On 18/08/2021 18:13, Florian Westphal wrote:
> Eugene Crosser <crosser@xxxxxxxxxxx> wrote:
>> My use case is to set up a stateful firewall allowing any outgoing connection
>> from a host, and restricting incoming, which obviously requires conntracking.
>> The twist is that there exists a rather high probability of DoS-like incoming
>> traffic, that easily overflows conntrack table with unconfirmed entries, even
>> though their lifetime is very short.
>
> Create a rule that drops NEW packets in prerouting hook. For iptables,
> mangle will work (raw is too early). For nftables, you'll need to choose
> a hook priority of -199 or higher (-198, ... to anything below 2**31).
>
> Such packets will create a new connection entry, but because packet gets
> dropped before confirmation the entry will not be committed to the table.

Oh, cool trick! I will try that, thank you very much!

Eugene
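The rule Florian describes, written out as an nftables ruleset. This is an added example, not code from the thread or from the netfilter project; the WAN interface name "eth0" and the accepted service ports 22 and 443 are assumptions to be replaced with the host's own values.

```nft
#!/usr/sbin/nft -f
# Added example (not from the mailing-list thread): drop unsolicited NEW
# packets right after conntrack has created the still-unconfirmed entry,
# so the entry is never committed to the conntrack table.
# Assumptions: the exposed interface is "eth0"; TCP 22 and 443 are the
# only services this host should accept from it.

table inet early_drop {
    # Priority -199 runs just after conntrack (-200) and before mangle
    # (-150) and filter (0). A raw-priority chain (-300) would run before
    # conntrack, so "ct state" would not be populated yet.
    chain prerouting {
        type filter hook prerouting priority -199; policy accept;

        # Loopback and already-confirmed flows are never the problem.
        iifname "lo" accept
        ct state established,related accept

        # Services we actually serve: let these NEW packets continue to the
        # normal input chain, where the entry will be confirmed as usual.
        iifname "eth0" ct state new tcp dport { 22, 443 } accept

        # Everything else that is NEW on the exposed interface is dropped
        # here, before confirmation, so no table slot is consumed. The
        # counter shows the flood volume without the table ever filling.
        iifname "eth0" ct state new counter drop
    }
}
```

Locally originated connections traverse the output hook, not prerouting, so outgoing traffic is unaffected, and their replies arrive as established. The chain does not replace the host's regular input chain; it only keeps the conntrack table clean. To check the effect, load it with `nft -f`, confirm the chain with `nft list ruleset`, and compare `conntrack -C` (the entry count) before and after while the unwanted traffic is arriving: the drop counter should climb while the entry count stays flat.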