Re: [exim] IPTables Whitelisting

Author: Graeme Fowler
Date:  
To: exim users
Subject: Re: [exim] IPTables Whitelisting
On Tue, 2007-05-01 at 09:58 +0100, Peter Bowyer wrote:
> It would create a different error condition for the SMTP client the
> other end - probably a 'connection timed out' rather than a
> 'connection refused'. This will certainly slow things down, and might
> trigger different retry logic depending on the vagaries of the
> implementation.
We're veering away from Exim specifically here, but for those who are
interested:

The netfilter QUEUE target is designed to pass things to userspace for
processing by an application able to hook the packet from the userspace
queues via the libipq API. The Perl IPTables::IPv4::IPQueue module is
one of these beasts.

Sadly, at present, libipq only has two verdicts it can pass back to the
kernel: NF_ACCEPT and NF_DROP.

If you want to implement an analogous verdict to the missing NF_REJECT,
then you have to pass NF_DROP to the kernel and then create an
appropriate ICMP packet in userspace and send it back to the source. You
can do this with the NetPacket::ICMP Perl module.

I spent some time playing with this a few months ago in order to do
packet filtering based on DNSBL lookups, but in the end I ran out of
time when a new member of the family arrived... I might get back to it
sooner or later.

Graeme
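
The "drop in the queue, then send the ICMP yourself" step that Graeme describes, worked through as an added example (this is not code from his post, nor from libipq or IPTables::IPv4::IPQueue; Python is used here instead of Perl). It assumes the raw IPv4 datagram as handed to the userspace queue, maps the familiar iptables --reject-with names to ICMP type/code, quotes the offending IP header plus 8 bytes as RFC 792 requires, computes both checksums, and refuses to answer packets for which RFC 1122 forbids generating an ICMP error (an ICMP error message, a non-initial fragment). The sample TCP SYN is constructed in the block; send_raw_ipv4 is the injection step and needs CAP_NET_RAW, so it is not called by default.

```python
"""
Userspace emulation of the netfilter REJECT target: after returning NF_DROP
for a queued packet, build the ICMP destination-unreachable datagram that
the kernel would otherwise have sent, and (optionally) inject it.
Added example; assumptions are marked in comments.
"""
import socket
import struct

# iptables --reject-with names mapped to ICMP type/code (RFC 792, RFC 1812).
REJECT_WITH = {
    "icmp-net-unreachable": (3, 0),
    "icmp-host-unreachable": (3, 1),
    "icmp-port-unreachable": (3, 3),
    "icmp-net-prohibited": (3, 9),
    "icmp-host-prohibited": (3, 10),
    "icmp-admin-prohibited": (3, 13),
}

# ICMP error types that must never be answered with another ICMP error
# (RFC 1122 section 3.2.2): dest unreachable, source quench, redirect,
# time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ident: int = 0, flags_frag: int = 0) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def build_icmp_reject(original: bytes, reject_with: str = "icmp-port-unreachable"):
    """
    Given the raw IPv4 datagram that was just dropped with NF_DROP, return
    the ICMP destination-unreachable datagram to send back to its source,
    or None when RFC 1122 forbids generating an error for it.
    """
    if len(original) < 20 or original[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled here")
    ihl = (original[0] & 0x0F) * 4
    proto = original[9]
    src = socket.inet_ntoa(original[12:16])
    dst = socket.inet_ntoa(original[16:20])
    frag_off = struct.unpack("!H", original[6:8])[0] & 0x1FFF

    # Do not answer an ICMP error message or a non-initial fragment;
    # the in-kernel REJECT target applies the same rules.
    if proto == 1 and len(original) > ihl and original[ihl] in ICMP_ERROR_TYPES:
        return None
    if frag_off != 0:
        return None

    icmp_type, icmp_code = REJECT_WITH[reject_with]
    # Quote the offending IP header plus the first 8 bytes of its payload so
    # the sender's TCP/UDP stack can match the error to the right socket.
    quoted = original[:ihl + 8]
    body = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]

    # The reply flows from the would-be destination back to the source.
    return ipv4_header(dst, src, 1, len(body)) + body


def send_raw_ipv4(datagram: bytes) -> int:
    """Inject a complete IPv4 datagram; requires CAP_NET_RAW (usually root)."""
    dst = socket.inet_ntoa(datagram[16:20])
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        return s.sendto(datagram, (dst, 0))


def sample_tcp_syn() -> bytes:
    """Constructed input: TCP SYN 192.0.2.10:40000 -> 198.51.100.25:25.
    The TCP checksum is left at zero; it plays no part in the ICMP reply."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 0x11223344, 0,
                      5 << 4, 0x02, 65535, 0, 0)
    return ipv4_header("192.0.2.10", "198.51.100.25", 6, len(tcp),
                       ident=0x1234, flags_frag=0x4000) + tcp


if __name__ == "__main__":
    reply = build_icmp_reject(sample_tcp_syn())
    print(reply.hex())
    # send_raw_ipv4(reply)  # enable on a host where you hold CAP_NET_RAW
```

Note the two checks at the top of build_icmp_reject: a userspace REJECT that answers every dropped packet will happily generate ICMP in response to ICMP errors and to fragments, which the kernel target never does, so a DNSBL-driven filter built this way should keep them.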