Hi,

I have a question regarding the call to l4_packet in nf_conntrack_in(...) from nf_conntrack_core.c.

When a module like TCP returns -NF_DROP in tcp_packet(...), the packet won't get dropped, because NF_DROP = 0, and in nf_conntrack_in the return of the call to l4_packet is checked:

    if (ret < 0) {
        ...
    }

So there is no way to drop packets after l4_packet. Why is this implemented that way?

There are several points in tcp_packet where the function returns -NF_DROP, and the comments in this function say that the packet will get blocked. For example (from tcp_packet):

    if (index == TCP_SYNACK_SET
        && ct->proto.tcp.last_index == TCP_SYN_SET
        && ct->proto.tcp.last_dir != dir
        && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
        /* b) This SYN/ACK acknowledges a SYN that we earlier
         * ignored as invalid. This means that the client and
         * the server are both in sync, while the firewall is
         * not. We kill this session and block the SYN/ACK so
         * that the client cannot but retransmit its SYN and
         * thus initiate a clean new session.
         */
        write_unlock_bh(&tcp_lock);
        if (LOG_INVALID(net, IPPROTO_TCP))
            nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
                          "nf_ct_tcp: killing out of sync session ");
        nf_ct_kill(ct);
        return -NF_DROP;
    }

I hope that I was clear. Could someone please explain this to me? And how can I block packets after the call to l4_packet?

Thanks

--
Christoph Paasch
www.rollerbulls.be
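A user-space model of the return-code convention the mail describes, added here as an example (it is not code from the mail or from the kernel tree): NF_DROP is 0, so an L4 handler's -NF_DROP is also 0 and a strict `ret < 0` test cannot distinguish it from a plain accept. The `model_l4_packet` stand-in, the `l4_decision` enum and the `ret <= 0` correction in `verdict_le_check` are my own assumptions for the model, not quoted from nf_conntrack_core.c.

```c
#include <stdio.h>

/* Netfilter verdict values: NF_DROP is 0, NF_ACCEPT is 1, so -NF_DROP == 0. */
#define NF_DROP   0
#define NF_ACCEPT 1

/* What a stand-in L4 tracker decides about a packet (constructed for the model). */
enum l4_decision {
    L4_TRACK_ACCEPT,     /* normal packet: return NF_ACCEPT */
    L4_INVALID_ACCEPT,   /* don't track, but let it pass: return -NF_ACCEPT */
    L4_INVALID_DROP      /* kill session and block: return -NF_DROP */
};

/* Models the return convention of an L4 handler such as tcp_packet(). */
static int model_l4_packet(enum l4_decision d)
{
    switch (d) {
    case L4_INVALID_ACCEPT: return -NF_ACCEPT;  /* -1 */
    case L4_INVALID_DROP:   return -NF_DROP;    /*  0 */
    default:                return NF_ACCEPT;   /*  1 */
    }
}

/* The check quoted in the mail: only strictly negative returns are inverted
 * into a verdict, so -NF_DROP (== 0) falls through and the packet is accepted. */
int verdict_lt_check(enum l4_decision d)
{
    int ret = model_l4_packet(d);
    if (ret < 0)
        return -ret;
    return NF_ACCEPT;
}

/* Assumed correction (mine, not quoted from the kernel): also treat zero as
 * "invalid", so -(-NF_DROP) becomes the NF_DROP verdict. */
int verdict_le_check(enum l4_decision d)
{
    int ret = model_l4_packet(d);
    if (ret <= 0)
        return -ret;
    return NF_ACCEPT;
}

int main(void)
{
    printf("out-of-sync SYN/ACK with 'ret < 0':  %d (NF_ACCEPT=1)\n",
           verdict_lt_check(L4_INVALID_DROP));
    printf("out-of-sync SYN/ACK with 'ret <= 0': %d (NF_DROP=0)\n",
           verdict_le_check(L4_INVALID_DROP));
    return 0;
}
```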