Message-Id: <201201042215.20290.hans@schillstrom.com>
Date: Wed, 4 Jan 2012 22:15:10 +0100
From: Hans Schillstrom <hans@...illstrom.com>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: Hans Schillstrom <hans.schillstrom@...csson.com>,
Jan Engelhardt <jengelh@...ozas.de>,
Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
Patrick McHardy <kaber@...sh.net>,
"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [PATCH 1/1] netfilter: Add possibility to turn off netfilters defrag per netns
Hello Again
On Wednesday, January 04, 2012 18:40:35 Pablo Neira Ayuso wrote:
> On Wed, Jan 04, 2012 at 12:48:35PM +0100, Hans Schillstrom wrote:
> > I like that idea, an "early" table at prio -500 with PREROUTING.
> > There is also a need for a new flag "--allfrags",
> > i.e. all fragments need to be sorted out and sent to the same dest for defrag.
> >
> > ex.
> > iptables -t early -A PREROUTING -i eth0 --allfrags -j NOTRACK
>
> New tables add too much overhead. We have discussed this before with
> Patrick.
>
Only if loaded...
It would have been the perfect solution.
Is the discussion about the overhead on the list (I can't find it)?
I made a quick test with an "early" table
and an --allfrags fix (for IPv4), and it works really well.
iptables -t early -A PREROUTING -i eth0 -a -j NOTRACK
iptables -t mangle -A PREROUTING -i eth0 -a -j HMARK --mod 3 --offs 100
So your opinion is no more tables,
even if it is rarely loaded?
Regards
Hans
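The reasoning in this thread, as an added illustration that is not part of the e-mail and not code from the netfilter project: a NOTRACK rule in the raw table (hook priority -300) runs after conntrack's defrag hook (-400), so it cannot stop reassembly, whereas a table hooked at -500 would run first; and once fragments are left intact, a hash mark must be keyed on fields that every fragment carries (src, dst, protocol, IP ID), because only the first fragment has an L4 header. The hook priority constants are the real kernel values; the "early" table, the --allfrags match (the `-a` in the test rules), the `Packet` model and the SHA-256-based `hash_mark` are assumptions for illustration, not the mainline iptables or xt_HMARK implementation.

```python
"""
Model of the fragment-handling question discussed above (illustrative only).
Kernel hook priorities are real; the early table, --allfrags and the hash
function are assumed stand-ins, not mainline netfilter behaviour.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# PREROUTING hook priorities from include/uapi/linux/netfilter_ipv4.h
NF_IP_PRI_CONNTRACK_DEFRAG = -400
NF_IP_PRI_RAW = -300          # where the existing NOTRACK target lives
NF_IP_PRI_MANGLE = -150
EARLY_TABLE_PRIO = -500       # proposed in the thread; not a mainline table


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    ip_id: int
    frag_off: int          # fragment offset (8-byte units); 0 for first fragment
    more_frags: bool       # IP "MF" bit
    sport: Optional[int]   # L4 ports are only visible in the first fragment
    dport: Optional[int]


def is_fragment(p: Packet) -> bool:
    return p.frag_off != 0 or p.more_frags


def match_fragment_flag(p: Packet) -> bool:
    """iptables -f: matches only second and further fragments."""
    return p.frag_off != 0


def match_allfrags(p: Packet) -> bool:
    """Assumed --allfrags (the '-a' in the thread): matches every fragment,
    first one included, so the whole datagram can be exempted from defrag."""
    return is_fragment(p)


def notrack_runs_before_defrag(table_prio: int) -> bool:
    """Lower priority value runs first; a NOTRACK rule only prevents
    reassembly if its table is hooked before CONNTRACK_DEFRAG."""
    return table_prio < NF_IP_PRI_CONNTRACK_DEFRAG


def hash_mark(p: Packet, mod: int, offs: int, use_ports: bool) -> int:
    """Assumed HMARK-like mark: hash selected header fields, reduce with
    --mod and add --offs. Not the real xt_HMARK algorithm."""
    if use_ports:
        if p.sport is None or p.dport is None:
            raise ValueError("non-first fragment carries no L4 header")
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
    else:
        # 3-tuple + IP ID is identical across all fragments of one datagram
        key = (p.src, p.dst, p.proto, p.ip_id)
    h = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(h[:4], "big") % mod + offs


def datagram_fragments() -> list:
    """Constructed sample: one UDP datagram split into three fragments."""
    src, dst, ip_id = "10.0.0.5", "192.0.2.10", 0xBEEF
    return [
        Packet(src, dst, 17, ip_id, 0, True, 40000, 53),      # first, has ports
        Packet(src, dst, 17, ip_id, 185, True, None, None),   # middle
        Packet(src, dst, 17, ip_id, 370, False, None, None),  # last
    ]


def marks_for(frags, mod=3, offs=100) -> list:
    """Mark every fragment the way the thread's mangle rule would
    (--mod 3 --offs 100), keyed on fields every fragment has."""
    return [hash_mark(p, mod, offs, use_ports=False) for p in frags]


if __name__ == "__main__":
    frags = datagram_fragments()
    print("raw NOTRACK beats defrag:", notrack_runs_before_defrag(NF_IP_PRI_RAW))
    print("early NOTRACK beats defrag:", notrack_runs_before_defrag(EARLY_TABLE_PRIO))
    print("-f matches:", [match_fragment_flag(p) for p in frags])
    print("--allfrags matches:", [match_allfrags(p) for p in frags])
    print("marks:", marks_for(frags))
```

Running it shows the two points at once: the raw-table NOTRACK loses to defrag while the -500 table does not, and the three fragments receive one identical mark in the 100..102 range, whereas a port-based hash cannot even be computed for the second and third fragments.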