>> I am trying to conntrack with netdev on the link layer but it is
>> throwing this error -> " Error: Could not process rule: Protocol wrong
>> type for socket"
>>
>> There is nothing in the nft wiki or man page about this kind of error
>> and how to rectify it.
> Conntrack hooks at ipv4/ipv6 prerouting, so netdev family only
> supports stateless filtering.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

Then I am having trouble understanding how netdev is supposed to be the ideal location to drop packets that result from DDoS attacks. Any frame type with a drop policy in netdev appears to be blocked from leaving the host (lo iface) as well, since it does not make it into the transport layer. Hence any legitimate frame type utilized in a DDoS attack and dropped by a netdev policy would also not be able to leave the host.

What sort of irregular frame types are envisioned for blocking with netdev?
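As an added illustration (not part of the thread and not the netfilter project's own example), the ruleset below separates the two kinds of filtering the reply distinguishes: a netdev ingress chain that uses only stateless matches, and an inet input chain where conntrack is available. The interface name eth0, the exposed service (ssh) and the rate-limit values are assumptions for the example.

```nft
# Added example, not from the thread. Assumes the host's external
# interface is eth0 and that ssh is the only service it should expose.

# netdev family: hooks at ingress, before the IP stack sees the packet,
# so only stateless matches work here. A "ct state ..." match in this
# chain is what fails with "Protocol wrong type for socket".
table netdev rawfilter {
    chain ingress {
        type filter hook ingress device eth0 priority -500; policy accept;

        # TCP flag combinations no legitimate peer sends.
        tcp flags & (fin|syn) == (fin|syn) counter drop
        tcp flags & (syn|rst) == (syn|rst) counter drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop

        # Source addresses that cannot legitimately arrive on an external link.
        ip saddr { 127.0.0.0/8, 0.0.0.0/8 } counter drop

        # Stateless SYN rate limit as crude flood mitigation; tune the rate.
        tcp flags & (syn|ack) == syn limit rate over 2000/second burst 200 packets counter drop
    }
}

# inet family: hooks inside the IP stack, where conntrack has run.
# Stateful policy belongs here, not in the netdev chain.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid counter drop
        tcp dport 22 ct state new accept
        icmp type echo-request limit rate 10/second accept
    }
}
```

Two points worth checking before loading this: `nft -c -f rules.nft` parses the file without installing it, so a stateful match placed in the wrong family is caught before it touches the running ruleset; and because a netdev ingress chain is bound to the named device, frames on other devices, lo included, never pass through it, so the drops above only affect what arrives on eth0.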