xt_connlimit 20070628 kernel
Patrick McHardy
kaber at trash.net
Tue Jul 3 13:14:25 CEST 2007
Jan Engelhardt wrote:
> Each struct xt_connlimit_data is allowed to have a different hash
> function, as long as each function is injective.
>
> A struct xt_connlimit_{info,data} is never fed both AF_INET and
> AF_INET6 connections.
> Hence it may use different hash functions for AF_INET and AF_INET6
> connections.
>
> Does that help?
Not really, you described the situation that led me to this question.
I can see that you're not using the same hash for both and I question
that. Anyway, let's drop this question, I don't care that much.
>>>>You still have the addresses and port numbers to do a lookup.
>>>>In fact the most reasonable place to use this match is in the raw table,
>>>>before any resources are consumed. So it would make a lot of sense to
>>>>simply use the values from the headers (or call the conntrack functions for
>>>>tuple decoding if that makes it easier).
>>>>
>>>
>>>To look up what? I don't quite get what you are trying to tell me.
>>
>>To look up similar connections.
>
>
> What do you mean by "similar"?
Same source tuple.
>>Connections are identified by their tuples, you can derive them
>>yourself and do a lookup based on that.
>
>
> connlimit uses nf_ct_get(skb,...)->tuplehash[0].tuple to get at the
> tuple. nf_ct_get() can fail.
> How else should I derive it?
>
>
> Sorry if this sounds all stupid and basic, but I certainly do not want
> to parse the skb by hand to get at the source address.
Use the conntrack tuple if one is available, otherwise use
nf_ct_get_tuple().