xt_connlimit 20070628 kernel

Jan Engelhardt jengelh at computergmbh.de
Mon Jul 2 21:53:12 CEST 2007

On Jul 2 2007 17:40, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> On Jul 2 2007 14:27, Patrick McHardy wrote:
>> > That didn't answer my question. Should IPv6 mapped IPv4 addresses be
>> > counted as the same address as the mapped IPv4 address or not?
>> No. (It is not needed.)
> And why isn't it needed? The IPv4 address space is contained in IPv6,
> so it seems only logical to count real IPv4 addresses and mapped IPv6
> addresses as the same thing.

Each struct xt_connlimit_data is allowed to have a different hash 
function, as long as each function is injective.

A struct xt_connlimit_{info,data} is never fed both AF_INET and
AF_INET6 connections.
Hence it may use different hash functions for AF_INET and AF_INET6 

Does that help?

>> > You still have the addresses and port numbers to do a lookup.
>> > In fact the most reasonable place to use this match is in the raw table,
>> > before any resources are consumed. So it would make a lot of sense to
>> > simply use the values from the headers (or call the conntrack functions for
>> > tuple decoding if that makes it easier).
>> >
>> To look up what? I don't quite get what you are trying to tell me.
> To look up similar connections.

What do you mean by "similar"?

> Connections are identifier by their tuples, you can derive them 
> yourself and do a lookup based on that.

connlimit uses nf_ct_get(skb,...)->tuplehash[0].tuple to get at the 
tuple. nf_ct_get() can fail.
How else should I derive it?

Sorry if this sounds all stupid and basic, but I certainly do not want 
to parse the skb by hand to get at the source address.


More information about the netfilter-devel mailing list