* on the Tue, May 01, 2007 at 05:53:45AM +0100, Peter Bowyer wrote:
>> "man iptables" and look for QUEUE. Then go to cpan.org and look at
>> IPTables::IPv4::IPQueue. This will allow you to knock up a user space
>> perl script to decide what to do with packets by talking to your db in
>> real time.
> Ah, now I looked into this a while back when Marc first talked about
> this technique. I investigated this method of controlling IPTables and
> came to the conclusion that it wouldn't do the job - once a packet has
> arrived in the userspace queue it's already been accepted - all you
> can do with it is drop it or carry on processing it, you can't reject
> it. You can't simulate 'nothing listening on this port'. So it's not
> suitable for the application Marc wants it for.
>
> At least, that's how I read the documentation. I have been known to be
> wrong (yes, really...).
You look to be correct. But, while dropping the packet isn't ideal, the
overall outcome of doing that in this case is still the same as doing a
reject surely?