Nick Drage wrote:
> On Fri, Aug 27, 2004 at 05:19:07PM -0400, Jason Opperisano wrote:
> > long answer: it has been discussed on this list previously that
> > connection tracking DNS queries/responses on or for a busy DNS server
> > (i think the number was ~ 200 queries/second) will slow the name
> > resolution process down. the reason being that the state creation
> > adds noticeable, unnecessary latency, as most (all?) queries are one
> > packet request--one packet response.
>
> I've a vague recollection of being able to specify that a rule won't create an entry in the state table, so for situations like this netfilter can act faster, as long as you specify the correct rules for connections both ways. However I can't find anything in the documentation about this... after a cursory look... can anyone refresh my memory?

iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
iptables -t raw -A PREROUTING -p udp --sport 53 -j NOTRACK
# Not sure about if you can turn it off from internally sourced (OUTPUT chain packets)
iptables -t raw -A OUTPUT -p udp --dport 53 -j NOTRACK
iptables -t raw -A OUTPUT -p udp --sport 53 -j NOTRACK
CONFIG_IP_NF_RAW
  This option adds a `raw' table to iptables. This table is the very first in the netfilter framework and hooks in at the PREROUTING and OUTPUT chains.

  If you want to compile it as a module, say M here and read <file:Documentation/modules.txt>. If unsure, say `N'.

NOTRACK target support
CONFIG_IP_NF_TARGET_NOTRACK
  The NOTRACK target allows a select rule to specify which packets *not* to enter the conntrack/NAT subsystem with all the consequences (no ICMP error tracking, no protocol helpers for the selected packets).

  If you want to compile it as a module, say M here and read <file:Documentation/modules.txt>. If unsure, say `N'.
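As an added example, not part of the thread above, here is a small Python check that verifies the NOTRACK rules are actually doing their job: it parses a conntrack table dump in the /proc/net/nf_conntrack line format and counts UDP entries with port 53 in the original direction. If the raw-table rules above are in place, that count should be zero (existing entries may linger until their timeout expires). The sample dump is constructed for illustration; pass a file path to read a real dump instead.

```python
"""Count DNS (UDP/53) entries in a conntrack table dump.

With the NOTRACK rules for udp/53 installed in the raw table, newly seen
DNS packets must not create conntrack entries, so dns_entries() should
return an empty list once old entries have timed out.
"""
import re
import sys

# Constructed sample in /proc/net/nf_conntrack format (not a capture from a real host).
# Field order: l3proto l3num l4proto l4num timeout [tcp-state] orig-tuple reply-tuple flags ...
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=41230 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=41230 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=192.168.1.20 sport=52314 dport=22 src=192.168.1.20 dst=192.168.1.10 sport=22 dport=52314 [ASSURED] mark=0 use=2
ipv4     2 udp      17 170 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=51000 src=192.168.1.10 dst=192.168.1.1 sport=51000 dport=53 mark=0 use=2
ipv4     2 udp      17 25 src=192.168.1.10 dst=192.168.1.1 sport=60000 dport=123 src=192.168.1.1 dst=192.168.1.10 sport=123 dport=60000 mark=0 use=2
"""

_KV = re.compile(r"(\w+)=(\S+)")
_TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Parse one conntrack line into (l4proto, orig_tuple, reply_tuple).

    The first src=/dst=/sport=/dport= group is the original direction, the
    second is the expected reply direction. Returns None for lines that do
    not look like conntrack entries.
    """
    fields = line.split()
    if len(fields) < 5:
        return None
    l4proto = fields[2]
    orig, reply = {}, {}
    for key, value in _KV.findall(line):
        if key not in _TUPLE_KEYS:
            continue  # mark=, use=, zone= etc. are not part of the tuples
        # First occurrence of a key belongs to the original direction.
        (orig if key not in orig else reply)[key] = value
    return l4proto, orig, reply


def is_dns(entry):
    """True if the entry is a UDP flow with port 53 on either end of the original tuple."""
    l4proto, orig, _reply = entry
    return l4proto == "udp" and "53" in (orig.get("sport"), orig.get("dport"))


def parse_dump(dump):
    """Parse a whole dump into a list of entries, skipping blank/unparseable lines."""
    entries = (parse_entry(line) for line in dump.splitlines() if line.strip())
    return [e for e in entries if e is not None]


def dns_entries(dump):
    """Return the UDP/53 entries that NOTRACK should have kept out of the table."""
    return [e for e in parse_dump(dump) if is_dns(e)]


def summarize(dump):
    """Return total entry count and how many of them are DNS flows."""
    entries = parse_dump(dump)
    return {"total": len(entries), "udp_dns": sum(1 for e in entries if is_dns(e))}


if __name__ == "__main__":
    # Usage: python notrack_check.py [/proc/net/nf_conntrack]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            dump = fh.read()
    else:
        dump = SAMPLE_CONNTRACK
    report = summarize(dump)
    print(f"conntrack entries: {report['total']}, udp/53 entries: {report['udp_dns']}")
    for _proto, orig, _reply in dns_entries(dump):
        print(f"  tracked DNS flow: {orig['src']}:{orig['sport']} -> {orig['dst']}:{orig['dport']}")
```

On a host where the NOTRACK rules were just added, run the script against the live table a few times; the DNS count should fall to zero as pre-existing UDP entries expire, and stay there. A non-zero count that persists means some DNS traffic is reaching the conntrack subsystem without matching the raw-table rules (for example, traffic arriving on a hook the rules do not cover).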