xt_connlimit 20070628 kernel

Patrick McHardy kaber at trash.net
Tue Jul 3 13:14:25 CEST 2007

Jan Engelhardt wrote:
> Each struct xt_connlimit_data is allowed to have a different hash 
> function, as long as each function is injective.
> A struct xt_connlimit_{info,data} is never fed both AF_INET and
> AF_INET6 connections.
> Hence it may use different hash functions for AF_INET and AF_INET6 
> connections.
> Does that help?

Not really, you described the situation that led me to this question.
I can see that you're not using the same hash for both and I question
that. Anyway, let's drop this question, I don't care that much.

>>>>You still have the addresses and port numbers to do a lookup.
>>>>In fact the most reasonable place to use this match is in the raw table,
>>>>before any resources are consumed. So it would make a lot of sense to
>>>>simply use the values from the headers (or call the conntrack functions for
>>>>tuple decoding if that makes it easier).
>>>To look up what? I don't quite get what you are trying to tell me.
>>To look up similar connections.
> What do you mean by "similar"?

Same source tuple.

>>Connections are identified by their tuples, you can derive them 
>>yourself and do a lookup based on that.
> connlimit uses nf_ct_get(skb,...)->tuplehash[0].tuple to get at the 
> tuple. nf_ct_get() can fail.
> How else should I derive it?
> Sorry if this sounds all stupid and basic, but I certainly do not want 
> to parse the skb by hand to get at the source address.

Use the conntrack tuple if one is available, otherwise use
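As an added example, not code from this thread or from xt_connlimit itself, a userspace model of the approach discussed above: derive the source tuple directly from the IPv4/L4 headers when no conntrack entry is available, then count tracked connections sharing the same masked source, the way connlimit's `--connlimit-above`/`--connlimit-mask` semantics work. The struct and function names (`tuple`, `conn_table`, `derive_tuple`, `connlimit_above`) and the fixed-size table are assumptions of this example.

```c
/* Added example: userspace model of deriving a source tuple from packet
 * headers and counting connections per masked source (connlimit-style).
 * Not kernel code; names and the fixed-size table are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

/* Parse an IPv4 header plus the L4 port pair (TCP/UDP only).
 * Addresses are kept in network byte order. Returns 0 on success,
 * -1 when the packet is truncated, not IPv4, or an unsupported protocol. */
int derive_tuple(const uint8_t *pkt, size_t len, struct tuple *t)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 4) return -1;       /* need both ports */
    t->proto = pkt[9];
    if (t->proto != 6 && t->proto != 17) return -1;  /* TCP or UDP only */
    memcpy(&t->saddr, pkt + 12, 4);
    memcpy(&t->daddr, pkt + 16, 4);
    t->sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
    t->dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    return 0;
}

#define MAX_CONNS 64
struct conn_table { struct tuple c[MAX_CONNS]; size_t n; };

/* Record the tuple if it is new, then return 1 when the number of tracked
 * connections whose masked source matches this one exceeds `limit`.
 * `mask` is applied in network byte order, like the address itself. */
int connlimit_above(struct conn_table *tb, const struct tuple *t,
                    uint32_t mask, unsigned limit)
{
    unsigned count = 0;
    int seen = 0;
    for (size_t i = 0; i < tb->n; i++) {
        if (memcmp(&tb->c[i], t, sizeof *t) == 0) seen = 1;
        if ((tb->c[i].saddr & mask) == (t->saddr & mask)) count++;
    }
    if (!seen) {
        if (tb->n == MAX_CONNS) return 1;  /* table full: treat as over limit */
        tb->c[tb->n++] = *t;
        count++;
    }
    return count > limit;
}
```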
