I've seen numerous references to percieved problems with default
timeouts and potential DoS attacks on ip_conntrack but I'm starting to
think is possible to ip_conntrack just to miss connection closures.
I'm running on a memory constrained machine (28Mb Physical RAM) which
shouldn't prove too pro
Hi Alex,
[snip good description of general situation]
> A few questions:
>
> a) Am I measuring things correctly?
You are, but one thing is missing, if I'm correct in the explanation below.
We need to know the distribution of conntrack states from your gateway:
grep ^tcp /proc/net/ip_conntrack
Hello,
Basically i have the following problem: shaping together with SNAT works
only in one direction (incoming) .. but i am writing here since i
believe it is implementation problem .. not configuration one (but i
might have overlooked something).
If i shape using u32 .. the packet gets classif
On 9 Jul 2002, Marcus Sundberg wrote:
> Hi,
>
> The multiport match checks for the IPT_INV_PROTO flag in the 'flags'
> member of struct ipt_ip instead of in the 'invflags' member.
>
Thanks, the patch looks good, even though inverted multiport isn't
functional.
> (Where should I send this btw
On Wed, 10 Jul 2002, James Morris wrote:
> even though inverted multiport isn't functional.
Please disregard this comment... confused myself.
- James
--
James Morris
<[EMAIL PROTECTED]>
--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED] http://www.gnumonks.org/
GCS/E/IT d- s-: a-- C+++ UL$ P+++ L$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++
On Wed, Jul 10, 2002 at 10:00:36AM +0200, Peter Kundrat wrote:
> before rewriting dst addr/port), and there is no mangle hook in POSTROUTING
> (which would help, since it would be before SNAT).
yes, there is. You must be using a relatively old kernel verison. Think
this changed around 2.4.14
>
On Tue, Jan 22, 2002 at 07:52:30PM -0500, Brad Spengler wrote:
> I've just tried my hand at writing an iptables module. It's a match
> module that matches SYNs sent to unserved TCP ports and datagrams sent
> to unserved UDP ports. Since doing something like this is impossible
> with regular ipta
On Tue, Jul 09, 2002 at 10:21:36PM +0200, Marcus Sundberg wrote:
> Hi,
>
> The multiport match checks for the IPT_INV_PROTO flag in the 'flags'
> member of struct ipt_ip instead of in the 'invflags' member.
thanks for this fix.
>
> diff -ur linux.current/net/ipv4/netfilter/ipt_multiport.c
>lin
On Wednesday 10 July 2002 11.16, Harald Welte wrote:
> On Wed, Jul 10, 2002 at 10:00:36AM +0200, Peter Kundrat wrote:
> > before rewriting dst addr/port), and there is no mangle hook in
> > POSTROUTING (which would help, since it would be before SNAT).
>
> yes, there is. You must be using a relati
On Wednesday 10 July 2002 09.10, alex wrote:
> I've seen numerous references to percieved problems with default
> timeouts and potential DoS attacks on ip_conntrack but I'm starting
> to think is possible to ip_conntrack just to miss connection
> closures.
It can.. see the archives. Posted a rela
You are correct in saying that the packets will be coming
in and leaving on the same interface. I am dealing with TCP/UDP
packets and the addresses/ports will not be changed. The things
I will be changing are possibly:
Sequence Numbers, Flags, Options, Don't Fragment bit,
window sizes, Type of Se
12 matches
Mail list logo
