On Mon, 9 Nov 2015, Patrick McHardy wrote:

> Basically the idea is:
>
> * don't mark the first SYN untracked and have it create a conntrack as normal
> * direct that SYN to synproxy
> * mark the connection as proxied, which will avoid setting the ASSURED bit when
>   receiving our spoofed reply
> * only set assured once we have the connection fully established
>
> This would create a conntrack, but keep it evictable under pressure. So the
> cost would be ct set up, but we could tear it down at any point when we're
> under pressure. The synproxy target can handle both connections with and
> without a conntrack.
[...]
> The ct state rule could actually be created automatically since it is a
> dependency.
[...]
> The method of using notrack would of course still be possible.

I like the idea: the notrack method would still be supported and the "do
conntrack but with safety-net" way would be possible too. Looks cool!

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary