* Stateless dropping of packets
@ 2003-04-01 20:54 Florian Weimer
From: Florian Weimer @ 2003-04-01 20:54 UTC (permalink / raw)
To: linux-kernel
Is it possible to drop packets, preferably using 2.4 iptables, before
the packet triggers updates of some caches (e.g. the route cache)?
On one particular host, I saw the route cache explode, despite all
packets being dropped (using a DROP rule).
* Re: Stateless dropping of packets
From: Kevin Buhr @ 2003-04-01 22:50 UTC (permalink / raw)
To: Florian Weimer; +Cc: linux-kernel
Florian Weimer <fw@deneb.enyo.de> writes:
>
> Is it possible to drop packets, preferably using 2.4 iptables, before
> the packet triggers updates of some caches (e.g. the route cache)?
If you DROP the packet in a PREROUTING chain, that should work. Since
the "filter" table doesn't have a PREROUTING chain, you need to use a
table that does, like the "mangle" table. For example:
iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
should drop everything with a source in 10.0.0.0/8 without touching
the routing cache.
--
Kevin <buhr@telus.net>
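An audit helper for the distinction Kevin draws, added here and not part of the thread: it parses iptables-save output (a constructed sample is embedded) and reports each DROP rule together with whether it sits in a PREROUTING chain, which runs before the routing lookup, or in a chain such as filter INPUT/FORWARD, which the packet only reaches after the route lookup has already populated the cache. It treats any PREROUTING chain as pre-routing and only inspects "-s" for the source match; function and variable names are my own.

```shell
# Constructed iptables-save snippet: one DROP placed early (mangle PREROUTING,
# as suggested in the thread) and one placed late (filter INPUT).
SAMPLE_SAVE='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A PREROUTING -s 10.0.0.0/8 -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# audit_drop_rules: reads iptables-save text on stdin and prints one line per
# DROP rule: "<table> <chain> <pre-routing|post-routing> <source>".
audit_drop_rules() {
    awk '
        /^\*/     { table = substr($0, 2); next }   # "*mangle" -> current table
        /^COMMIT/ { table = ""; next }              # end of that table
        /^-A / && / -j DROP$/ {
            src = "any"
            for (i = 3; i < NF; i++) if ($i == "-s") src = $(i + 1)
            # Every PREROUTING hook fires before the routing decision; INPUT,
            # FORWARD, OUTPUT and POSTROUTING are reached only after it.
            timing = ($2 == "PREROUTING") ? "pre-routing" : "post-routing"
            print table, $2, timing, src
        }
    '
}

# count_post_routing_drops: number of DROP rules that still let the packet
# go through the route lookup first (the case Florian hit).
count_post_routing_drops() {
    audit_drop_rules | awk '$3 == "post-routing" { n++ } END { print n + 0 }'
}

# Run against the constructed sample; on a real box feed it
# "iptables-save | audit_drop_rules" instead.
printf '%s\n' "$SAMPLE_SAVE" | audit_drop_rules
```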
* Re: Stateless dropping of packets
From: Florian Weimer @ 2003-04-02 15:02 UTC (permalink / raw)
To: Kevin Buhr; +Cc: linux-kernel
Kevin Buhr <buhr@telus.net> writes:
>> Is it possible to drop packets, preferably using 2.4 iptables, before
>> the packet triggers updates of some caches (e.g. the route cache)?
>
> If you DROP the packet in a PREROUTING chain, that should work. Since
> the "filter" table doesn't have a PREROUTING chain, you need to use a
> table that does, like the "mangle" table. For example:
>
> iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
>
> should drop everything with a source in 10.0.0.0/8 without touching
> the routing cache.
It does, thanks a lot. *phew* Looks as if I don't have to try some
*BSD instead.
Is this extremely important application of the PREROUTING chain
documented somewhere? Should I feel embarrassed? 8-)
* Re: Stateless dropping of packets
From: Kevin Buhr @ 2003-04-02 17:00 UTC (permalink / raw)
To: Florian Weimer; +Cc: linux-kernel
Florian Weimer <fw@deneb.enyo.de> writes:
>
> Is this extremely important application of the PREROUTING chain
> documented somewhere? Should I feel embarrassed? 8-)
No, I haven't seen it documented explicitly. It's just a fortunate
side effect of the fact that the DROP target can be used anywhere and
there's a fairly general-purpose table ("mangle") that has a
PREROUTING chain.
There's no particular reason for the "filter" table *not* to implement
PREROUTING and POSTROUTING chains (at least not that I can see) except
for a very small performance hit. I guess no one thought there'd be
much of a use for them. And it would break the nice rule of thumb
that a packet only passes through one of the three chains of the
"filter" table (not counting packets through the loopback interface
which pass through OUTPUT then back through INPUT).
--
Kevin <buhr@telus.net>