xt_connlimit 20070628 kernel

Jan Engelhardt jengelh at computergmbh.de
Mon Jul 2 17:38:29 CEST 2007


On Jul 2 2007 14:27, Patrick McHardy wrote:
>
>That didn't answer my question. Should IPv6 mapped IPv4 addresses be
>counted as the same address as the mapped IPv4 address or not?

No. (It is not needed.)

>>>And hotdropping is quite unfriendly, it seems that as long as
>>>you're able to read the addresses (which you're always), you can still
>>>count the other connections.
>> 
>> This is nf_ct_get that can fail. Without a connection, we can't figure
>> anything.
>
>You still have the addresses and port numbers to do a lookup.
>In fact the most reasonable place to use this match is in the raw 
>table, before any resources are consumed. So it would make a lot of 
>sense to simply use the values from the headers (or call the conntrack 
>functions for tuple decoding if that makes it easier).
>
To look up what? I am sorry I don't quite get what you are trying to 
tell me.
I do recognize that -t raw -A CHAIN -p tcp --syn -m connlimit
--connlimit-above X -j ACTION is something to keep resources minimal.


	Jan
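As an added illustration of the point Patrick raises (whether an IPv4-mapped IPv6 address, ::ffff:a.b.c.d, should be counted as the same source as the plain IPv4 address), here is a small userspace C program that is not part of this thread or of xt_connlimit. It builds a connlimit-style counting key from a textual address with and without folding the mapped form onto IPv4, and counts how many existing "connections" from a constructed sample list share the key. Jan's answer above is that folding is not needed; the example only makes the two choices concrete. The names addr_key(), count_matching() and struct addr_key are hypothetical, and the sample addresses are constructed.

```c
/* Added example (not xt_connlimit code): fold IPv4-mapped IPv6 addresses
 * onto their IPv4 address so a connection counter can treat both as one key,
 * and compare against counting them separately. Userspace only; no kernel
 * APIs. addr_key() and count_matching() are hypothetical names. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Counting key: address family plus a fixed 16-byte address field.
 * For AF_INET only the first 4 bytes are used; the rest stay zero. */
struct addr_key {
    uint8_t family;     /* AF_INET or AF_INET6 */
    uint8_t addr[16];
};

/* Build the counting key from a textual address.
 * If fold_mapped is nonzero, an IPv4-mapped IPv6 address (::ffff:a.b.c.d)
 * yields an AF_INET key identical to the key of "a.b.c.d".
 * Returns 0 on success, -1 if the text is not a valid address. */
int addr_key(const char *text, int fold_mapped, struct addr_key *key)
{
    struct in_addr a4;
    struct in6_addr a6;

    memset(key, 0, sizeof(*key));
    if (inet_pton(AF_INET, text, &a4) == 1) {
        key->family = AF_INET;
        memcpy(key->addr, &a4, 4);
        return 0;
    }
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    if (fold_mapped && IN6_IS_ADDR_V4MAPPED(&a6)) {
        key->family = AF_INET;
        memcpy(key->addr, &a6.s6_addr[12], 4); /* low 32 bits hold the v4 address */
        return 0;
    }
    key->family = AF_INET6;
    memcpy(key->addr, &a6, 16);
    return 0;
}

/* Count how many of the n addresses share a key with target, the way a
 * connlimit-style walk counts existing connections from one source.
 * Returns -1 if target is not a valid address; invalid entries are skipped. */
int count_matching(const char *target, const char *const *addrs, int n,
                   int fold_mapped)
{
    struct addr_key t, k;
    int matches = 0;

    if (addr_key(target, fold_mapped, &t) < 0)
        return -1;
    for (int i = 0; i < n; i++) {
        if (addr_key(addrs[i], fold_mapped, &k) < 0)
            continue;
        if (k.family == t.family && memcmp(k.addr, t.addr, 16) == 0)
            matches++;
    }
    return matches;
}

int main(void)
{
    /* Constructed sample: one host seen once over IPv4 and twice through
     * its IPv4-mapped IPv6 form, plus an unrelated IPv6 host. */
    const char *const addrs[] = {
        "192.0.2.1", "::ffff:192.0.2.1", "::ffff:192.0.2.1", "2001:db8::1"
    };
    int n = (int)(sizeof(addrs) / sizeof(addrs[0]));

    printf("without folding: %d\n", count_matching("192.0.2.1", addrs, n, 0));
    printf("with folding:    %d\n", count_matching("192.0.2.1", addrs, n, 1));
    return 0;
}
```

Without folding, the IPv4 source and its mapped form are distinct keys, so a --connlimit-above threshold is applied to each separately; with folding they share one counter. Either behaviour is a policy choice for the match, and the thread above settles on not folding.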



More information about the netfilter-devel mailing list