xt_connlimit 20070628 kernel

Patrick McHardy kaber at trash.net
Mon Jul 2 17:40:00 CEST 2007


Jan Engelhardt wrote:
> On Jul 2 2007 14:27, Patrick McHardy wrote:
>> That didn't answer my question. Should IPv6 mapped IPv4 addresses be
>> counted as the same address as the mapped IPv4 address or not?
>
> No. (It is not needed.)


And why isn't it needed? The IPv4 address space is contained in IPv6,
so it seems only logical to count real IPv4 addresses and mapped IPv6
addresses as the same thing.

>
>>>> And hotdropping is quite unfriendly, it seems that as long as
>>>> you're able to read the addresses (which you're always), you can still
>>>> count the other connections.
>>>>
>>> This is nf_ct_get that can fail. Without a connection, we can't figure
>>> anything.
>>>
>> You still have the addresses and port numbers to do a lookup.
>> In fact the most reasonable place to use this match is in the raw
>> table, before any resources are consumed. So it would make a lot of
>> sense to simply use the values from the headers (or call the conntrack
>> functions for tuple decoding if that makes it easier).
>>
> To look up what? I am sorry I don't quite get what you are trying to
> tell me.
>

To look up similar connections. Connections are identified by their
tuples, you can derive them yourself and do a lookup based on that.
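The point about counting an IPv4 address and its IPv4-mapped IPv6 form (::ffff:a.b.c.d) as the same source is easy to get wrong in a per-address connection limiter, and a limiter that treats them as two sources can be sidestepped by a client that reaches the same service over the mapped form. The following is an added user-space illustration, not code from xt_connlimit or the kernel: it builds one canonical 16-byte key for IPv4, IPv4-mapped IPv6 and native IPv6 sources, applies an IPv4 prefix mask to both plain and mapped IPv4 (and a separate IPv6 mask to everything else), and counts connections per key in a small table. The function and structure names, the two-mask interface and the sample addresses are assumptions made for this example.

```c
/* Added example, not netfilter's xt_connlimit: canonicalise a source
 * address so that 192.0.2.1 and ::ffff:192.0.2.1 land in the same
 * counting bucket, then count connections per (masked) key. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define KEY_LEN  16   /* canonical key is always an IPv6-sized address */
#define MAX_KEYS 64   /* fixed table size for this illustration */

struct addr_key { uint8_t b[KEY_LEN]; };

struct counter { struct addr_key key; unsigned count; };
struct table   { struct counter slot[MAX_KEYS]; int n; };

/* True if key has the IPv4-mapped form ::ffff:a.b.c.d (RFC 4291 2.5.5.2). */
static int is_v4_mapped(const struct addr_key *key)
{
    static const uint8_t prefix[12] = { 0,0,0,0,0,0,0,0,0,0,0xff,0xff };
    return memcmp(key->b, prefix, sizeof prefix) == 0;
}

/* Keep the first 'prefix' bits of the 128-bit key, zero the rest. */
static void apply_prefix(struct addr_key *key, int prefix)
{
    int i;
    for (i = 0; i < KEY_LEN; i++) {
        int bits = prefix - i * 8;          /* bits to keep in this byte */
        if (bits >= 8) continue;
        key->b[i] = bits <= 0 ? 0 : (uint8_t)(key->b[i] & (0xff << (8 - bits)));
    }
}

/* Parse an IPv4 or IPv6 literal into a masked canonical key.
 * v4_prefix (0..32) is used for plain and mapped IPv4, v6_prefix (0..128)
 * for native IPv6, so the same policy covers both spellings of an IPv4
 * source. Returns 0 on success, -1 if the text is not an address. */
static int make_key(const char *text, struct addr_key *key,
                    int v4_prefix, int v6_prefix)
{
    struct in_addr v4;
    struct in6_addr v6;

    if (inet_pton(AF_INET, text, &v4) == 1) {
        /* Store IPv4 in mapped form: 80 zero bits, 16 one bits, address. */
        memset(key->b, 0, 10);
        key->b[10] = key->b[11] = 0xff;
        memcpy(key->b + 12, &v4, 4);
    } else if (inet_pton(AF_INET6, text, &v6) == 1) {
        memcpy(key->b, &v6, KEY_LEN);
    } else {
        return -1;
    }
    /* Mapped addresses get the IPv4 mask, shifted past the 96-bit prefix. */
    apply_prefix(key, is_v4_mapped(key) ? 96 + v4_prefix : v6_prefix);
    return 0;
}

/* 1 if both literals fall into the same bucket under the given masks. */
int same_bucket(const char *a, const char *b, int v4_prefix, int v6_prefix)
{
    struct addr_key ka, kb;
    if (make_key(a, &ka, v4_prefix, v6_prefix) < 0) return -1;
    if (make_key(b, &kb, v4_prefix, v6_prefix) < 0) return -1;
    return memcmp(ka.b, kb.b, KEY_LEN) == 0;
}

/* Record one new connection from src; returns the bucket's count after
 * adding it, or -1 on a bad address or a full table. */
int count_conn(struct table *t, const char *src, int v4_prefix, int v6_prefix)
{
    struct addr_key key;
    int i;
    if (make_key(src, &key, v4_prefix, v6_prefix) < 0) return -1;
    for (i = 0; i < t->n; i++)
        if (memcmp(t->slot[i].key.b, key.b, KEY_LEN) == 0)
            return (int)++t->slot[i].count;
    if (t->n == MAX_KEYS) return -1;
    t->slot[t->n].key = key;
    t->slot[t->n].count = 1;
    return (int)t->slot[t->n++].count;
}

/* Constructed scenario: three connections from one host, two written as
 * IPv4 and one as IPv4-mapped IPv6; returns the count seen by the third. */
int count_example(void)
{
    struct table t;
    memset(&t, 0, sizeof t);
    count_conn(&t, "192.0.2.1", 32, 128);
    count_conn(&t, "::ffff:192.0.2.1", 32, 128);
    return count_conn(&t, "192.0.2.1", 32, 128);
}

int main(void)
{
    printf("mapped == plain: %d\n", same_bucket("192.0.2.1", "::ffff:192.0.2.1", 32, 128));
    printf("connections from 192.0.2.1 (both forms): %d\n", count_example());
    return 0;
}
```

The decision that matters for a limiter is the one in make_key: the IPv4 mask is applied to the mapped form as well, so a /24 limit on 192.0.2.0/24 also catches ::ffff:192.0.2.99. If the two forms were keyed separately, a per-source limit of N would really be a limit of 2N for any IPv4 client that can also reach the service through an IPv6 socket.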