Thanks for your reply!
> As far as I see it's quite similar to the "connmark/CONNMARK" match
> and target. Why cannot that simply be used?
Yes, it is quite similar to connmark. But - to my knowledge - I think at
least the following differences apply:
CONNMARK can be used: a) if there are no conflicts with existing use of
connmark rules - in particular with special firewall/packetfilter
systems with built-in-rules - and b) if a connection should be
identified exactly by src/dest IP + src/dest port.
SET can be used without interfering with connection tracking and other
existing SET rules. Identifying the origin and destination of a packet
is more flexible by using one or all of src/dest IP + one port.
In particular, I used SET instead of CONNMARK to implement the rules
described by Jan Engelhardt in "Detecting and deceiving network scans".
Best Regards,
Rudolf
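An added illustration of the contrast drawn above (this is not code from the mail thread, nor the ruleset from Jan Engelhardt's document): a shell script that emits the SET-based rules beside their nearest CONNMARK counterpart; the set name, the tripwire ports and the 600s timeout are assumed values.

```shell
#!/bin/sh
# Added example, not from the original thread. CONNMARK attaches a mark to one
# conntrack entry, so it only ever describes that exact connection. The SET
# target writes the source address into an ipset that is independent of
# conntrack, so a peer can be identified by IP alone and recognised again on
# its next connection. The script only emits restore-format files; load them
# with `ipset restore` and `iptables-restore` (root required).

TRIPWIRE_SET=${TRIPWIRE_SET:-scan_suspects}   # assumed set name
TRIPWIRE_PORTS=${TRIPWIRE_PORTS:-"23,2323"}   # assumed closed tripwire ports
TIMEOUT=${TIMEOUT:-600}                       # assumed per-entry lifetime

# ipset keyed on source IP only (the "one of src/dest IP" case from the mail).
ipset_rules() {
    printf 'create %s hash:ip family inet timeout %s -exist\n' \
        "$TRIPWIRE_SET" "$TIMEOUT"
}

# SET-based detection: a peer touching a tripwire port is added to the set,
# and every later packet from a set member is logged and dropped, regardless
# of which connection it belongs to. Conntrack state is never consulted.
set_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m set --match-set $TRIPWIRE_SET src -j LOG --log-prefix "scan-suspect: "
-A INPUT -m set --match-set $TRIPWIRE_SET src -j DROP
-A INPUT -p tcp -m multiport --dports $TRIPWIRE_PORTS -j SET --add-set $TRIPWIRE_SET src --exist
COMMIT
EOF
}

# CONNMARK counterpart: the mark lives on the conntrack entry of the connection
# that hit the tripwire port, so only that connection is affected; the same
# peer's next connection starts unmarked.
connmark_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m multiport --dports $TRIPWIRE_PORTS -j CONNMARK --set-mark 0x1
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m connmark --mark 0x1 -j DROP
COMMIT
EOF
}

if [ "${1:-}" = "emit" ]; then
    ipset_rules > ipset.rules
    set_rules > iptables-set.rules
    connmark_rules > iptables-connmark.rules
fi
```

Running the script with `emit` writes the three files; without arguments it only defines the functions.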
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html