
"raw" chain

Sun Jul 30, 2006 3:35 am

Hi. There is a patch for netfilter that includes a "raw" chain that is processed before PREROUTING. The two purposes are doing things before CONNTRACK and being selective about what would be tracked.

Is there something similar in MikroTik? It's much better to do incoming filtering on that chain, because dropped packets never make it to the connection table, protecting it from being flooded by an evil-doer.

The other good thing is the -NOTRACK target, so one can turn off connection tracking for some traffic, rather than a 0/100% choice of tracking all the traffic or not tracking at all.

I noticed on the "packet flow" diagram that "hotspot input" goes before conntrack; is there a way to include generic rules there?

