On 10/12/06, Rick Jones <[EMAIL PROTECTED]> wrote:
Martin Schiller wrote:
> Hi!
>
> I'm searching for a solution to suppress / delay the SYN-ACK packet of a
> listening server (-application) until he has decided (e.g. analysed the
> requesting ip-address or checked if the corresponding other end of a
> connection is available) if he wants to accept the connect request of the
> client. If not, it should be possible to reject the connect request.

How often do you expect the incoming call to be rejected?  I suspect that would
have a significant effect on whether the whole thing is worthwhile.

rick jones


More to the point, on what basis would the application be rejecting a
connection request based solely on the SYN?

There are only two pieces of information available: the remote IP
address and port, and the total number of pending requests. The
latter is already addressed through the backlog size, and netfilter
rules can already be used to reject based on IP address.

That would seem to limit the usefulness to scenarios where a given
remote IP address *might* be accepted based on total traffic load,
number of other connections from the same IP address, etc.  If
*all* requests from that IP address are going to be rejected, why
not use netfilter?
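An added illustration of the point made above (example code written for this note, not part of the thread): with a normal listening socket the kernel has already completed the three-way handshake by the time accept() returns, so all the application can do with the peer address is accept and then close. The policy function, the blocked-host set and the loopback client are constructed here for the demonstration.

```python
import socket
import threading


def accept_policy(peer, blocked_hosts):
    """Decide on a peer (addr, port) tuple.

    This is all the information the application has at accept() time: the
    remote address and port. The handshake itself is already finished.
    Constructed policy: reject if the host is in the blocked set.
    """
    host, _port = peer
    return host not in blocked_hosts


def serve_one(listener, blocked_hosts):
    """Accept one connection, apply the policy, and return the decision."""
    conn, peer = listener.accept()  # SYN, SYN-ACK, ACK have all happened by now
    try:
        if accept_policy(peer, blocked_hosts):
            conn.sendall(b"OK\n")
            return "accepted"
        # "Rejecting" here only closes an already-established connection;
        # the client has seen the SYN-ACK and completed the handshake.
        return "rejected"
    finally:
        conn.close()


def run_demo(blocked_hosts):
    """Run a loopback server and one client; return (decision, client_bytes)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)  # backlog: the other knob the reply mentions
    port = listener.getsockname()[1]

    result = {}
    server = threading.Thread(
        target=lambda: result.update(decision=serve_one(listener, blocked_hosts))
    )
    server.start()

    client = socket.create_connection(("127.0.0.1", port))  # handshake completes here
    data = client.recv(16)  # b"OK\n" when accepted, b"" (EOF) when the server closed
    client.close()

    server.join()
    listener.close()
    return result["decision"], data


if __name__ == "__main__":
    print(run_demo(set()))            # ('accepted', b'OK\n')
    print(run_demo({"127.0.0.1"}))    # ('rejected', b'')
```

The pre-handshake alternative the reply points to is a netfilter rule on the listening host, for example `iptables -A INPUT -s <addr> -p tcp --dport <port> -j REJECT --reject-with tcp-reset`, which answers the SYN with a RST before any socket is created.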