Hi list,

An example about ...

With the current user space tools there are ways of tracking INVALID connections. INVALID connections, IMHO, should be "active" if you create a firewall with stateless packet filtering and, of course, set the "needed" values for the kernel parameters.

Jorge Isaac

2013/3/20, Nicolas Maître <nimai@xxxxxxxxx>:
> Hi,
>
> I've developed a connection tracking module which I'd like to use for
> detecting packets that may be dropped with an iptables rule.
> That is, the connection tracker can detect that a packet is not valid
> in the context of the tracked connection. So, I'd like the
> administrator to be able to add a rule that would allow dropping/rejecting
> that packet.
> A possible use case is to block packets from an attacker (assumed as
> such because the packet does not conform to the current state of the
> connection).
>
> As far as I understand it, the connection tracker usually handles this
> by returning a negative/null value (-NF_ACCEPT, NF_DROP, ...) which
> marks the packet invalid, so that it is possible to use the
> xt_conntrack extension to match it.
>
> I've looked at the TCP connection tracker. If I understand well, the
> current behavior is that if we've got an INVALID packet, it kills the
> conntrack, then creates it again if we see an ACK later on. Am I right?
>
> That is, it seems that whichever way we invalidate a packet, it always
> destroys the conntrack, so that we no longer have the connection state at our
> disposal. I would like to avoid that for the protocol I track.
> Is there a way to do so? Am I missing something?
>
> Thank you.
>
> --
> nimai

--
Jorge Isaac Dávila López
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
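As an added illustration of the "user space tools plus kernel parameters" approach mentioned above (this is example code, not part of the thread or of anyone's module): a minimal stateful ruleset that matches what conntrack has flagged INVALID via the conntrack match, alongside the two sysctls that decide how strict the TCP tracker is about out-of-state packets. The chain name CT_INVALID, the log prefix and the port-22 rule are assumptions chosen for the example; the sysctl names and iptables options are standard.

```shell
#!/bin/sh
# Added example (not from the thread). Shows how INVALID packets, as classified
# by the kernel's conntrack, are matched and logged/dropped from user space,
# and which kernel parameters control how strict the TCP tracker is.

# Kernel parameters governing how out-of-state TCP packets are classified.
# nf_conntrack_tcp_loose=0      : do not pick up mid-stream connections from a
#                                 bare ACK; such packets stay INVALID
# nf_conntrack_tcp_be_liberal=0 : out-of-window packets are marked INVALID
#                                 rather than accepted
ct_sysctls() {
    printf '%s\n' \
        'net.netfilter.nf_conntrack_tcp_loose=0' \
        'net.netfilter.nf_conntrack_tcp_be_liberal=0'
}

# Emit the iptables commands as text (dry run) so they can be reviewed first.
# CT_INVALID is an assumed chain name; the SSH rule is an assumed service.
ct_ruleset() {
    printf '%s\n' \
        'iptables -N CT_INVALID' \
        'iptables -A CT_INVALID -m limit --limit 5/min -j LOG --log-prefix "ct-invalid: "' \
        'iptables -A CT_INVALID -j DROP' \
        'iptables -A INPUT -m conntrack --ctstate INVALID -j CT_INVALID' \
        'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT'
}

# Apply sysctls and rules only when running as root with iptables installed;
# otherwise print what would be applied.
ct_apply() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        ct_sysctls | while IFS= read -r kv; do sysctl -w "$kv"; done
        ct_ruleset | sh -e
    else
        echo "# dry run: would apply the following"
        ct_sysctls
        ct_ruleset
    fi
}
```

Run `ct_apply` as root to install the rules, or unprivileged to see the dry run. The INVALID rule is placed before the ESTABLISHED,RELATED accept so that a packet the tracker rejects as out-of-state is logged and dropped even when a conntrack entry for the flow exists; the rate-limited LOG gives the administrator a record of what the tracker refused without flooding the kernel log.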