connbytes & 64bit counters
kaber at trash.net
Thu Oct 26 00:20:21 CEST 2006
Krzysztof Oledzki wrote:
> It seems there is something wrong with connbytes and 64bit counters.
> The "iptables" manual mentions that counters are 64bit, so there should
> be no problem with overflows, but it seems it might not be true. My
> firewall puts long living ftp & http connections to a different TC class
> when they reach 256MB, but after they reach 4GB (probably) they go back
> to the default class, with no speed limit.
> After some research I found that the ip_conntrack_counter structure
> defined in nf_conntrack_common.h uses u_int32_t. I always thought that
> netfilter has 64bit counters, doesn't it? And I'm quite sure it used to
> work when I set up my firewall, about 1 year ago. Strange...
It was changed to save some memory in struct ip_conntrack.
The idea was mainly that it's only used for ctnetlink and
it is possible to send events before overflow. Obviously,
this wasn't true (besides the fact that events are unreliable).
Not sure what we should do about it...
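A small model of the wraparound being discussed, added here as an example; it is not code from this thread or from netfilter. stored_counter and connbytes_match are hypothetical names that approximate the --connbytes from:to check (to == 0 meaning no upper bound) against a byte counter that is either 32 or 64 bits wide.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model: 'total' is the true number of bytes the connection
 * has carried; the value the match actually reads is the conntrack
 * counter field, which here is either u_int32_t or 64 bits wide. */
static uint64_t stored_counter(uint64_t total, unsigned counter_bits)
{
    if (counter_bits == 32)
        return (uint64_t)(uint32_t)total;   /* silently wraps at 4 GiB */
    return total;
}

/* Approximation of --connbytes from:to on the stored counter:
 * match when from <= count <= to; to == 0 means "no upper bound". */
static bool connbytes_match(uint64_t total, uint64_t from, uint64_t to,
                            unsigned counter_bits)
{
    uint64_t count = stored_counter(total, counter_bits);
    if (count < from)
        return false;
    if (to != 0 && count > to)
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample: the 256MB rule from the report, evaluated at a
     * few points in the life of one long connection. */
    const uint64_t threshold = 256ULL << 20;
    const uint64_t samples[] = { 300ULL << 20, 4ULL << 30,
                                 (4ULL << 30) + (1ULL << 20),
                                 (4ULL << 30) + (512ULL << 20) };
    size_t i;

    printf("%14s  %6s  %6s\n", "bytes", "u32", "u64");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%14llu  %6s  %6s\n",
               (unsigned long long)samples[i],
               connbytes_match(samples[i], threshold, 0, 32) ? "match" : "-",
               connbytes_match(samples[i], threshold, 0, 64) ? "match" : "-");
    return 0;
}
```

Just past 4 GiB the 32-bit counter reads a few MB again, so the rule stops matching and the connection drops back to the default class exactly as reported; a 64-bit counter keeps matching.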