Re: Synflood filtering and Conntrack

Jan Engelhardt wrote:
> On Wednesday 2010-07-28 15:30, Pascal Hambourg wrote:
>>
>> Right, the DROP target has no direct effect on conntrack. When a
>> packet belonging to an already existing (confirmed) connection is
>> dropped, the conntrack entry is not destroyed. But IIUC when the
>> first packet that would create a new connection (and a new conntrack
>> entry) is dropped for any reason before it reaches the conntrack
>> confirm in the LOCAL_IN or POST_ROUTING
>> hooks (after INPUT or POSTROUTING chains), the conntrack
>> entry is destroyed, isn't it?

> Think. -m conntrack --ctstate NEW would not work if the ct only
> sprung into existence once it is confirmed.
> The ct is created about before you enter the mangle-PREROUTING chain.

Did I write otherwise?
I wrote that the new conntrack entry created by a packet is destroyed if
that packet does not reach conntrack confirm, so I believe it implies
that it was created first. You can't destroy something that does not
exist, right?

1. Packet is seen by conntrack in PRE_ROUTING/LOCAL_OUT -> create
conntrack entry.
2. Packet is seen again by conntrack in LOCAL_IN/POST_ROUTING -> confirm
conntrack entry, otherwise delete it.

Am I correct?

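The two-step create/confirm lifecycle described in this message, as an added worked model that is not part of the thread or of the kernel's conntrack code. It is a deliberately simplified simulation (hook and chain names follow netfilter; the 5-tuple, the rule callables and the ESTABLISHED shortcut for any confirmed entry are assumptions) whose point is to show why `--ctstate NEW` can match an entry that does not yet exist in the table, and why a DROP before the confirm hook discards the entry while a DROP on an already confirmed flow leaves it in place.

```python
"""Toy model of the netfilter conntrack create/confirm lifecycle.

Added example, not kernel code: it only reproduces the behaviour discussed
in the thread.  Step 1 (PRE_ROUTING / LOCAL_OUT) creates an unconfirmed
entry, step 2 (LOCAL_IN / POST_ROUTING) confirms it; a packet dropped in
between takes the unconfirmed entry with it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# A flow is identified by a 5-tuple: proto, src, sport, dst, dport (constructed values below).
Flow = Tuple[str, str, int, str, int]


@dataclass
class CtEntry:
    flow: Flow
    confirmed: bool = False   # becomes True at LOCAL_IN / POST_ROUTING
    packets: int = 0


class ConntrackModel:
    """Simplified stand-in for the conntrack subsystem (assumption: one table, no timeouts)."""

    def __init__(self) -> None:
        # Only confirmed entries live here, like the hash table the kernel looks up in.
        self.table: Dict[Flow, CtEntry] = {}

    def lookup_or_create(self, flow: Flow) -> CtEntry:
        """Step 1 (PRE_ROUTING / LOCAL_OUT): find the entry or create an unconfirmed one."""
        ct = self.table.get(flow)
        if ct is None:
            ct = CtEntry(flow)          # exists already, but is not in the table yet
        ct.packets += 1
        return ct

    @staticmethod
    def ctstate(ct: CtEntry) -> str:
        """What '-m conntrack --ctstate' would see; NEW works on an unconfirmed entry.
        Simplification: any confirmed entry is reported as ESTABLISHED."""
        return "ESTABLISHED" if ct.confirmed else "NEW"

    def confirm(self, ct: CtEntry) -> None:
        """Step 2 (LOCAL_IN / POST_ROUTING): insert the entry if the packet got this far."""
        if not ct.confirmed:
            ct.confirmed = True
            self.table[ct.flow] = ct


Verdict = str
Rule = Callable[[str], Verdict]     # an INPUT-chain rule: ctstate -> "ACCEPT" or "DROP"


def process(model: ConntrackModel, flow: Flow, chain: Rule) -> Tuple[Verdict, bool]:
    """Run one packet through PRE_ROUTING -> INPUT chain -> LOCAL_IN confirm.

    Returns the chain verdict and whether the flow sits in the table afterwards.
    """
    ct = model.lookup_or_create(flow)
    verdict = chain(model.ctstate(ct))
    if verdict == "ACCEPT":
        model.confirm(ct)
    # On DROP the packet never reaches the confirm hook: an unconfirmed entry is
    # discarded together with the packet, a confirmed one simply stays in the table.
    return verdict, flow in model.table


def drop_new(state: str) -> Verdict:       # like: -A INPUT -m conntrack --ctstate NEW -j DROP
    return "DROP" if state == "NEW" else "ACCEPT"


def accept_all(state: str) -> Verdict:
    return "ACCEPT"


def drop_all(state: str) -> Verdict:
    return "DROP"


SAMPLE_FLOW: Flow = ("tcp", "192.0.2.10", 40000, "198.51.100.1", 80)  # constructed sample


def scenario_drop_first_packet() -> Tuple[Verdict, bool]:
    """First packet of a flow hits a DROP-NEW rule: entry never gets confirmed."""
    model = ConntrackModel()
    return process(model, SAMPLE_FLOW, drop_new)      # ("DROP", False)


def scenario_drop_after_confirm():
    """First packet accepted (entry confirmed), second packet dropped: entry survives."""
    model = ConntrackModel()
    first = process(model, SAMPLE_FLOW, accept_all)   # ("ACCEPT", True)
    second = process(model, SAMPLE_FLOW, drop_all)    # ("DROP", True)
    return first, second, model.table[SAMPLE_FLOW].packets


if __name__ == "__main__":
    print("drop before confirm:", scenario_drop_first_packet())
    print("drop after confirm: ", scenario_drop_after_confirm())
```

Reading the two scenarios side by side matches the summary in the message: the entry is created before the INPUT chain runs (so the NEW match has something to match), and only the verdict decides whether it reaches confirmation and is kept.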
