>> >NOTRACK is valid in the raw table alone. If you want a generic "NOTRACK
>> >and TARPIT everything which is not allowed", then that I think won't go.
>>
>> Would it work to have a -t filter-capable NOTRACK target?
>
>No, that'd be too late, the packet would already be tracked by then.
>Everything which is not marked by NOTRACK in the raw table, before
>conntrack, will enter conntrack.

Would it at least be possible to make a target which drops the conntrack
struct, so memory is freed?

Jan Engelhardt
-- 
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de
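The hook order the reply describes (raw table, then conntrack, then filter) is what decides where NOTRACK can live. The script below is an added example, not code from the thread or from the netfilter project: it generates a ruleset that makes the NOTRACK decision in raw PREROUTING for everything outside an assumed allow-list (ALLOWED_TCP_PORTS is an assumption for this example), leaves TARPIT and state matching in the filter table where they belong, and includes a small audit function that flags any NOTRACK rule that is not in the raw table. Rules are printed rather than applied, so it runs without root; pipe the output into sh on a host with the xt_TARPIT module to apply it.

```shell
#!/bin/sh
# Added example (not from the thread): NOTRACK must be decided in the raw
# table because conntrack runs after raw and before filter.  A NOTRACK rule
# in filter would run after the conntrack entry already exists.
#
# ALLOWED_TCP_PORTS is an assumed allow-list for this example.  TARPIT is the
# xtables-addons target mentioned in the thread.  Rules are printed, not
# applied; applying them needs root and the xt_TARPIT module.
IPT=${IPT:-iptables}
ALLOWED_TCP_PORTS=${ALLOWED_TCP_PORTS:-"22 443"}

gen_rules() {
    # raw table: traversed BEFORE conntrack.  ACCEPT in raw ends raw
    # processing, so allowed services fall through to conntrack; everything
    # else is marked NOTRACK and never allocates a conntrack entry.
    for p in $ALLOWED_TCP_PORTS; do
        echo "$IPT -t raw -A PREROUTING -p tcp --dport $p -j ACCEPT"
    done
    echo "$IPT -t raw -A PREROUTING -j NOTRACK"

    # filter table: traversed AFTER conntrack.  Only state matching and the
    # TARPIT/DROP decision live here; untracked packets never match
    # ESTABLISHED,RELATED and fall down to TARPIT (TCP) or DROP.
    echo "$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_TCP_PORTS; do
        echo "$IPT -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "$IPT -A INPUT -p tcp -j TARPIT"
    echo "$IPT -A INPUT -j DROP"
}

# Audit helper: read a rule list on stdin and report every NOTRACK rule that
# is not in the raw table (the placement the thread says cannot work).
# Returns 0 when the ruleset is clean, 1 when a misplaced rule was found.
check_notrack_placement() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"-j NOTRACK"*)
                case "$line" in
                    *"-t raw "*) ;;
                    *) echo "NOTRACK outside raw table: $line" >&2; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# Dry run: print the ruleset, then audit it.
gen_rules
gen_rules | check_notrack_placement
```

Feeding a ruleset that has `-j NOTRACK` in the filter table into `check_notrack_placement` makes it print the offending line and return 1, which is the quick check to run over an existing ruleset before wondering why conntrack entries still pile up.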