prestate/NOTRACK patch

From kadlec@blackhole.kfki.hu Mon Sep 17 10:45:24 2001
Date: Tue, 3 Apr 2001 12:17:10 +0200 (CEST)
From: Jozsef Kadlecsik 
To: netfilter-devel@us5.samba.org
Subject: [PATCH] prestate table and NOTRACK target

Hello,

This patch adds a 'prestate' table to iptables with a builtin 'NOTRACK'
target. This table is consulted *first* as a packet enters the netfilter
framework, so it can be used

- to quickly drop packets, so that conntrack won't
  even notice them, e.g:

  # "Officially" banned network
  iptables -t prestate -A PREROUTING -s banned.network -j DROP

- to force conntrack/NAT to ignore selected packets by jumping
  to the NOTRACK target:

  # Don't conntrack http requests
  iptables -t prestate -A PREROUTING -p tcp --dport http -j NOTRACK
  iptables -t prestate -A PREROUTING -p tcp --sport http -j NOTRACK

  # And don't try to conntrack multicast either...
  iptables -t prestate -A PREROUTING -s 224.0.0.1 -j NOTRACK

  # One can match these packets in the filter table
  # by the state 'NONE':
  iptables -A FORWARD -m state --state NONE -j ACCEPT

- to protect conntrack against DoS attacks at valid
  ports by (rate/ip)limiting the packets

  # limit the parallel http requests
  iptables -t prestate -A PREROUTING -p tcp --dport http \
	-m iplimit --iplimit-above 16 -j DENY

OK, here follow the consequences when using the NOTRACK target for
a connection/packet stream:

- you lose the full conntrack support, including all the
  protocol helpers like ftp, irc, etc. for the selected packets.
- you lose the full NAT support including all the protocol
  helpers like ftp, irc, etc. for the selected packets.

[There is no free lunch.]
prestate.tgz
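The packet flow the mail describes (prestate consulted first, DROP before conntrack, NOTRACK leaving the packet in state NONE with no NAT) can be modelled as a small table walk. The code below is an added example, not part of the patch or the mail; the networks, ports and the `Packet`/`Rule` names are constructed, with 10.66.0.0/16 standing in for `banned.network`, and a packet that misses every rule is treated as the first packet of a new flow.

```python
# Added example (not from the patch mail): a minimal model of the prestate
# table semantics described above. Networks and ports are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    """One 'iptables -t prestate -A PREROUTING ...' rule; None means 'any'."""
    target: str                     # DROP or NOTRACK
    src: Optional[str] = None       # -s network/prefix
    proto: Optional[str] = None     # -p tcp/udp
    sport: Optional[int] = None     # --sport
    dport: Optional[int] = None     # --dport

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        return self.dport is None or pkt.dport == self.dport

# Rules equivalent to the examples in the mail; 10.66.0.0/16 is a
# constructed placeholder for 'banned.network'.
PRESTATE = [
    Rule("DROP", src="10.66.0.0/16"),
    Rule("NOTRACK", proto="tcp", dport=80),
    Rule("NOTRACK", proto="tcp", sport=80),
    Rule("NOTRACK", src="224.0.0.1/32"),
]

def classify(pkt: Packet, rules=PRESTATE) -> dict:
    """Walk the prestate chain first, then derive what conntrack/NAT see:
    the verdict, the state '-m state' would match in the filter table,
    and whether NAT can still act on the packet."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "DROP":       # conntrack never sees it
                return {"verdict": "DROP", "state": None, "nat": False}
            if rule.target == "NOTRACK":    # no helpers, no NAT, state NONE
                return {"verdict": "NOTRACK", "state": "NONE", "nat": False}
    return {"verdict": "TRACK", "state": "NEW", "nat": True}
```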