ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> Then I am having trouble to understand how |netdev| is supposed to be
> the ideal location to drop packets that result from DDOS attacks. Any
> frame type with a drop policy in |netdev| appears to be blocked from
> leaving the host (lo iface) either,

That makes no sense. Packets sent via lo never leave the host.

And netdev supports ingress (incoming) only.
netdev ingress is tied to an interface.

$ cat example
flush ruleset
table netdev ingress {
	chain in_public {
		type filter hook ingress device eth0 priority 0; policy drop;
		ip daddr 192.168.2.12 counter accept
		ip saddr 192.168.2.1 accept
		meta protocol { arp, ip6 } counter accept
		counter
	}
}

This only filters packets coming in on eth0. There is no impact on lo,
or any other interface -- such packets do not even enter the 'in_public'
chain.

> transport layer. Hence any legitimate frame type utilized in a DDOS
> attack and dropped by a |netdev| policy would also not be able to leave
> the host.

Again, this statement makes no sense to me.

I suspect you were dropping incoming arp packets, making l2 address
resolution fail and breaking ip connectivity.

> What sort of irregular frame types are envisioned for blocking with
> |netdev|?

You can drop any packet you like and apply any type of filtering on
packet content you want, including rate limiting for instance.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
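As an added example (not part of the thread above and not the poster's ruleset), the following netdev ingress chain shows the two points made in the reply in one place: the hook is bound to a single interface, and rate limiting can be applied at that hook, while ARP is explicitly accepted so L2 address resolution keeps working. The interface name (eth0), the host address (192.168.2.12), the set name and the rate figures are assumptions for illustration; the dynamic-set form of rate limiting needs a reasonably recent kernel and nft.

```nft
# Added example: per-interface ingress filtering with rate limiting.
# Interface, address, set name and limits are assumptions, adjust for
# your host. Load with: nft -f this_file
flush ruleset

table netdev filter {
	# Dynamic set: nft adds one entry per source address from the rule
	# below, each carrying its own token-bucket limiter. Entries expire
	# after 60s of inactivity.
	set syn_limit {
		type ipv4_addr
		flags dynamic
		timeout 60s
		size 65536
	}

	chain ingress_eth0 {
		# Only frames arriving on eth0 reach this chain; lo and every
		# other interface are untouched.
		type filter hook ingress device eth0 priority 0; policy drop;

		# Never drop ARP here: without it, neighbours cannot resolve
		# this host's MAC address and IPv4 on the segment breaks.
		meta protocol arp counter accept

		# Per-source cap on new TCP connections: more than 20 SYN/s
		# (burst 40) from one address is dropped, everything else
		# falls through to the accept rules below.
		tcp flags & (syn|ack) == syn add @syn_limit { ip saddr limit rate over 20/second burst 40 packets } counter drop

		# Global cap on ICMP echo requests.
		icmp type echo-request limit rate over 100/second counter drop

		# Traffic addressed to this host, and IPv6, is accepted and counted.
		ip daddr 192.168.2.12 counter accept
		meta protocol ip6 counter accept

		# Count what the chain policy is about to drop, for visibility.
		counter
	}
}
```

Note that conntrack state (`ct state`) is not available at the netdev ingress hook, which is why the SYN rule keys on TCP flags rather than on `ct state new`; `nft -c -f file` checks the syntax without loading it, and `nft list set netdev filter syn_limit` shows which sources are currently being limited.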