'additional netfilter queue verdict'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter-devel
Subject:    additional netfilter queue verdict
From:       Russell Miller <rmiller () duskglow ! com>
Date:       2004-05-04 2:25:42
Message-ID: 200405032125.46793.rmiller () duskglow ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I am the author/maintainer of a program called packetbl.  It makes use of the 
netfilter/iptables QUEUE target in order to make decisions as to the 
disposition of packets based on the results of a DNS blocklist query.  The 
functionality works quite well but I've already come upon several limitations 
of netfilter, and I would like to open up discussion on possible ways of 
getting around or eliminating these limitations.

I've had some feedback requesting some features to packetbl that are seemingly 
impossible to implement using the current netfilter base (in 2.6.5, fedora 
core 2, is what I'm using).

 I have a user who would like to use netfilter to, instead of dropping the 
packets, to rewrite them in order to bounce them to another machine to send 
fake SMTP responses.  I have another user who would like to reject the 
packets with an icmp error if they're found in the blocklist.  In order to do 
this, I was thinking of an additional verdict:

NF_CONTINUE

This verdict would remove the packet from the queue and allow processing to 
continue in the table that the rule is part of.

In the alternative or in addition, an NF_REJECT verdict might be nice too, but 
I note there are multiple ways to reject a packet, and perhaps it would be 
too much trouble to implement.

There are a couple of other things I can see being a good idea, but this is a 
start, and I won't bore you with the rest yet.  Can you please give me 
feedback on this idea?  I'm not averse to coding it, but I would like a 
general idea of a) how involved it would be, b) the degree of impossibility 
of the task I would be taking on, and c) how likely it is of being accepted 
were I to successfully do this.  Of course, if someone else were to take the 
ball and run with it, I don't think I'd complain too loudly at all.

Thanks for your time.

- --Russell

- -- 

Russell Miller - rmiller@duskglow.com - Somewhere near Sioux City, IA.
Youth cannot know age, but age is guilty if it forgets youth
    - Professor Dumbledore
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAlv8pURTA4VCI9OARAqwfAJ4vmsvMtEjH5CxofslrYu1YSCnIZwCfdmwf
N11VXdgeY+9yiSeuGR6GHMA=
=B01B
-----END PGP SIGNATURE-----


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic