[Bug 880] ipset doesn't refresh the timeout for an existing entry when the table is FULL.

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Jan 8 19:46:54 CET 2014


https://bugzilla.netfilter.org/show_bug.cgi?id=880

jlgms <joseluis.gms at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joseluis.gms at gmail.com

--- Comment #3 from jlgms <joseluis.gms at gmail.com> 2014-01-08 19:46:53 CET ---
(In reply to comment #2)
> There is no simple way to fix it: the system checks whether the set is full,
> and if yes, it rejects the action.
> 
> It could first test the element in the set and perform the action if it's
> there, but that'd mean a new overhead at adding any/all elements.

So I don't understand the option '--exist'; in my opinion, if --exist is present
the entry must always be searched and its timeout refreshed, table full or not.

The idea is to manage the set from iptables rules; right now we can refresh the
timeout by doing this:

... -j SET --del-set http src
... -j SET --add-set http src --timeout 60

Is this less expensive than doing it in ipset by first seeking the entry
(--exist)?

Thanks.

Jose Luis
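An added illustration, not ipset's code and not part of this bug thread: a small Python model of a bounded set with per-entry timeouts. It compares the check order comment #2 describes (the "set is full" test runs before the membership test, so -exist cannot refresh an entry once the set is full) with the alternative order the comment asks for (membership test first, one extra lookup per add), and models the --del-set/--add-set workaround from the comment, including the window in which another insert can take the freed slot. The names TimeoutSet, FakeClock and the sample addresses are constructed for the example.

```python
# Constructed model of ipset-like "maxelem + timeout" semantics. Not ipset's code.


class FakeClock:
    """Deterministic clock so expiry times are predictable in the demo."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, secs):
        self.t += secs


class TimeoutSet:
    """Bounded set; each element carries an absolute expiry time."""

    def __init__(self, maxelem, clock):
        self.maxelem = maxelem
        self.clock = clock          # callable returning the current time
        self.entries = {}           # element -> expiry time

    def _expire(self):
        now = self.clock()
        for elem in [e for e, exp in self.entries.items() if exp <= now]:
            del self.entries[elem]

    def members(self):
        self._expire()
        return sorted(self.entries)

    def add_full_check_first(self, elem, timeout, exist=False):
        """Order described in comment #2: reject when full, before looking up elem.
        With the set full, -exist therefore never refreshes an existing entry."""
        self._expire()
        if len(self.entries) >= self.maxelem:
            return False                        # rejected: set full
        if elem in self.entries and not exist:
            return False                        # rejected: already added, no -exist
        self.entries[elem] = self.clock() + timeout
        return True

    def add_exist_check_first(self, elem, timeout, exist=False):
        """Alternative order: look elem up first, so a refresh works even when full.
        Cost: one membership lookup on every add, which is the overhead comment #2 mentions."""
        self._expire()
        if elem in self.entries:
            if not exist:
                return False                    # already added, no -exist
            self.entries[elem] = self.clock() + timeout
            return True
        if len(self.entries) >= self.maxelem:
            return False                        # rejected: set full
        self.entries[elem] = self.clock() + timeout
        return True

    def delete(self, elem):
        self._expire()
        return self.entries.pop(elem, None) is not None

    def del_then_add(self, elem, timeout):
        """The iptables workaround from the comment: --del-set followed by --add-set.
        The delete frees a slot, so the add succeeds even on a full set."""
        self.delete(elem)
        return self.add_full_check_first(elem, timeout)


def demo():
    """Run both check orders and the workaround on a set of two elements."""
    clock = FakeClock()
    s = TimeoutSet(maxelem=2, clock=clock.now)
    s.add_full_check_first("10.0.0.1", 60)          # expires at t=60
    clock.advance(30)
    s.add_full_check_first("10.0.0.2", 60)          # expires at t=90; set is now full
    r = {}
    r["current_refresh"] = s.add_full_check_first("10.0.0.1", 60, exist=True)   # False
    r["expiry_after_current"] = s.entries["10.0.0.1"]                          # still 60.0
    r["alt_refresh"] = s.add_exist_check_first("10.0.0.1", 60, exist=True)     # True
    r["expiry_after_alt"] = s.entries["10.0.0.1"]                              # now 90.0
    r["workaround"] = s.del_then_add("10.0.0.2", 60)                           # True
    # Race window of the workaround: if another insert lands between the delete and
    # the add while the set is at maxelem, the re-add is rejected and the entry is lost.
    s.delete("10.0.0.2")
    s.add_full_check_first("10.0.0.3", 60)
    r["workaround_raced"] = s.add_full_check_first("10.0.0.2", 60)             # False
    r["members"] = s.members()                      # ['10.0.0.1', '10.0.0.3']
    clock.advance(60)                               # t=90: both entries expire
    r["members_after_expiry"] = s.members()         # []
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model is a behavioural sketch, not the kernel implementation: it only shows why the order of the "full" test and the membership test decides whether -exist can refresh, and that the del/add rule pair trades that for a brief window in which the entry is absent and can lose its slot.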
