* Userspace (QUEUE) Filter Verdict Targets, REJECT and TARPIT
@ 2004-12-17 10:17 Gordan Bobic
2004-12-17 15:41 ` Henrik Nordstrom
From: Gordan Bobic @ 2004-12-17 10:17 UTC (permalink / raw)
To: netfilter-devel
Hi,

I am trying to write a configurable userspace packet filter for handling huge
numbers of complex rules (I need it for hundreds of thousands of rules). The
problem that I am finding is that the libipq only seems to offer ACCEPT and
DROP verdict targets for userspace filters.

Is there a way to set REJECT or TARPIT as targets? I ask because it is nice to
respond with REJECT to non-hostile hosts so that they don't get tied with
connections when DROP is used. Similarly, it would be nice to be able to
TARPIT the hostile hosts to slow them down. At the moment, the only way I can
think of to handle this is to set a DROP verdict but then send out a custom
made raw packet using something like libnet, but this would rather complicate
the code I am developing (but if it's the only option, so be it, I guess).

Finally - is there a way to practically handle TARPIT in a resource-cheap way
when conntrack is used? My packet filter needs to operate in a NAT
environment, so conntrack is not something I can avoid using.

Best regards.

Gordan
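
The "DROP verdict plus a hand-made reply" workaround from the message above, sketched as an added example that is not part of the original post or of libipq: it builds the TCP reset a REJECT-style answer would carry, using the RFC 793 reset rules. `build_tcp_rst` and `inet_csum` are hypothetical names; issuing the DROP verdict and transmitting the 40 bytes (raw socket, libnet) are assumed to happen elsewhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 1071 Internet checksum of len bytes, added to a starting sum. */
static uint16_t inet_csum(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical helper: write into out[40] the IPv4+TCP reset that answers the
 * queued packet in[0..len). Returns 40, or 0 when no reset must be sent. */
size_t build_tcp_rst(const uint8_t *in, size_t len, uint8_t *out)
{
    if (len < 40 || (in[0] >> 4) != 4 || in[9] != 6) return 0; /* IPv4 + TCP only */
    if ((in[6] & 0x1f) || in[7]) return 0;                     /* first fragment only */
    size_t ihl = (in[0] & 0x0f) * 4u, tot = ((size_t)in[2] << 8) | in[3];
    if (ihl < 20 || tot > len || tot < ihl + 20) return 0;
    const uint8_t *t = in + ihl;                               /* TCP header */
    size_t doff = (t[12] >> 4) * 4u;
    if (doff < 20 || ihl + doff > tot) return 0;
    if (t[13] & 0x04) return 0;                                /* never answer a RST */

    memset(out, 0, 40);
    out[0] = 0x45; out[3] = 40; out[8] = 64; out[9] = 6;       /* ver/IHL, length, TTL, TCP */
    memcpy(out + 12, in + 16, 4);                              /* source = original destination */
    memcpy(out + 16, in + 12, 4);                              /* destination = original source */
    uint8_t *r = out + 20;
    memcpy(r, t + 2, 2); memcpy(r + 2, t, 2);                  /* swap ports */
    r[12] = 0x50;                                              /* TCP header is 5 words */
    if (t[13] & 0x10) {                                        /* ACK seen: seq = their ack */
        memcpy(r + 4, t + 8, 4);
        r[13] = 0x04;                                          /* RST */
    } else {                                                   /* else ack = seq + segment length */
        uint32_t a = ((uint32_t)t[4] << 24) | ((uint32_t)t[5] << 16) | ((uint32_t)t[6] << 8) | t[7];
        a += (uint32_t)(tot - ihl - doff) + ((t[13] >> 1) & 1u) + (t[13] & 1u); /* SYN, FIN count 1 */
        r[8] = (uint8_t)(a >> 24); r[9] = (uint8_t)(a >> 16); r[10] = (uint8_t)(a >> 8); r[11] = (uint8_t)a;
        r[13] = 0x14;                                          /* RST|ACK */
    }
    uint32_t pseudo = 6 + 20;                                  /* protocol + TCP length */
    for (int i = 12; i < 20; i += 2) pseudo += ((uint32_t)out[i] << 8) | out[i + 1];
    uint16_t c = inet_csum(r, 20, pseudo);
    r[16] = (uint8_t)(c >> 8); r[17] = (uint8_t)c;
    c = inet_csum(out, 20, 0);
    out[10] = (uint8_t)(c >> 8); out[11] = (uint8_t)c;
    return 40;
}
```

The zero return for packets that already carry RST matters in a filter: answering resets with resets lets two hosts bounce them indefinitely.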