limit extension

Sven Schuster schuster.sven at
Wed Jul 20 17:15:43 CEST 2005

Hi Michael,

On Wed, Jul 20, 2005 at 04:55:02PM +0200, Michael Schachtebeck told us:
> But on the other hand, the counter correctly shows the number of packets
> that matched the rule; iptables -t nat -vnL PREROUTING says:
> 9 540 REDIRECT tcp -- eth1 * tcp spts:1024:65535
> dpt:80 flags:0x16/0x02 limit: avg 1/day burst 1 redir ports 5000
> So it would be very strange if the rules were extracted to user space,
> rewritten/modified, "uploaded" to the kernel with the correct counters
> for the remaining rules, and then, the rules do not look at these
> counters. ;-)

I'm not that familiar with the iptables internals, but I suspect that
the counters (which are probably part of the "core" rule data structure)
are downloaded to userspace and get uploaded again untouched when just
adding or deleting a rule from an existing ruleset, but the limit-match
internal data structure will get reallocated.

Maybe one of the developers reads this mail and can prove me wrong or
perhaps even right :-)


> Why then save and restore the counters, if they are not used by the rules?
> Michael.

Linux zion 2.6.13-rc3-mm1 #6 PREEMPT Mon Jul 18 19:42:52 CEST 2005 i686 athlon i386 GNU/Linux
 17:11:17 up 1 day, 21:23,  1 user,  load average: 0.00, 0.05, 0.05
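The behaviour Sven suspects above (the rule's packet/byte counters survive a ruleset reload, while the limit match's private token-bucket state is reallocated and so starts full again) can be illustrated with a small model. This is an added example, not code from the thread or from the netfilter project: the token bucket is a simplification of the `avg 1/day burst 1` semantics rather than the kernel's actual credit arithmetic, and `reload_naive` / `reload_preserving` are hypothetical names for the two reload behaviours being contrasted.

```python
from dataclasses import dataclass, field
from typing import Optional

SECONDS_PER_DAY = 86400.0


@dataclass
class LimitState:
    """Simplified token bucket standing in for the limit match's private data.

    Assumption: modelled after the 'avg N/period burst B' semantics only;
    the kernel's real credit/cost arithmetic is not reproduced here.
    """
    rate_per_sec: float            # average allowed matches per second
    burst: int                     # bucket capacity (the 'burst' parameter)
    tokens: Optional[float] = None # current credit; None means "freshly allocated"
    last: float = 0.0              # time of the last refill

    def __post_init__(self):
        if self.tokens is None:
            # A freshly allocated match starts with a full bucket.
            self.tokens = float(self.burst)

    def take(self, now: float) -> bool:
        """Refill according to elapsed time, then consume one token if available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    """One rule entry: the 'core' packet/byte counters plus its limit match state."""
    limit: LimitState
    packets: int = 0
    bytes: int = 0


def process(rule: Rule, now: float, length: int) -> bool:
    """Offer one packet to the rule; count it only if the limit match accepts it."""
    if rule.limit.take(now):
        rule.packets += 1
        rule.bytes += length
        return True
    return False


def reload_naive(rule: Rule) -> Rule:
    """Reload as suspected in the thread: counters are re-uploaded untouched,
    but the limit match's private state is reallocated (fresh, full bucket)."""
    return Rule(limit=LimitState(rule.limit.rate_per_sec, rule.limit.burst),
                packets=rule.packets, bytes=rule.bytes)


def reload_preserving(rule: Rule) -> Rule:
    """Hypothetical alternative: the bucket state is carried over as well."""
    old = rule.limit
    return Rule(limit=LimitState(old.rate_per_sec, old.burst,
                                 tokens=old.tokens, last=old.last),
                packets=rule.packets, bytes=rule.bytes)


def scenario(reload):
    """avg 1/day burst 1: first packet at t=0, a second one a minute later,
    then a ruleset reload, then a third packet another minute later.
    Returns (first matched, second matched, third matched, packet counter)."""
    rule = Rule(limit=LimitState(1.0 / SECONDS_PER_DAY, 1))
    first = process(rule, 0.0, 60)      # constructed packet, 60 bytes
    second = process(rule, 60.0, 60)
    rule = reload(rule)                 # iptables rewrites and re-uploads the ruleset
    third = process(rule, 120.0, 60)
    return first, second, third, rule.packets


if __name__ == "__main__":
    print("state reallocated on reload:", scenario(reload_naive))
    print("state preserved on reload:  ", scenario(reload_preserving))
```

With the reallocating reload the third packet matches although only two minutes of a one-per-day budget have passed, and the counter (carried over) reads 2; with the preserving reload the third packet is refused and the counter stays at 1. The practical consequence is that any rule insertion or deletion on a chain resets the rate limits of the rules in it, so a `limit` rule should not be relied on as a hard quota across ruleset edits.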