On Fri, 2004-10-29 at 00:55 +0200, Bernd Eckenfels wrote:
> On Fri, Oct 29, 2004 at 12:35:25AM +0200, Bart-Jan Vrielink wrote:
> > And as far as I can tell, it almost always uses udp, not tcp.
> > So it needs CONFIG_PACKET for no apparent reason?
>
> Hmm... I don't think there is any packeting API which does not pass the
> prerouting chain of netfilter.

Well, only the nat and mangle tables do have a PREROUTING chain. And the
following test shows that both these chains don't stop tcpdump (which is
similar to dhcpd in this aspect) from getting the packets:

[EMAIL PROTECTED]:~# iptables -t mangle -A PREROUTING -p tcp --dport 5555 -j DROP
[EMAIL PROTECTED]:~# iptables -t nat -A PREROUTING -p tcp --dport 5555 -j DROP
[EMAIL PROTECTED]:~# tcpdump -n -i eth0 tcp port 5555
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:18:59.643035 IP 10.2.1.3.39138 > 10.2.1.1.5555: S 1686226515:1686226515(0) win 5840 <mss 1460,sackOK,timestamp 298281789 0,nop,wscale 0>
1 packets captured
1 packets received by filter
0 packets dropped by kernel
[EMAIL PROTECTED]:~#

And yes, the PREROUTING chain of the mangle table did drop this packet,
after tcpdump has read it.

--
Tot ziens,

Bart-Jan Vrielink
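The test above shows that a packet socket (tcpdump, dhcpd) gets its copy of a frame before netfilter's PREROUTING chains act on it, so iptables is not where such a listener is restricted; the per-socket BPF program that tcpdump compiles from its filter expression is. The C program below is an added example, not code from this thread: it hand-assembles the classic BPF equivalent of "ip and udp dst port 67" in the form SO_ATTACH_FILTER accepts, and runs it through a small userland interpreter over a constructed frame so the filter can be checked before it is attached. The names bootp_filter, bootp_frame and run_filter are chosen here, and the interpreter covers only the opcodes this filter uses.

```c
#include <linux/filter.h>
#include <stdint.h>
#include <string.h>

/* Classic BPF for "ip and udp dst port 67". Attach with setsockopt(fd, SOL_SOCKET,
 * SO_ATTACH_FILTER, &(struct sock_fprog){ BOOTP_LEN, bootp_filter }, sizeof(struct
 * sock_fprog)); the kernel then runs it per frame on that socket, netfilter aside. */
static struct sock_filter bootp_filter[] = {
    BPF_STMT(BPF_LD  | BPF_H    | BPF_ABS, 12),           /* A = EtherType           */
    BPF_JUMP(BPF_JMP | BPF_JEQ  | BPF_K,   0x0800, 0, 8), /* not IPv4 -> reject      */
    BPF_STMT(BPF_LD  | BPF_B    | BPF_ABS, 23),           /* A = IP protocol         */
    BPF_JUMP(BPF_JMP | BPF_JEQ  | BPF_K,   17, 0, 6),     /* not UDP -> reject       */
    BPF_STMT(BPF_LD  | BPF_H    | BPF_ABS, 20),           /* A = flags + frag offset */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K,   0x1fff, 4, 0), /* fragment -> reject      */
    BPF_STMT(BPF_LDX | BPF_B    | BPF_MSH, 14),           /* X = 4 * IHL             */
    BPF_STMT(BPF_LD  | BPF_H    | BPF_IND, 16),           /* A = UDP dst port        */
    BPF_JUMP(BPF_JMP | BPF_JEQ  | BPF_K,   67, 0, 1),     /* not 67 -> reject        */
    BPF_STMT(BPF_RET | BPF_K, 0xffff),                    /* accept whole frame      */
    BPF_STMT(BPF_RET | BPF_K, 0),                         /* reject                  */
};
#define BOOTP_LEN (sizeof bootp_filter / sizeof bootp_filter[0])

/* Constructed (not captured) 42-byte Ethernet/IPv4/UDP frame, 10.2.1.3:68 -> 10.2.1.1:67. */
static const uint8_t bootp_frame[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,       /* eth  */
    0x45,0,0,0x1c, 0,0, 0x40,0, 0x40,0x11, 0,0, 10,2,1,3, 10,2,1,1,             /* ipv4 */
    0,68, 0,67, 0,8, 0,0 };                                                      /* udp  */

/* Userland interpreter for the opcodes used above, so a filter can be checked offline
 * before it is attached. Like the kernel, an out-of-range load rejects the frame. */
static unsigned run_filter(const struct sock_filter *p, size_t n,
                           const uint8_t *pkt, size_t len)
{
    uint32_t a = 0, x = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &p[pc];
        uint32_t k = i->k, off = (i->code == (BPF_LD | BPF_H | BPF_IND)) ? x + k : k;
        switch (i->code) {
        case BPF_LD | BPF_H | BPF_ABS: case BPF_LD | BPF_H | BPF_IND:
            if (off + 2 > len) return 0;  a = (pkt[off] << 8) | pkt[off + 1]; break;
        case BPF_LD | BPF_B | BPF_ABS:
            if (off + 1 > len) return 0;  a = pkt[off]; break;
        case BPF_LDX | BPF_B | BPF_MSH:
            if (off + 1 > len) return 0;  x = (pkt[off] & 0xf) * 4; break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += (a == k) ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (a & k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K: return k;            /* 0 drops, 0xffff keeps the frame */
        default: return 0;                         /* opcode not modelled here */
        }
    }
    return 0;
}
```

A return of 0xffff means the socket receives the frame; 0 means the kernel drops it for that socket only, which is exactly the scope netfilter's PREROUTING never had here.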

