xt_connlimit 20070628 kernel
jengelh at computergmbh.de
Mon Jul 2 17:38:29 CEST 2007
On Jul 2 2007 14:27, Patrick McHardy wrote:
>That didn't answer my question. Should IPv6 mapped IPv4 addresses be
>counted as the same address as the mapped IPv4 address or not?
No. (It is not needed.)
>>>And hotdropping is quite unfriendly, it seems that as long as
>>>you're able to read the addresses (which you're always), you can still
>>>count the other connections.
>> This is nf_ct_get that can fail. Without a connection, we can't figure
>You still have the addresses and port numbers to do a lookup.
>In fact the most reasonable place to use this match is in the raw
>table, before any resources are consumed. So it would make a lot of
>sense to simply use the values from the headers (or call the conntrack
>functions for tuple decoding if that makes it easier).
To look up what? I am sorry I don't quite get what you are trying to
I do recognize that -t raw -A CHAIN -p tcp --syn -m connlimit
--connlimit-above X -j ACTION is something to keep resources minimal.
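The raw-table placement discussed above counts new TCP connections from the IP and TCP headers alone, before nf_conntrack has allocated anything. The following is an added user-space illustration of that idea, not xt_connlimit's own code and not the kernel match's data structures: it parses a constructed IPv4/TCP frame, keeps only SYNs (SYN set, ACK clear, as `-p tcp --syn` does), aggregates the source address under an assumed prefix mask like `--connlimit-mask`, and reports when the count exceeds an assumed limit like `--connlimit-above`. All function names, the fixed-size table, and the sample addresses (192.0.2.0/24) are assumptions made for the example; it handles IPv4 only and says nothing about IPv6-mapped addresses.

```c
/* Added illustration (not xt_connlimit source): count TCP SYNs per
 * source prefix straight from packet headers, the way a raw-table
 * "-p tcp --syn -m connlimit" rule would see them, before any conntrack
 * entry exists. Table size, names, limit and mask are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_SLOTS 64

struct slot { uint32_t key; unsigned count; int used; };
static struct slot table[MAX_SLOTS];

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Return 1 if pkt is an IPv4/TCP SYN (ACK clear) and store its source
 * address in *saddr; return 0 for anything else or a truncated buffer. */
int parse_syn(const uint8_t *pkt, size_t len, uint32_t *saddr)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;
    if (pkt[9] != 6) return 0;                 /* IP protocol: TCP */
    uint8_t flags = pkt[ihl + 13];
    if ((flags & 0x12) != 0x02) return 0;      /* SYN set, ACK clear */
    *saddr = be32(pkt + 12);
    return 1;
}

/* Count one attempt for saddr under a /prefix_len mask.
 * Returns the count after insertion, or 0 when the table is full. */
unsigned count_syn(uint32_t saddr, unsigned prefix_len)
{
    uint32_t mask = prefix_len == 0 ? 0 : 0xffffffffu << (32 - prefix_len);
    uint32_t key = saddr & mask;
    for (int i = 0; i < MAX_SLOTS; i++)
        if (table[i].used && table[i].key == key) return ++table[i].count;
    for (int i = 0; i < MAX_SLOTS; i++)
        if (!table[i].used) {
            table[i].used = 1; table[i].key = key; table[i].count = 1;
            return 1;
        }
    return 0;
}

void reset_table(void) { memset(table, 0, sizeof table); }

/* The decision a "--connlimit-above LIMIT" rule would make: 1 = match (drop). */
int syn_above_limit(const uint8_t *pkt, size_t len, unsigned prefix_len, unsigned limit)
{
    uint32_t saddr;
    if (!parse_syn(pkt, len, &saddr)) return 0;   /* not a new connection */
    return count_syn(saddr, prefix_len) > limit;
}

/* Constructed 40-byte IPv4+TCP SYN from src to 10.0.0.1 (test data). */
void make_syn(uint8_t *out, uint32_t src)
{
    memset(out, 0, 40);
    out[0] = 0x45; out[3] = 40; out[8] = 64; out[9] = 6;
    out[12] = (uint8_t)(src >> 24); out[13] = (uint8_t)(src >> 16);
    out[14] = (uint8_t)(src >> 8);  out[15] = (uint8_t)src;
    out[16] = 10; out[19] = 1;
    out[20 + 12] = 0x50;                          /* TCP data offset 5 */
    out[20 + 13] = 0x02;                          /* SYN */
}

/* Three SYNs from 192.0.2.10, limit 2 per /32: exactly the third is dropped. */
int demo_single_host_drops(void)
{
    uint8_t pkt[40]; int drops = 0;
    reset_table();
    make_syn(pkt, 0xC000020Au);
    for (int i = 0; i < 3; i++) drops += syn_above_limit(pkt, 40, 32, 2);
    return drops;
}

/* Three different hosts in 192.0.2.0/24, limit 2 per /24: third is dropped. */
int demo_prefix_aggregates(void)
{
    uint8_t pkt[40]; int drops = 0;
    reset_table();
    for (uint32_t h = 0xC000020Au; h <= 0xC000020Cu; h++) {
        make_syn(pkt, h);
        drops += syn_above_limit(pkt, 40, 24, 2);
    }
    return drops;
}

/* A SYN+ACK is not a new connection: never counted, never dropped. */
int demo_non_syn_ignored(void)
{
    uint8_t pkt[40];
    reset_table();
    make_syn(pkt, 0xC000020Au);
    pkt[20 + 13] = 0x12;                          /* SYN|ACK */
    return syn_above_limit(pkt, 40, 32, 0);
}

int main(void)
{
    printf("single host drops: %d\n", demo_single_host_drops());
    printf("prefix drops: %d\n", demo_prefix_aggregates());
    printf("syn-ack dropped: %d\n", demo_non_syn_ignored());
    return 0;
}
```

Nothing here touches a connection table: the decision is made from the header tuple alone, which is what makes the raw-table placement cheap. The real match additionally has to expire entries when connections close, which this toy counter does not do.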