Hi,

On 31 Jul 2003, John A. Sullivan III wrote:

> Our idea was to filter malicious packets - spoofs, ping floods,
> suspicious tcp flags - in the mangle table. We were concerned that we
> wanted to intercept these packets before they hit the connection
> tracking table for DNAT'd devices in case someone initiated a valid
> session and then tried to turn it foul. We also noticed that the mangle
> table was the first all packets hit.

conntrack has no table and it precedes all the other netfilter
subsystems, including the mangle table. If you want to do such
optimizations then use the raw table from patch-o-matic.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
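
The filtering described in the quoted question, placed in the raw table as the reply suggests, so that the packets are dropped before connection tracking sees them. This is an added example, not part of the original message or of netfilter's own code; the interface name, the internal network, the chosen flag combinations and the rate limits are assumptions, and it presumes a kernel and iptables build that provide the raw table.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for the raw table.
# Arguments (both hypothetical defaults, adjust to the site):
#   $1  external interface      (assumed: eth0)
#   $2  internal network (CIDR) (assumed: 192.168.0.0/16)
# Validate without loading:  raw_ruleset eth0 192.168.0.0/16 | iptables-restore --test

raw_ruleset() {
    ext_if="${1:-eth0}"
    lan_net="${2:-192.168.0.0/16}"
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Spoofs: internal or loopback source addresses arriving from outside
-A PREROUTING -i ${ext_if} -s ${lan_net} -j DROP
-A PREROUTING -i ${ext_if} -s 127.0.0.0/8 -j DROP
# Suspicious TCP flag combinations (illustrative selection)
-A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
-A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# Ping flood: let a limited rate of echo requests continue, drop the excess
-A PREROUTING -i ${ext_if} -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A PREROUTING -i ${ext_if} -p icmp --icmp-type echo-request -j DROP
COMMIT
EOF
}
```

An ACCEPT in the raw table only ends traversal of that table; the packet still goes on to connection tracking and the later tables, so the rules above remove traffic early without replacing the normal filter policy.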