ruleset: drop invalid packets at mangle priority #59
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Use earliest hook after conntrack (-200) to drop invalid packets As a consequence they are not processed by conntrack at all once identified Add diagnostic counters, hopefully hinting users in direction of net.netfilter.nf_conntrack_log_invalid=255 Obsoletes: 19a8caf Reverts: 19a8caf Signed-off-by: Andris PE <neandris@gmail.com>
Author
|
second 3rd of #22 Careful rebasing on top of #56 - iif "lo" should follow established, related accept Ref: https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks Ideally this could be 4 hooks at points where ct is entered pre/out -200 and left post/in +32k. But hooks cost CPU esp on low end platforms. |
Author
|
Ahh yes, loopback excluded to emulate fw3 workings, no harm in users running nmap -O against loopback (which is quite efficient ct invalid generator on its own) |
Author
|
Please consider brada4@aec0dc5 superseding pr #22 completely. |
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Use earliest hook after conntrack (-200) to drop invalid packets
As a consequence they are not processed by conntrack at all once identified
Add diagnostic counters, hopefully hinting users in direction of net.netfilter.nf_conntrack_log_invalid=255
Obsoletes: 19a8caf
Reverts: 19a8caf
Signed-off-by: Andris PE neandris@gmail.com