xt_connlimit 20070628 kernel

Patrick McHardy kaber at trash.net
Tue Jul 3 13:34:30 CEST 2007


Jan Engelhardt wrote:
> On Jul 3 2007 13:14, Patrick McHardy wrote:
> 
>>>>Connections are identified by their tuples; you can derive them 
>>>>yourself and do a lookup based on that.
>>>
>>>connlimit uses nf_ct_get(skb,...)->tuplehash[0].tuple to get at the 
>>>tuple. nf_ct_get() can fail.
>>>How else should I derive it?
>>
>>Use the conntrack tuple if one is available, otherwise use
>>nf_ct_get_tuple().
> 
> 
> So you are saying I should use...
> 
>   nf_ct_get_tuple(skb, 0, 0, match->family, match->proto, &tuple,
>                   what_l3, what_l4);
> 
> at the top of count_them() and get rid of the nf_ct_get() in connlimit_match?


You could do both, if the tuple is already derived there is no need
to repeat that work. Manually deriving it as fallback would allow
to use the match in the raw table.
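The fallback described in this reply, modelled in userspace C as an added example (this is not xt_connlimit's code): take the tuple from the conntrack entry when one exists, otherwise derive it from the packet headers as nf_ct_get_tuple() would, which is what lets the match also run in the raw table. The names struct ct_entry, derive_tuple, get_match_tuple and match_dport are stand-ins chosen here and not kernel APIs; the sample packet is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Connection tuple as connlimit needs it; addresses kept in network order. */
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
/* Stand-in for a conntrack entry; a NULL pointer models nf_ct_get() failing. */
struct ct_entry { struct tuple orig; };

/* Derive the tuple from a raw IPv4 packet, modelling what nf_ct_get_tuple()
 * does in the kernel. Rejects anything that is not a complete header. */
static bool derive_tuple(const uint8_t *pkt, size_t len, struct tuple *t)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return false;
    size_t ihl = (pkt[0] & 0x0f) * 4;            /* header length in bytes */
    if (ihl < 20 || len < ihl) return false;
    t->proto = pkt[9];
    memcpy(&t->saddr, pkt + 12, 4);
    memcpy(&t->daddr, pkt + 16, 4);
    t->sport = t->dport = 0;
    if (t->proto == 6 || t->proto == 17) {       /* TCP/UDP: ports follow */
        if (len < ihl + 4) return false;         /* truncated L4 header */
        t->sport = (uint16_t)(pkt[ihl] << 8 | pkt[ihl + 1]);
        t->dport = (uint16_t)(pkt[ihl + 2] << 8 | pkt[ihl + 3]);
    }
    return true;
}

/* Use the conntrack tuple if available, otherwise derive it from the packet. */
static bool get_match_tuple(const struct ct_entry *ct, const uint8_t *pkt,
                            size_t len, struct tuple *out)
{
    if (ct != NULL) { *out = ct->orig; return true; }
    return derive_tuple(pkt, len, out);
}

/* Constructed sample: IPv4/TCP SYN 10.0.0.1:49152 -> 192.168.1.2:80. */
static const uint8_t SAMPLE_PKT[] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 192, 168, 1, 2,
    0xc0, 0x00, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };

/* Destination port the match would see for the first `len` bytes of the sample,
 * with or without a conntrack entry; -1 when no tuple can be obtained. */
static int match_dport(bool have_ct, size_t len)
{
    struct ct_entry ct = { .orig = { .sport = 1234, .dport = 22, .proto = 6 } };
    struct tuple t;
    if (!get_match_tuple(have_ct ? &ct : NULL, SAMPLE_PKT, len, &t)) return -1;
    return t.dport;
}
```

With a conntrack entry its tuple wins; without one the raw packet is parsed, and a truncated packet yields no tuple, which is the case where the match has to fail rather than count.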



More information about the netfilter-devel mailing list