:32 +0530, Ganesan Natarajan wrote:
> Hi,
>        My requirement is before giving the packets to user space
> application (even before routing) I need to filter the packets. This
> has to be done for all packets irrespective of particular protocol.
> 
> so I am using the mangle table with PREROUTING chain to filter as
> well as to queue the packets using the DROP, QUEUE targets of
> "iptables". But in man pages it is specified that the filter rules
> should not be added into mangle table.
> 
> Are there any issues if I proceed with that?
> 
> Ganesan
> 
We have been doing something very similar in the open source ISCS
network security management project (http://iscs.sourceforge.net).
Although the bulk of the tens of thousands of access control rules we
create for complex internal and micro-perimeter security are added to
our filter table, we handle malicious packet checks (spoofs, ping
floods, malformed packets, etc.) in the mangle table.  Seems to be
working fine for us! - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com




* Re: filtering in mangle table
  2007-07-27 10:02 filtering in mangle table Ganesan Natarajan
  2007-07-27 11:59 ` John A. Sullivan III
@ 2007-07-28 10:24 ` Pascal Hambourg
  1 sibling, 0 replies; 3+ messages in thread
From: Pascal Hambourg @ 2007-07-28 10:24 UTC (permalink / raw)
  To: netfilter

Hello,

Ganesan Natarajan wrote:
>        My requirement is before giving the packets to user space
> application (even before routing) I need to filter the packets.

Why even before routing? (Yes, I'm curious)

> so I am using the mangle table with PREROUTING chain to filter as
> well as to queue the packets using the DROP, QUEUE targets of
> "iptables". But in man pages it is specified that the filter rules
> should not be added into mangle table.

Built-in targets such as DROP and QUEUE can be used in any table and
chain. But target extensions may have limitations. For example the
REJECT target can be used only in the filter table, so it cannot be used
in the mangle table. Also, filtering in the nat table is not recommended
because the nat table does not see all packets but only packets in the
NEW state which are the first packet of a connection.
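As an added example (not code from the thread or from either poster), a pre-routing malicious-packet filter of the kind John describes, kept inside what Pascal says is legal in the mangle table: only DROP and a queue verdict, no REJECT. It assumes iptables with the conntrack and NFQUEUE extensions and a hypothetical WAN interface name; set IPT=echo to print the commands instead of installing them.

```shell
#!/bin/sh
# Added example: filtering in mangle PREROUTING, before routing, as asked in
# the thread. Only built-in verdicts (DROP, queue) are used; REJECT is
# restricted to the filter table and would be refused here.
IPT="${IPT:-iptables}"

# Interface facing untrusted traffic: an assumption for this example.
WAN_IF="${WAN_IF:-eth0}"

mangle_prefilter() {
    # Connection tracking hooks PREROUTING before mangle does, so ctstate
    # is already meaningful at this point (it would not be in the raw table).
    $IPT -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
    # Malformed TCP flag combinations (null, SYN+FIN, XMAS) that no
    # legitimate stack emits.
    $IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    # Source spoofing: loopback or RFC 1918 sources arriving on the WAN side.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -t mangle -A PREROUTING -i "$WAN_IF" -s "$net" -j DROP
    done
    # Everything that survives goes to user space before routing. NFQUEUE
    # queue 0 is the same verdict the thread's QUEUE target delivers.
    $IPT -t mangle -A PREROUTING -j NFQUEUE --queue-num 0
}

# Number of rules the function installs (or, with IPT=echo, prints).
mangle_prefilter_rule_count() {
    ( IPT=echo; mangle_prefilter ) | grep -c -- '-t mangle -A PREROUTING'
}

# Install only when explicitly asked (needs root); otherwise just define.
if [ "${1:-}" = "--apply" ]; then
    mangle_prefilter
fi
```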

