IPset_iptree with timeouts on Fedora Core 4
kadlec at blackhole.kfki.hu
Fri Oct 28 15:24:11 CEST 2005
On Fri, 28 Oct 2005, Radek Hladik wrote:
> What I mean is that when I create iptree without default timeout:
> ipset -N test iptree
> and now I try to add member with timeout:
> ipset -A test 220.127.116.11%60
> but the timeout is not working and IP 18.104.22.168 stays in the iptree
> forever. According to log messages:
> kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: 1 2 3
> 4: expires 1 jiffies 9992264
> The garbage collector is called but expires value is set to 1. I think
> that it is because of the line
> ipt_set_iptree.c:141 dtree->expires[d] = map->timeout ? (timeout * HZ
> + jiffies) : 1;
> which sets expires to 1 when adding member with timeout to non-timeout
> iptree. I think it would not break backward compatibility as old
> commands do not use the ip%timeout notation.
There are two possibilities:
- The set is created with a default timeout value, in which case
all the entries time out. They can be added with specific timeout values
by using ipset or with the default value via the SET target.
- The set is created without a timeout value (this is the default),
when the entries do not time out. The set element which is actually
added to the set is denoted by '1' in the line above.
In this case there is no way to have entries which do time out,
not without bloating the structures, which I do not want to do.
> And I've found another issue I want to ask about. Is there any
> possibility to set timeout different from default timeout via ipt_SET
No, the SET target is totally generic and has no notion whatsoever of the
underlying set types.
E-mail : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
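The behaviour discussed in this thread, as a user-space model added here for illustration (not code from ip_set_iptree.c or from either poster): it reproduces the quoted `expires` assignment and shows that a per-entry timeout is silently dropped when the set has no default timeout. The `model_*` names, the `HZ` value, the fallback to the set default and the collector rule are assumptions of the model, and jiffies wrap-around is ignored.

```c
#include <stdio.h>

#define HZ 1000UL                 /* assumed tick rate for the model */

struct model_set {
    unsigned long timeout;        /* default timeout in seconds, 0 = none */
};
struct model_entry {
    unsigned long expires;        /* absolute jiffies, or 1 = "present" marker */
};

/* Mirrors the quoted line: expires = map->timeout ? (timeout * HZ + jiffies) : 1 */
static struct model_entry model_add(const struct model_set *set,
                                    unsigned long entry_timeout,
                                    unsigned long jiffies)
{
    struct model_entry e;
    /* Assumption: an entry added without its own value uses the set default. */
    unsigned long timeout = entry_timeout ? entry_timeout : set->timeout;
    e.expires = set->timeout ? (timeout * HZ + jiffies) : 1;
    return e;
}

/* Assumption: the collector only removes entries from sets that have a timeout. */
static int model_expired(const struct model_set *set,
                         const struct model_entry *e, unsigned long jiffies)
{
    return set->timeout != 0 && jiffies > e->expires;
}

/* Returns 1 when a requested per-entry timeout would be silently dropped. */
static int model_timeout_ignored(const struct model_set *set,
                                 unsigned long entry_timeout)
{
    return set->timeout == 0 && entry_timeout != 0;
}

int main(void)
{
    struct model_set plain = { 0 }, timed = { 3600 };
    unsigned long now = 9992264UL, later = now + 61 * HZ;  /* jiffies from the quoted log */
    struct model_entry a = model_add(&plain, 60, now);
    struct model_entry b = model_add(&timed, 60, now);
    printf("no default:   expires=%lu expired=%d ignored=%d\n", a.expires,
           model_expired(&plain, &a, later), model_timeout_ignored(&plain, 60));
    printf("with default: expires=%lu expired=%d\n", b.expires,
           model_expired(&timed, &b, later));
    return 0;
}
```

For a set used as a temporary blocklist, the practical check is the one `model_timeout_ignored` encodes: confirm the set was created with a default timeout before relying on `ip%timeout` entries to age out.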