Jozsef Kadlecsik wrote:
>
> I usually say that conntrack is not a policy-decision machine and
> therefore should not drop packets.

I strongly agree.

> However, for the protocol helpers I strongly believe if the helper can't
> figure out the protocol elements due to any kind of parser error, then
> the packet should be dropped. Otherwise we may open up possible DoS attack
> vectors to sloppy server/client implementations.

As a user, I do not expect packets to be dropped when I just enable conntrack
without loading any filtering rule. Wouldn't it be better (if possible) to flag
these packets so they can be dropped - or not - by iptables?

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
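The following is an added illustration of the split the reply asks for, not code from this thread or from the netfilter project: a toy protocol helper that, on a parser error, only flags the packet, while a separate policy stage (standing in for an iptables rule the administrator may or may not load) decides whether flagged packets are dropped. The FTP "PORT" grammar used here, the `struct pkt`, the `ct_invalid` flag, and the sample payloads are all constructed for this example and do not describe the kernel's real helpers.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, NOT the kernel's nf_conntrack_ftp. The helper parses an FTP
 * "PORT h1,h2,h3,h4,p1,p2\r\n" command. On a parser error it sets a flag
 * and returns; it never issues a drop verdict itself. */

enum helper_result { HELPER_OK = 0, HELPER_NOT_PORT, HELPER_PARSE_ERROR };
enum policy_verdict { VERDICT_ACCEPT = 0, VERDICT_DROP };

struct pkt {
    const char *payload;
    size_t len;
    int ct_invalid;      /* hypothetical flag: helper could not parse payload */
    uint32_t exp_addr;   /* expectation extracted on success */
    uint16_t exp_port;
};

/* Parse a decimal number in [0,255]; returns chars consumed, or -1 on error. */
static int parse_byte(const char *s, size_t len, unsigned *out)
{
    size_t i = 0;
    unsigned v = 0;
    while (i < len && i < 3 && isdigit((unsigned char)s[i])) {
        v = v * 10 + (unsigned)(s[i] - '0');
        i++;
    }
    if (i == 0 || v > 255)
        return -1;
    *out = v;
    return (int)i;
}

/* The helper: extract the expectation or flag the packet; no policy here. */
enum helper_result ftp_helper(struct pkt *p)
{
    const char *s = p->payload;
    size_t len = p->len;
    unsigned f[6];
    int i;

    if (len < 5 || memcmp(s, "PORT ", 5) != 0)
        return HELPER_NOT_PORT;     /* not a command we track: leave it alone */
    s += 5; len -= 5;

    for (i = 0; i < 6; i++) {
        int n = parse_byte(s, len, &f[i]);
        if (n < 0)
            goto bad;
        s += n; len -= (size_t)n;
        if (i < 5) {                 /* fields are comma separated */
            if (len == 0 || *s != ',')
                goto bad;
            s++; len--;
        }
    }
    if (len != 2 || s[0] != '\r' || s[1] != '\n')
        goto bad;                    /* trailing garbage or missing CRLF */

    p->exp_addr = (f[0] << 24) | (f[1] << 16) | (f[2] << 8) | f[3];
    p->exp_port = (uint16_t)((f[4] << 8) | f[5]);
    return HELPER_OK;
bad:
    p->ct_invalid = 1;               /* flag it; the decision belongs elsewhere */
    return HELPER_PARSE_ERROR;
}

/* Policy stage: analogue of an iptables rule. With drop_invalid == 0 (no
 * rule loaded) flagged packets pass through, which is the behaviour the
 * reply expects from a bare conntrack setup. */
enum policy_verdict policy(const struct pkt *p, int drop_invalid)
{
    if (p->ct_invalid && drop_invalid)
        return VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Convenience wrappers over a constructed packet. */
enum helper_result helper_status(const char *payload)
{
    struct pkt p = { payload, strlen(payload), 0, 0, 0 };
    return ftp_helper(&p);
}

enum policy_verdict process(const char *payload, int drop_invalid)
{
    struct pkt p = { payload, strlen(payload), 0, 0, 0 };
    ftp_helper(&p);
    return policy(&p, drop_invalid);
}

unsigned expected_port(const char *payload)
{
    struct pkt p = { payload, strlen(payload), 0, 0, 0 };
    return ftp_helper(&p) == HELPER_OK ? p.exp_port : 0;
}

int main(void)
{
    /* constructed sample payloads */
    const char *good = "PORT 10,0,0,5,4,1\r\n";       /* port 4*256+1 = 1025 */
    const char *bad  = "PORT 10,0,0,5,999,1\r\n";     /* 999 is not an octet */
    printf("good, no rule: %d  good, rule: %d\n", process(good, 0), process(good, 1));
    printf("bad,  no rule: %d  bad,  rule: %d\n", process(bad, 0), process(bad, 1));
    return 0;
}
```

The point the example makes concrete is that `ftp_helper` has only one way to react to malformed input, setting `ct_invalid`, while the choice to drop lives in `policy`, so enabling the helper alone never causes a drop; a rule has to ask for it.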