Using ipset-6.9.1 on Linux-3.1.1
Only managing ipv4 traffic on Intel Atom-330 firewall.
Same iptables rules, however after updating from v4 code I see issues.
Attacker sends a packet;
I detect an unserved dest port and --add-set Blah src;
LOG it, DROP it, and begone;
But the set may not match for several further packets.
Ouch. Buffers?
Blah is used as
iptables -t raw -I PREROUTING -m set --match-set Blah src -j DROP
This DROP is NEVER logged, but certainly counted.
However, I often continue to log multiple packets from blocked hosts,
despite supposedly blocking them on the first bad packet.
I can confirm they are in the set but when packet_count exceeds 1
something is very wrong with that picture.
Marty B.
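The ruleset below is an added example reconstructing the setup the post describes (a set of offending sources, a detection chain that adds the source and logs and drops, and an early raw/PREROUTING drop for anything already in the set). It is not the poster's actual configuration: the set type hash:ip, the chain name BLOCKHOST, placing detection in filter/INPUT, the conntrack NEW restriction and the DRY_RUN/run helper that prints commands instead of executing them are all assumptions made here so the script can be reviewed without root. The raw rule is inserted with -I so it sits ahead of everything else in PREROUTING, and the detection chain is appended with -A so accept rules for served ports, which must come first in INPUT, keep precedence.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumed: set name Blah of type
# hash:ip (IPv4 only, as in the post), detection in filter/INPUT via a chain
# named BLOCKHOST, and DRY_RUN=1 (default) printing commands instead of running them.

SET_NAME="Blah"
DRY_RUN="${DRY_RUN:-1}"

# Helper (assumed, not from the post): print the command in dry-run mode, else run it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the whole ruleset in the order it should be evaluated.
build_rules() {
    # 1. The set of blocked sources. -exist keeps re-runs idempotent.
    run ipset -exist create "$SET_NAME" hash:ip family inet

    # 2. Earliest possible drop: raw/PREROUTING runs before conntrack, so a
    #    blocked source costs almost nothing. This is the post's rule with the
    #    '-m set' match module spelled out explicitly.
    run iptables -t raw -I PREROUTING -m set --match-set "$SET_NAME" src -j DROP

    # 3. Detection chain: add the source to the set, log it, drop it
    #    (same order as the post). Accept rules for served ports must be
    #    appended to INPUT before these two jump rules.
    run iptables -N BLOCKHOST
    run iptables -A BLOCKHOST -j SET --add-set "$SET_NAME" src
    run iptables -A BLOCKHOST -j LOG --log-prefix "blocked-host: "
    run iptables -A BLOCKHOST -j DROP
    run iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j BLOCKHOST
    run iptables -A INPUT -p udp -m conntrack --ctstate NEW -j BLOCKHOST
}

# Checks a practitioner wants after a hit: is the address really in the set,
# and is the raw-table drop rule counting packets for it?
verify_blocked() {
    run ipset test "$SET_NAME" "$1"
    run iptables -t raw -nvxL PREROUTING
}

build_rules
```

Run with DRY_RUN=0 as root to apply the rules; the default only prints them. If log lines keep appearing for a source after it is in the set, compare the raw PREROUTING packet counter from verify_blocked with the number of logged packets for that source: every packet past the first should be counted there and never reach the LOG rule.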