From: "John A. Sullivan III"
Subject: Re: filtering in mangle table
Date: Fri, 27 Jul 2007 07:59:56 -0400
To: Ganesan Natarajan
Cc: netfilter@lists.netfilter.org

On Fri, 2007-07-27 at 15:32 +0530, Ganesan Natarajan wrote:
> Hi,
> My requirement is before giving the packets to user space
> application (even before routing) I need to filter the packets. This
> has to be done for all packets irrespective of particular protocol.
>
> So I am using the mangle table with PREROUTING chain to filter as
> well as to queue the packets using the DROP, QUEUE targets of
> "iptables". But in man pages it is specified that the filter rules
> should not be added into mangle table.
>
> Are there any issues if I proceed with that?
>
> Ganesan
>
We have been doing something very similar in the open source ISCS network security management project (http://iscs.sourceforge.net). Although the bulk of the tens of thousands of access control rules we create for complex internal and micro-perimeter security are added to our filter table, we handle malicious packet checks (spoofs, ping floods, malformed packets, etc.) in the mangle table. Seems to be working fine for us! - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
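The kind of malicious-packet checks the reply describes (spoofs, ping floods, malformed packets) written as mangle PREROUTING rules, with the question's queue hand-off after them. This is an added example, not code from the thread or from the ISCS project; WAN_IF and LAN_NET are assumed placeholder values, and the BADPKT chain name is ours.

```shell
#!/bin/sh
# Added example, not from the thread or the ISCS project. Checks live in the
# mangle table's PREROUTING chain, which runs before routing and before nat
# PREROUTING, so they see the original, pre-DNAT addresses of every packet.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"              # assumption: external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumption: internal network behind it

mangle_checks() {
    # A dedicated user chain keeps the checks auditable and easy to flush.
    "$IPT" -t mangle -N BADPKT 2>/dev/null || "$IPT" -t mangle -F BADPKT

    # Spoofs: internal or loopback sources must never arrive on the WAN side.
    "$IPT" -t mangle -A BADPKT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    "$IPT" -t mangle -A BADPKT ! -i lo -s 127.0.0.0/8 -j DROP

    # Malformed TCP: flag combinations no legitimate stack sends.
    "$IPT" -t mangle -A BADPKT -p tcp --tcp-flags ALL NONE -j DROP
    "$IPT" -t mangle -A BADPKT -p tcp --tcp-flags ALL ALL -j DROP
    "$IPT" -t mangle -A BADPKT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    "$IPT" -t mangle -A BADPKT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # Conntrack runs before mangle PREROUTING, so INVALID is already known here.
    "$IPT" -t mangle -A BADPKT -m conntrack --ctstate INVALID -j DROP

    # Ping floods: rate-limit echo requests. RETURN, not ACCEPT: in mangle,
    # ACCEPT only ends traversal of this table, and from a user chain it would
    # skip any PREROUTING rules after the BADPKT jump (such as the queue below).
    "$IPT" -t mangle -A BADPKT -p icmp --icmp-type echo-request \
        -m limit --limit 5/second --limit-burst 10 -j RETURN
    "$IPT" -t mangle -A BADPKT -p icmp --icmp-type echo-request -j DROP

    # Run the checks on every incoming packet, whatever the protocol.
    "$IPT" -t mangle -A PREROUTING -j BADPKT
}

# Hand everything that survived the checks to a user-space application, as
# the question asks. NFQUEUE is the current form; the QUEUE target named in
# the question is the older, queue-0-only form.
queue_to_userspace() {
    "$IPT" -t mangle -A PREROUTING -j NFQUEUE --queue-num 0
}

mangle_checks
queue_to_userspace
```

Loading the rules needs root; run with `IPT=echo sh script.sh` first to review them.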