Hello Again

On Wednesday, January 04, 2012 18:40:35 Pablo Neira Ayuso wrote:
> On Wed, Jan 04, 2012 at 12:48:35PM +0100, Hans Schillstrom wrote:
> > I like that idea, an "early" table at prio -500 with PREROUTING.
> > There is also a need for a new flag "--allfrags"
> > i.e. all fragments need to be sorted out and sent to the same dest for defrag.
> >
> > ex.
> > iptables -t early -A PREROUTING -i eth0 --allfrags -j NOTRACK
>
> New tables add too much overhead. We have discussed this before with
> Patrick.
>

Only if loaded .. It would have been the perfect solution.
Is the discussion about the overhead on the list (I can't find it)?

I made a quick test with an "early" table and --allfrags fix (for IPv4) and it works really well.

iptables -t early -A PREROUTING -i eth0 -a -j NOTRACK
iptables -t mangle -A PREROUTING -i eth0 -a -j HMARK --mod 3 --offs 100

So your opinion is no more tables, even if it's rare that it is loaded?

Regards
Hans
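The steering problem the thread is about (every fragment of one datagram has to reach the same defrag destination, but only the first fragment carries transport ports), as an added Python model that is not from the thread and not netfilter's xt_HMARK code; the crc32 hash, the field layout and the Packet class are assumptions, while the `--mod 3 --offs 100` parameters come from Hans's HMARK rule.

```python
# Added model of fragment-aware marking. Not netfilter code: crc32 as the hash
# and the Packet layout are assumptions; mod=3/offs=100 mirror the thread's rule.
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # IPv4 source address
    dst: str            # IPv4 destination address
    proto: int          # IP protocol number (6 = TCP, 17 = UDP)
    frag_offset: int    # 0 for the first (or only) fragment
    more_frags: bool    # the MF bit
    sport: int = 0      # transport ports exist only in the first fragment
    dport: int = 0


def is_fragment(p: Packet) -> bool:
    """What "--allfrags" selects: every fragment, the first one included."""
    return p.frag_offset != 0 or p.more_frags


def hash_key(p: Packet, addrs_only: bool) -> str:
    """Fields fed to the hash.  Later fragments have no transport header, so a
    5-tuple key can only be built for the first fragment and differs from the
    key of its siblings; an address-only key is identical for all of them."""
    key = f"{p.src}|{p.dst}|{p.proto}"
    if not addrs_only and p.frag_offset == 0:
        key += f"|{p.sport}|{p.dport}"
    return key


def hmark(p: Packet, mod: int, offs: int, addrs_only: bool) -> int:
    """mark = (hash % mod) + offs, i.e. a bucket in [offs, offs + mod)."""
    return (zlib.crc32(hash_key(p, addrs_only).encode()) % mod) + offs


def marks_for(frags: list, addrs_only: bool) -> set:
    """Marks the fragments of one datagram receive with --mod 3 --offs 100.
    A single mark means every fragment is steered to the same defrag host."""
    return {hmark(p, 3, 100, addrs_only) for p in frags if is_fragment(p)}


# Constructed sample: one UDP datagram split in three, plus an unfragmented packet.
DATAGRAM = [
    Packet("10.0.0.1", "10.0.0.2", 17, 0, True, 4000, 53),
    Packet("10.0.0.1", "10.0.0.2", 17, 185, True),
    Packet("10.0.0.1", "10.0.0.2", 17, 370, False),
]
UNFRAGMENTED = Packet("10.0.0.1", "10.0.0.2", 17, 0, False, 4001, 53)
```

Running `marks_for(DATAGRAM, True)` yields one mark in 100..102 for all three fragments, whereas the 5-tuple keys from `hash_key(p, False)` already differ between the first fragment and the rest.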