Hi,

I've developed a connection tracking module which I'd like to use for detecting packets that may be dropped with an iptables rule. That is, the connection tracker can detect that a packet is not valid in the context of the tracked connection. So, I'd like the administrator to be able to add a rule that would allow dropping/rejecting that packet. A possible use case is to block packets from an attacker (assumed as such because the packet does not conform to the current state of the connection).

As far as I understand it, the connection tracker usually handles this by returning a negative/null value (-NF_ACCEPT, NF_DROP, ...) which marks the packet invalid, so that it is possible to use the xt_conntrack extension to match it.

I've looked at the TCP connection tracker. If I understand well, the current behavior is that if we've got an INVALID packet, it kills the conntrack, then creates it again if we see an ACK later on. Am I right? That is, it seems that by any way we invalidate a packet, it always destroys the conntrack, so that we no longer have the connection state at our disposal. I would like to avoid that for the protocol I track. Is there a way to do so? Am I missing something?

Thank you.

-- nimai

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
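The question turns on two actions the netfilter core keeps separate: a protocol tracker's packet() callback returning a negative verdict (-NF_ACCEPT, -NF_DROP) detaches the packet from its conntrack entry, which is what makes `-m conntrack --ctstate INVALID` match it, while the entry itself is destroyed only when the tracker kills it explicitly (the TCP tracker does this in its "reopen a closed connection" path, returning -NF_REPEAT so the core starts over). The program below is an added userspace model of that convention, not code from the original post and not kernel code: NF_ACCEPT/NF_DROP/NF_REPEAT reuse the kernel's verdict names, but the request/reply protocol, its transition table, `struct conn`, `tracker_packet()` and `ct_core_in()` are constructed stand-ins for the real l4proto packet() hook and nf_conntrack_in() flow, with a one-entry "table" instead of a hash lookup.

```c
/* Userspace model of the verdict convention used by netfilter conntrack
 * protocol modules.  Added illustration, not kernel code: NF_ACCEPT/NF_DROP/
 * NF_REPEAT mirror the kernel's verdict names; the protocol, its state table,
 * struct conn and ct_core_in() are constructed stand-ins for the real
 * nf_conntrack_in() / l4proto->packet() pair. */
#include <stdbool.h>
#include <stdio.h>

enum { NF_DROP = 0, NF_ACCEPT = 1, NF_REPEAT = 4 };

/* States of a made-up request/reply protocol; CT_MAX doubles as "invalid". */
enum ct_state { CT_NONE, CT_REQ_SENT, CT_ESTABLISHED, CT_CLOSED, CT_MAX };
enum pkt_kind { PK_REQ, PK_REPLY, PK_DATA, PK_CLOSE, PK_MAX };

struct conn { bool alive; enum ct_state state; };    /* alive=false: killed   */
struct pkt  { enum pkt_kind kind; bool reply_dir; }; /* reply_dir: reply side */
struct ct_result {
    struct conn *ct;   /* NULL: packet is INVALID to a conntrack state match */
    int verdict;       /* NF_ACCEPT or NF_DROP, never negative */
};

/* Constructed transition table: next state, or CT_MAX when invalid here. */
static const enum ct_state next_state[CT_MAX][PK_MAX] = {
    /*                  REQ          REPLY           DATA            CLOSE     */
    [CT_NONE]        = { CT_REQ_SENT, CT_MAX,         CT_MAX,         CT_MAX    },
    [CT_REQ_SENT]    = { CT_REQ_SENT, CT_ESTABLISHED, CT_MAX,         CT_CLOSED },
    [CT_ESTABLISHED] = { CT_MAX,      CT_MAX,         CT_ESTABLISHED, CT_CLOSED },
    [CT_CLOSED]      = { CT_MAX,      CT_MAX,         CT_MAX,         CT_CLOSED },
};

/* Per-packet callback in the role of an l4proto packet() hook.  Positive:
 * tracked.  Negative: INVALID for the current state.  -NF_ACCEPT leaves the
 * entry and its state untouched; only an explicit kill removes the entry. */
static int tracker_packet(struct conn *c, const struct pkt *p)
{
    /* Reopen: a new REQ on a closed entry.  Kill it and have the core start
     * over with a fresh entry (the TCP tracker's -NF_REPEAT idiom). */
    if (c->state == CT_CLOSED && p->kind == PK_REQ && !p->reply_dir) {
        c->alive = false;
        return -NF_REPEAT;
    }
    /* Message type sent from the wrong side: invalid, entry kept. */
    if ((p->kind == PK_REQ && p->reply_dir) || (p->kind == PK_REPLY && !p->reply_dir))
        return -NF_ACCEPT;
    enum ct_state ns = next_state[c->state][p->kind];
    if (ns == CT_MAX)
        return -NF_ACCEPT;   /* out of state: leave it to an INVALID rule */
    c->state = ns;
    return NF_ACCEPT;
}

/* Core flow for one packet against a one-entry "table". */
static struct ct_result ct_core_in(struct conn *entry, const struct pkt *p)
{
    struct ct_result r = { NULL, NF_ACCEPT };
    for (int attempt = 0; attempt < 2; attempt++) {
        bool created = !entry->alive;
        if (created) {                 /* no entry yet: create one */
            entry->alive = true;
            entry->state = CT_NONE;
        }
        int ret = tracker_packet(entry, p);
        if (ret > 0) {
            r.ct = entry;
            r.verdict = ret;
            return r;
        }
        /* Negative verdict: the packet is detached.  An entry created by this
         * very packet has no other holder and is freed; an older one stays. */
        if (created)
            entry->alive = false;
        if (ret == -NF_REPEAT)
            continue;                  /* tracker killed it: retry from scratch */
        r.verdict = -ret;
        return r;
    }
    return r;
}

/* Normal exchange, an out-of-state packet, a reopen, and a stray first packet;
 * each bit records that the step behaved as described (127 = all seven). */
static int demo(void)
{
    struct conn c = { false, CT_NONE }, d = { false, CT_NONE };
    const struct pkt req = { PK_REQ, false }, reply = { PK_REPLY, true },
                     data = { PK_DATA, true }, fin = { PK_CLOSE, false },
                     bogus = { PK_REQ, true }, stray = { PK_DATA, false };
    struct ct_result r;
    int ok = 0;
    r = ct_core_in(&c, &req);   if (r.ct && c.state == CT_REQ_SENT)    ok |= 1;
    r = ct_core_in(&c, &reply); if (r.ct && c.state == CT_ESTABLISHED) ok |= 2;
    r = ct_core_in(&c, &bogus); /* REQ from the reply side: INVALID, entry kept */
    if (!r.ct && r.verdict == NF_ACCEPT && c.alive && c.state == CT_ESTABLISHED) ok |= 4;
    r = ct_core_in(&c, &data);  if (r.ct && c.state == CT_ESTABLISHED) ok |= 8;
    r = ct_core_in(&c, &fin);   if (r.ct && c.state == CT_CLOSED)      ok |= 16;
    r = ct_core_in(&c, &req);   if (r.ct && c.alive && c.state == CT_REQ_SENT) ok |= 32;
    r = ct_core_in(&d, &stray); if (!r.ct && !d.alive) ok |= 64; /* no half-built entry */
    return ok;
}

int main(void)
{
    printf("demo mask: %d (127 means every step behaved)\n", demo());
    return 0;
}
```

The step worth watching is the `bogus` packet: the tracker returns -NF_ACCEPT, the core hands the packet on with no conntrack attached (the condition a state match reports as INVALID, so an administrator's rule such as `-m conntrack --ctstate INVALID -j DROP` can act on it), and the ESTABLISHED entry is still there for the next legitimate packet. The entry disappears only in the two cases the model kills it on purpose: the reopen path, and an entry that was created by the very packet that turned out to be invalid, which nobody else holds.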