From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Wed, 18 Jul 2007 17:02:45 +0200 (CEST)
> Hi,
>
> On Wed, 18 Jul 2007, Patrick McHardy wrote:
>
> >> + /* This packet will not be the same as the other: clear nf fields */
> >> + nf_conntrack_put(nskb->nfct);
> >> + nskb->nfct = NULL;
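Review bot: The comment says "clear nf fields" (plural), but the two lines under it only drop the reference on nskb->nfct and set the pointer to NULL. If any other netfilter state carried over to nskb also has to be reset, this open-coded pair misses it. Consider calling the nf_reset() helper from skbuff.h on nskb in place of the put-and-NULL, so the reset stays in step with whatever the kernel treats as per-skb netfilter state, or narrow the comment to say that only the conntrack reference is cleared.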
>
> If the target is called from the raw table, please attach the fake untrack
> entry to the created packet so that we could use TARPIT and conntrack
> nicely.
I'm not sure that we should make TARPIT usable in the raw table, but anyway,
why is the fake untrack entry necessary? I think it is better for the created
packet to pass through the LOCAL_OUT hook so that nf_conntrack can attach an
appropriate entry. That is what REJECT does.
-- Yasuyuki Kozakai