<0> Anybody know if there are plans for an IPv6 version of the recent module? Or will the current module be made a protocol-independent xt_recent?
<1> danieldg: currently I think there's any real plans for ipt_recent, first of all it needs a maintainer that fixes bugs in it, I've seen some patches on netfilter-devel so maybe someone steps up and fixes it
<2> what iptables target should i use with netfilter_queue ?
<2> NFQUEUE?
<0> aton`: QUEUE should work
<2> yeah it works fine
<2> is there a way to get the mac addresses from netfilter_queue?
<2> i plan to write a routing application
<0> nfq_get_physindev
<0> er, no
<0> nfq_get_packet_hw
<0> I need to read before copy+paste
<2> ah thanks
<2> how can i differentiate between a packet that comes to my host and one that is just sent to my hwaddr because someone set his default gateway to my box?
<2> check the destination ip?
<0> yes
<2> if i am on a hub then that's problematic
<2> i get a lot of packets that don't belong to me
<2> but i shouldn't route them
<0> but they have your MAC?
<2> yes, otherwise i wouldn't get them?
<2> or?
<2> uh let me check
<3> wrong, you're on a hub
<2> aah
<2> so the hub gives me correct macs, while routing gives me correct ips but wrong macs
<2> cool, that way i can check for my mac and not my ip
<2> if i have a computer that uses a gateway to send out packets, will it accept answer packets that are not routed through the gateway, but go directly to it?
<1> yes
<2> so it doesn't check the mac addresses?
<1> unless the gateway performs some kind of NAT and the answer packets aren't deNATed, then the client will barf
<1> no
<2> no, i write the gateway myself
<2> i'd like to have all packets that are sent routed through my software
<2> then i send them out to the internet, over a NATing router
<2> the answer packets go to my NATing router, and are then probably sent to the origin host directly
<2> and not over my software
<1> ok
<2> lol i hope this works
<2> it's a big game about what part of hard/software knows what information etc
<1> as long as you don't modify the packets so much that the client won't accept the answer packets
<2> if it won't check the mac, they seem untouched
<2> i will try it
<1> just don't go changing ack/seq numbers and things like that, then the client won't accept the answer packets unless they go through the machine that modified the original packets so it can mangle the answer packets as well
<4> hi all, I am trying to use ipsets, and am able to create a set with a range of IPs but when I test that set for an IP in that range, it says it isn't there
<4> for example, I do: ipset -N accounting ipmap --from 69.90.134.130 --to 69.90.134.253; ipset -T accounting 69.90.134.131
<4> and it says: 69.90.134.131 is NOT in set accounting.
<1> well, you created a set that can _hold_ entries from .130 to .253
<1> but they aren't set so you won't find them
<1> iirc you have ipset -A for that
<1> and the ipset match can do it as well iirc
<1> I've mostly used ippool which is the predecessor to ipset
<2> is there an easy way to pass a packet that i got through netlink_queue back to the net?
<2> or do i have to make a raw socket and send it on that one?
<4> Gandalf_: ok, but I guess I do not understand why I would create a set that can hold .130 to .253 and then have to add those to that set, seems redundant. Additionally it limits me from creating one set that contains more than one network
<1> hacim: first you create a set with defined boundaries that you specify, this allows ipset to allocate the correct amount of memory (the ipmap is just a bitmap, like an array, so you need to know how many entries you are going to need)
<1> hacim: then you set which ones should be set or unset (they are all unset by default)
<1> hacim: if you just want to match all ipaddresses between .130 and .253 you can use the iprange match
<4> Gandalf_: ah, I think what I need to use is a nethash, rather than an ipmap type
<4> Gandalf_: iphash or nethash (rather than iprange), thanks
<2> in the description of netlink_queue it says reinjecting altered packets to the kernel nfnetlink_queue subsystem, but there is no documentation as to how to do this :(
<4> it appears as if I do iptables -v -n -x -m set -L input --set accounting src,dst it doesn't print the packet count of specific ip addresses in an ipset, but just the entire set... anyone know how I can get it to tell me the packets of a particular IP in an ipset?
<5> hacim: ipset doesn't have counters for packet matching, you can only count packets that match the set
<4> dflow: that's what I thought... if I create an ipmap ipset for each IP I want to count, then I can count each of those sets, but do I gain anything at all?
<2> sorry got disconnected..
<2> in the description of netlink_queue it says reinjecting altered packets to the kernel nfnetlink_queue subsystem, but there is no documentation as to how to do this :(
<5> hacim: when you want to count packets per ip, sets are useless for you, but there is a lot of gain: you can use a large blacklist without fear of losing your router :>
<4> dflow: yeah, but my question is if I use ipsets for individual IPs for accounting, will I gain?
<5> hacim: nah, you will have 1 ip per set, this is useless
<5> hacim: I think ACCOUNT or account can count packets per ip in a subnet, but I don't really know what the current state of these patches is
Return to #netfilter