From: Gordan Bobic <gordan@bobich.net>
To: netfilter-devel@lists.netfilter.org
Subject: Userspace (QUEUE) Filter Verdict Targets, REJECT and TARPIT
Date: Fri, 17 Dec 2004 10:17:21 +0000
Message-ID: <200412171017.21908.gordan@bobich.net>

Hi,

I am trying to write a configurable userspace packet filter for handling huge 
numbers of complex rules (I need it for hundreds of thousands of rules). The 
problem that I am finding is that the libipq only seems to offer ACCEPT and 
DROP verdict targets for userspace filters.

Is there a way to set REJECT or TARPIT as targets? I ask because it is nice to 
respond with REJECT to non-hostile hosts so that they don't get tied with 
connections when DROP is used. Similarly, it would be nice to be able to 
TARPIT the hostile hosts to slow them down. At the moment, the only way I can 
think of to handle this is to set a DROP verdict but then send out a custom 
made raw packet using something like libnet, but this would rather complicate 
the code I am developing (but if it's the only option, so be it, I guess).

Finally - is there a way to practically handle TARPIT in a resource-cheap way 
when conntrack is used? My packet filter needs to operate in a NAT 
environment, so conntrack is not something I can avoid using.

Best regards.

Gordan
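
Added example, not part of the original message: a sketch of the "DROP, then answer with a hand-made packet" workaround for the REJECT case, building the TCP reset that corresponds to a queued IPv4/TCP packet using the RFC 793 reset rules. The name build_tcp_rst and the sample packet are hypothetical; the input is assumed to be the raw IP packet the userspace filter received, and sending the result (raw socket or libnet) is left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1071 ones'-complement sum; fold() reduces it to the 16-bit checksum. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Hypothetical helper: writes a 40-byte IPv4+TCP reset into out; returns 40, or 0 if none should be sent. */
size_t build_tcp_rst(const uint8_t *in, size_t len, uint8_t out[40]) {
    if (len < 20 || (in[0] >> 4) != 4 || in[9] != 6) return 0;   /* IPv4 carrying TCP only */
    size_t ihl = (size_t)(in[0] & 0x0f) * 4, tot = (size_t)(in[2] << 8 | in[3]);
    if (ihl < 20 || tot > len || tot < ihl + 20) return 0;       /* truncated or malformed */
    if ((in[6] & 0x1f) || in[7]) return 0;                       /* later fragment: no TCP header */
    const uint8_t *t = in + ihl;
    size_t doff = (size_t)(t[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot) return 0;
    uint8_t fl = t[13];
    if (fl & 0x04) return 0;                                     /* never answer a RST with a RST */
    memset(out, 0, 40);
    out[0] = 0x45; out[3] = 40; out[6] = 0x40; out[8] = 64; out[9] = 6;
    memcpy(out + 12, in + 16, 4);                                /* reply source = original destination */
    memcpy(out + 16, in + 12, 4);
    uint8_t *r = out + 20;
    memcpy(r, t + 2, 2); memcpy(r + 2, t, 2);                    /* swap ports */
    r[12] = 0x50;                                                /* 20-byte TCP header, no options */
    if (fl & 0x10) { memcpy(r + 4, t + 8, 4); r[13] = 0x04; }    /* ACK seen: seq = their ack, RST */
    else {                                                       /* no ACK: seq 0, ack their data, RST|ACK */
        uint32_t seg = (uint32_t)(tot - ihl - doff) + !!(fl & 0x02) + !!(fl & 0x01);
        wr32(r + 8, rd32(t + 4) + seg); r[13] = 0x14;
    }
    uint16_t c = fold(sum16(out, 20, 0));                        /* IP header checksum */
    out[10] = (uint8_t)(c >> 8); out[11] = (uint8_t)c;
    c = fold(sum16(r, 20, sum16(out + 12, 8, 6 + 20)));          /* pseudo-header: addrs, proto 6, length 20 */
    r[16] = (uint8_t)(c >> 8); r[17] = (uint8_t)c;
    return 40;
}

/* Constructed sample: SYN from 10.0.0.1:1234 to 10.0.0.2:80, seq 1000 (input checksums are not validated). */
static const uint8_t SAMPLE_SYN[40] = { 0x45,0,0,40, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
    0x04,0xd2,0,0x50, 0,0,0x03,0xe8, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0 };
int main(void) { uint8_t o[40]; return build_tcp_rst(SAMPLE_SYN, sizeof SAMPLE_SYN, o) == 40 ? 0 : 1; }
```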
