RE: kazaaa is making me crazy!


 




> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx 
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of 
> Esteban Ribicic
> Sent: Wednesday, June 11, 2003 2:36 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx; LARTC
> Cc: winfield@xxxxxxxxxxxx
> Subject: kazaaa is making me crazy!
> 
> 
> I'm trying to work out how CPU-consuming the string
> match could be. Is it a linear function? I mean..
> 
> 1 Mbit -> 1024/8 Kbytes
> 
> Supposing the MTU payload is 1500 bytes, I have in 1 megabit
> [(1024/8)*1000]*1500 = 1920000000 packets
> 
> Another thing: this rule just filters the initial download
> request. That would be okay if you want to filter completely,
> but if you want to slow it down (I mean using tc/htb/fwmarks)
> you wouldn't be matching the whole download, only the request...
> 
> iptables -t mangle -A PREROUTING -p tcp -m string --string "Kazaa" -j DROP
> 
> 
> any comment, any idea?
> 

Wouldn't it be better if you put -m state --state ESTABLISHED on top of
the rules, and also in the INPUT or FORWARD chain? That way not every
packet needs to be checked with -m string --string "Kazaa".

# Remove the original rule (syntax corrected: the match module is selected
# with "-m string" and the pattern is given with "--string"; the in-tree
# string match of kernel 2.6.14 and later additionally needs "--algo bm"
# or "--algo kmp", which the 2003 patch-o-matic version did not have)
iptables -t mangle -D PREROUTING -p tcp -m string --string "Kazaa" -j DROP
# Let packets of already tracked connections through before any string matching
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only packets that conntrack classifies as NEW reach the string match
iptables -A FORWARD -p tcp -m state --state NEW -m string --string "Kazaa" -j DROP

Regards Klintan
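To see what the two rule sets in this thread actually hand to the string match, here is an added example (not code from either poster): a small Python model of the conntrack state machine run over a constructed client-to-server TCP exchange whose HTTP request carries "Kazaa". The packets are made up, the state logic follows the documented conntrack semantics (the originator's packets are NEW until a reply has been seen, everything afterwards is ESTABLISHED), and the packets-per-second helper answers the "1 Mbit" question from the quoted mail using 1 Mbit = 10^6 bits and 1500-byte frames. Function and constant names are the example's own.

```python
"""Model of which packets of one TCP connection reach an iptables string
match under (a) the quoted mangle/PREROUTING rule and (b) the reply's
ESTABLISHED-accept-first rule set.  Added example; packets are constructed."""

from dataclasses import dataclass


@dataclass
class Packet:
    direction: str   # "orig" = client -> server, "reply" = server -> client
    flags: str       # TCP flags for readability only
    payload: bytes


# Constructed flow: three-way handshake, a request mentioning Kazaa,
# the start of the download, and a client ACK.
FLOW = [
    Packet("orig", "S", b""),
    Packet("reply", "SA", b""),
    Packet("orig", "A", b""),
    Packet("orig", "PA",
           b"GET /.hash=abc HTTP/1.1\r\nUser-Agent: KazaaClient\r\n\r\n"),
    Packet("reply", "PA", b"HTTP/1.1 200 OK\r\n\r\n" + b"\x00" * 1400),
    Packet("reply", "PA", b"\x00" * 1460),
    Packet("orig", "A", b""),
]


def conntrack_states(flow):
    """Label each packet NEW or ESTABLISHED the way conntrack does.

    Simplified TCP model: every packet is NEW until the first packet in
    the reply direction is seen; that reply and all later packets (in
    either direction) are ESTABLISHED.
    """
    states = []
    seen_reply = False
    for pkt in flow:
        if pkt.direction == "reply":
            seen_reply = True
        states.append("ESTABLISHED" if seen_reply else "NEW")
    return states


def string_match(pkt, needle=b"Kazaa"):
    """Equivalent of -m string --string "Kazaa" on one packet's payload."""
    return needle in pkt.payload


def original_ruleset(flow):
    """Quoted rule: -t mangle -A PREROUTING -p tcp -m string ... -j DROP.

    Every packet of the connection is scanned; returns (scanned, dropped).
    """
    scanned = len(flow)
    dropped = sum(1 for p in flow if string_match(p))
    return scanned, dropped


def proposed_ruleset(flow):
    """Reply's rule set: ESTABLISHED,RELATED accepted first, then the
    string match only on --state NEW packets.  Returns (scanned, dropped).
    """
    scanned = dropped = 0
    for pkt, state in zip(flow, conntrack_states(flow)):
        if state in ("ESTABLISHED", "RELATED"):
            continue  # accepted by the first rule, never string-matched
        scanned += 1
        if string_match(pkt):
            dropped += 1
    return scanned, dropped


def packets_per_second(mbit_per_s, bytes_per_packet):
    """Packets per second at a given rate if every packet is full size."""
    return mbit_per_s * 1_000_000 / (bytes_per_packet * 8)


if __name__ == "__main__":
    for pkt, state in zip(FLOW, conntrack_states(FLOW)):
        print(f"{pkt.direction:5} {pkt.flags:3} {state:11} "
              f"{len(pkt.payload):5}B kazaa={string_match(pkt)}")
    print("PREROUTING string rule (scanned, dropped):", original_ruleset(FLOW))
    print("ESTABLISHED-first rule set (scanned, dropped):", proposed_ruleset(FLOW))
    print("packets/s at 1 Mbit/s with 1500-byte packets:",
          round(packets_per_second(1, 1500), 1))
```

Two things fall out of running it. The PREROUTING rule scans all seven packets and drops only the request, which is the cost and the "only the request" limitation the original mail describes. In the ESTABLISHED-first rule set, only the bare SYN is still NEW when the string rule runs; the request carrying "Kazaa" is already ESTABLISHED, is accepted by the first rule, and is never scanned, so the cheaper ordering also stops matching anything. And at 1 Mbit/s with full 1500-byte packets the string match sees roughly 83 packets per second, not the figure in the quoted arithmetic.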



