Re: [PATCH 1/2] xt_connlimit (kernel) - connection limiting

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Andrew Beverley <andy@andybev.com>
To: Jan Engelhardt <jengelh@linux01.gwdg.de>
Cc: Netfilter Developer Mailing List
	<netfilter-devel@lists.netfilter.org>,
	Netfilter Mailing List <netfilter@lists.netfilter.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] xt_connlimit (kernel) - connection limiting
Date: Sun, 03 Jun 2007 19:32:06 +0100	[thread overview]
Message-ID: <1180895526.6601.44.camel@andybev> (raw)
In-Reply-To: <Pine.LNX.4.61.0706031914120.10578@yvahk01.tjqt.qr>

On Sun, 2007-06-03 at 19:18 +0200, Jan Engelhardt wrote:
> On Jun 3 2007 18:00, Andrew Beverley wrote:
> >On Sun, 2007-06-03 at 13:12 +0200, Jan Engelhardt wrote:
> >> Adds the connlimit match that has been in POM-NG for a long time.
> >> 
> >>     *	works with 2.6.22, xtables'ified and all that
> >> 
> >>     *	will request nf_conntrack_ipv4 upon load
> >> 	(otherwise it hotdrops every packet - a glitch that goes back
> >> 	to at least 2.6.20.2)
> >
> >Excellent! This has been at the back of my mind for a while.
> >
> >Is there any chance of getting UDP flows added as well as TCP
> >connections?
> 
> I dare to say it's easy. The real problem is rather, that UDP is
> connectionless, so for one, connlimit can, by definition of the word
> 'connectionless', not apply to UDP, though it is technically
> possible.

Understood.

> Second, because UDP "connections" "fly" (timeout after 30
> seconds), just spewing one UDP packet out may kill another connection
> (e.g. if you use connlimit in conjunction with DROP or REJECT).

I see what you mean, although I personally would use this with an IPSET
target, and I would argue it is the responsibility of the administrator
to ensure it is used correctly.

> What's more, UDP packets can be easily forged, much more than TCP, so
> anyone on the same subtree (not subnet, because that's something
> different) can send a bogus UDP packet and stop your connections from
> working.

I didn't know that, but I doubt anyone where I would use it would be
able to do that :-)

> Let's see how to implement UDP counting...

The alternative, as I see it, is to adapt hashlimit to have an option to
limit by number of different concurrent streams to different port
numbers (but same source/destination IP address). However, I personally
think it would sit better in connlimit, even if UDP is not a connection
by strict definition.

Is it something you would consider, or shall I look at it myself?

With regards to Patrick's comment, IIRC this was one of the points he
originally raised.

Regards,

Andy Beverley

next prev parent reply	other threads:[~2007-06-03 18:32 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-06-03 11:12 [PATCH 0/2] xt_connlimit - connection limiting Jan Engelhardt
2007-06-03 11:12 ` [PATCH 1/2] xt_connlimit (kernel) " Jan Engelhardt
2007-06-03 11:12   ` Jan Engelhardt
2007-06-03 11:46   ` Yasuyuki KOZAKAI
2007-06-03 11:46   ` Yasuyuki KOZAKAI
     [not found]   ` <200706031146.l53BkuaZ011945@toshiba.co.jp>
2007-06-03 12:35     ` Jan Engelhardt
2007-06-03 17:00   ` Andrew Beverley
2007-06-03 17:18     ` Jan Engelhardt
2007-06-03 18:32       ` Andrew Beverley [this message]
2007-06-03 17:34   ` Patrick McHardy
2007-06-05  8:33     ` Jan Engelhardt
2007-06-05 11:36       ` Patrick McHardy
2007-06-03 11:14 ` [PATCH 2/2] xt_connlimit (iptables) " Jan Engelhardt
2007-06-03 11:23   ` Jan Engelhardt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1180895526.6601.44.camel@andybev \
    --to=andy@andybev.com \
    --cc=jengelh@linux01.gwdg.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.