Re: linux kernel TCP, network connections and iptables

From: Andi Kleen (ak@suse.de)
Date: Thu Sep 07 2000 - 17:24:54 EST


On Fri, Sep 08, 2000 at 12:21:40AM +0200, Andi Kleen wrote:
> You do not even need patches for it. You can do it as well with a TBF
> filter in the qdisc and a u32 filter that selects RSTs (it is even a
> standard example in iproute2)
>
> Another way that may work is to set the send buffer of tcp_socket in
> tcp_ipv4.c to a really small value, so that only one RST packet fits.
> Then you get a good load limit implicitely in the stack
> (there should be probably a sysctl for that)

I forgot to add: Alexey is of course right in that it doesn't help you
at all. You cannot defend against packet floods, and with an active TCP
you can be always tricked into bouncing packets without load limit
(e.g. just by sending out of order packets for an established connection
or in a zillion other ways)

-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Thu Sep 07 2000 - 21:00:31 EST