Re: Stateless dropping of packets

From: Florian Weimer (fw@deneb.enyo.de)
Date: Wed Apr 02 2003 - 10:02:45 EST


Kevin Buhr <buhr@telus.net> writes:

>> Is it possible to drop packets, preferably using 2.4 iptables, before
>> the packet triggers updates of some caches (e.g. the route cache)?
>
> If you DROP the packet in a PREROUTING chain, that should work. Since
> the "filter" table doesn't have a PREROUTING chain, you need to use a
> table that does, like the "mangle" table. For example:
>
> iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
>
> should drop everything with a source in 10.0.0.0/8 without touching
> the routing cache.

It does, thanks a lot. *phew* Looks as if I don't have to try some
*BSD instead.

Is this extremely important application of the PREROUTING chain
documented somewhere? Should I feel embarrassed? 8-)
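The rule quoted in this thread, packaged as a small POSIX sh helper. This is an added example and not code from either poster: it validates the source prefixes, emits the same `-t mangle -A PREROUTING ... -j DROP` rule for each of them in iptables-restore format, and leaves the privileged step (loading the rules) to the operator. The function names, the `valid_cidr` check and the use of `iptables-restore --noflush` in the usage comment are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds mangle PREROUTING DROP
# rules for a list of source prefixes so they can be reviewed as text before
# being loaded as root. POSIX sh only: no bash arrays, regexes or 'local'.

# Check that $1 is a dotted-quad prefix with a 0..32 length, e.g. 10.0.0.0/8.
# Returns 0 when well-formed, 1 otherwise.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    n=0
    oldifs=$IFS
    IFS=.
    for o in $addr; do
        case "$o" in
            ''|*[!0-9]*) IFS=$oldifs; return 1 ;;
        esac
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# The one-shot command from the thread for a single prefix, printed rather
# than executed so it can be inspected (and run later with root privileges).
drop_cmd() {
    valid_cidr "$1" || return 1
    printf 'iptables -t mangle -A PREROUTING -s %s -j DROP\n' "$1"
}

# Emit an iptables-restore fragment for the mangle table covering every prefix
# given as an argument. All prefixes are validated before anything is printed,
# so a typo cannot yield a half-written ruleset.
mk_drop_rules() {
    for p in "$@"; do
        valid_cidr "$p" || { printf 'bad prefix: %s\n' "$p" >&2; return 1; }
    done
    printf '*mangle\n'
    for p in "$@"; do
        printf -- '-A PREROUTING -s %s -j DROP\n' "$p"
    done
    printf 'COMMIT\n'
}

# Demo with constructed sample prefixes (not from the thread):
#   mk_drop_rules 10.0.0.0/8 192.168.0.0/16 > drop.rules
#   iptables-restore --noflush < drop.rules      # root; --noflush keeps the
#                                                # rest of the mangle table
mk_drop_rules 10.0.0.0/8 192.168.0.0/16
```

Why the mangle table works for this: the PREROUTING hook runs before the routing decision, so a packet dropped there never causes a route-cache lookup or insertion, which is exactly what the original question asked for. The caveat worth knowing is that the mangle hook (priority -150) still runs after the connection-tracking hook (-200), so in 2.4 a dropped packet may already have created a conntrack entry; the raw table, which sits in front of conntrack, only appeared in later kernels.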



This archive was generated by hypermail 2b29 : Mon Apr 07 2003 - 22:00:16 EST