I've just noticed that in 3.4 the RST generated by a block in return-rst
rule is being blocked on the way out by a catch-all block out rule,
e.g.,
block return-rst in quick on $ext_if proto tcp \
from any to $reachable_addrs port = ident
block out log quick on $br_ext_if all-- RST
I wrote,
I've just noticed that in 3.4 the RST generated by a block in
return-rst rule is being blocked on the way out by a catch-all block
out rule, e.g.,
block return-rst in quick on $ext_if proto tcp \
from any to $reachable_addrs port = ident
block out log quick on $br_ext_if
Daniel Hartmeier wrote,
return-rst/-icmp require a bridge to have IP addresses assigned and
routing table entries added. Basically, you must be able to ping the
destination of the RST packet from userland, i.e. have a suitable
source address and (default) route to the destination. Hence, on a
Damien Miller wrote,
Miles Sabin wrote:
Just a suggestion ...
Take a peek at ternary trees for this kind of thing,
http://www.ddj.com/documents/s=921/ddj9804a/9804a.htm
http://citeseer.nj.nec.com/bentley97fast.html
Also the data structure described in:
http
Daniel Hartmeier wrote,
On Fri, Dec 20, 2002 at 12:25:57PM -0500, Michael Shalayeff wrote:
if i'm not mistaken n is the address length there...
so, regardless of the number of addresses in the set it's still
a constant for each address family...
Oh, my bad, so it's O(1) like a hash table,