xt_connlimit 20070628 kernel
Patrick McHardy
kaber at trash.net
Wed Jul 4 16:52:17 CEST 2007
Jan Engelhardt wrote:
> On Jul 3 2007 13:34, Patrick McHardy wrote:
>
>>>>Use the conntrack tuple if one is available, otherwise use
>>>>nf_ct_get_tuple().
>>>
>>>So you are saying I should use...
>>>
>>> nf_ct_get_tuple(skb, 0, 0, match->family, match->proto, &tuple,
>>> what_l3, what_l4);
>>>
>>>at the top of count_them() and get rid of the nf_ct_get() in connlimit_match?
>>
>>
>>You could do both, if the tuple is already derived there is no need
>>to repeat that work.
>
>
> So the netfilter connection tracking system itself does nf_ct_get_tuple() at
> some point?

Right, when the packet hits connection tracking.