[Bug 1207] New: connlimit rule fires too often
bugzilla-daemon at netfilter.org
Wed Dec 27 11:40:09 CET 2017
https://bugzilla.netfilter.org/show_bug.cgi?id=1207
Bug ID: 1207
Summary: connlimit rule fires too often
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ip_tables (kernel)
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: toralf.foerster at gmx.de
I use the following rule to be informed when the number of new outgoing
connections from my server at port $p is higher than a given threshold $n:
$IPT -A OUTPUT -p tcp --destination-port $p --syn \
    --match connlimit --connlimit-above $n --connlimit-mask 0 --connlimit-daddr \
    --match limit --limit 1/second --limit-burst 1 \
    -j LOG --log-prefix "limit $n at $p reached "
After a few hours this rule fires too often (every few seconds). A restart of the
iptables init.d script solved the issue immediately, and the rule again fires
only rarely, as expected.
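An added diagnostic (not part of the bug report) that reads the lines the rule's LOG target writes and counts how many consecutive hits arrive within a few seconds of each other, which is the "every few seconds" pattern described above; the syslog line format, the year and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample of syslog lines as the LOG target of the reported rule
# would write them (prefix "limit $n at $p reached " with n=20, p=443).
# Timestamps, addresses and ports are made up for illustration.
SAMPLE_LOG = """\
Dec 27 10:00:01 host kernel: limit 20 at 443 reached IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=443
Dec 27 10:00:04 host kernel: limit 20 at 443 reached IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=443
Dec 27 10:00:07 host kernel: limit 20 at 443 reached IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=40003 DPT=443
Dec 27 10:00:11 host kernel: limit 20 at 443 reached IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=443
Dec 27 11:30:00 host kernel: limit 20 at 443 reached IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=40005 DPT=443
Dec 27 11:30:02 host kernel: something unrelated
"""

# Assumed syslog layout: "Mon DD HH:MM:SS host kernel: <prefix> <LOG fields>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"limit (?P<n>\d+) at (?P<p>\d+) reached .*?DST=(?P<dst>\S+)"
)

def parse_hits(text, year):
    """Return (timestamp, threshold, port, dst) for every line carrying the
    rule's log prefix. Syslog omits the year, so the caller supplies it."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits.append((ts, int(m["n"]), int(m["p"]), m["dst"]))
    return hits

def rapid_fire_summary(hits, max_gap_sec=30):
    """Summarise how often the rule fired. Gaps shorter than max_gap_sec
    between consecutive hits are the 'every few seconds' pattern; a rule that
    only trips on genuine connection bursts should show few of them."""
    ordered = sorted(h[0] for h in hits)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    short = [g for g in gaps if g < max_gap_sec]
    return {
        "hits": len(ordered),
        "short_gaps": len(short),
        "min_gap_sec": min(gaps) if gaps else None,
        "suspect_rapid_fire": len(short) >= 3,
    }

if __name__ == "__main__":
    print(rapid_fire_summary(parse_hits(SAMPLE_LOG, 2017)))
```

Point it at the real log (for example `journalctl -k` output) and compare the summary before and after restarting the iptables script to confirm the rate change.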