Re: Synflood filtering and Conntrack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thursday 2010-07-29 14:34, Pascal Hambourg wrote:
>>> Trying 127.0.0.1...
>>>      [NEW] tcp      6 120 SYN_SENT src=127.0.0.1 dst=127.0.0.1
>>> sport=59734 dport=23 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=23
>>> dport=59734
>>>
>>> ...seconds later...
>>> # conntrack -L | grep =23
>>> conntrack v0.9.14 (conntrack-tools): 12 flow entries have been shown.
>>> tcp      6 97 SYN_SENT src=127.0.0.1 dst=127.0.0.1 sport=59734
>>> dport=23 packets=1 bytes=60 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1
>>> sport=23 dport=59734 packets=0 bytes=0 mark=0 secmark=0 use=2
>>>
>>> 2 minutes it is.
>
>That's because it is a locally generated connection, so the conntrack
>confirm takes place after POSTROUTING. Even though the packet is dropped
>in INPUT after it is looped back, the conntrack entry is already
>confirmed. Now try again with the DROP rule in OUTPUT, or from a remote
>host.

But the ct entry must undoubtly exist to be able to match -m conntrack 
--ctstate NEW. Perhaps it's just that conntrack(8) won't show it?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux