-m limit problem

Darius Tribandis sirijus at kobra.ktu.lt
Tue Sep 21 10:20:47 CEST 2004


Now i understand. I thing that counter resets just after i reload specific
rule, but if it resets each time i modify any of rules =- than it must by
trated as bug, because it lacks all funcionality of iptables limit match

is it posible to owercome this "future" ? ;)

D. Tribandis
Kaunas University of Technology
Institute of Information Technology Development

----- Original Message ----- 
From: "Henrik Nordstrom" <hno at marasystems.com>
To: "Darius Tribandis" <sirijus at kobra.ktu.lt>
Cc: <netfilter-devel at lists.netfilter.org>
Sent: Tuesday, September 21, 2004 12:52 AM
Subject: Re: -m limit problem

> On Tue, 21 Sep 2004, Darius Tribandis wrote:
> > /usr/sbin/iptables -t nat -N httpinfo
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp -s USERIP -m
mac --mac-source
> > AA:AA:BB:BB:CC:CC -m multiport --destination-port 80,8080,3128 -j
> > /usr/sbin/iptables -t nat -A httpinfo -p tcp -s -m
limit --limit
> > 1/day --limit-burst 1 -j DNAT --to LOCALIP:5454
> >
> > sometimes i nead some times per day do like this:
> >
> > /usr/sbin/iptables -t nat -F PREROUTING
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp -s USERIP -m
mac --mac-source
> > AA:AA:BB:BB:CC:CC -m multiport --destination-port 80,8080,3128 -j
> >
> > here problem begins.
> > i am not modifaing httpinfo table but i geting redirect after every
> > like this.
> Due to the way limit stores it's counters the counters are reset each time
> you modify the ruleset in the same table (nat in your case).
> In theory it may be possible to modify the iptables kernel API to allow
> limit to keep it's counters while modifying the iptable, but in reality
> the best method is to modify limit to keep it's counters in a more sane
> place than within the iptable matchdata.. (or more realistic, write an
> alternative match implementation using separate counters).
> Regards
> Henrik

More information about the netfilter-devel mailing list