From: Florian Westphal <fw@strlen.de>
To: Chris Vine <chris@cvine.freeserve.co.uk>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: xt_recent fails with kernel 3.19.0
Date: Thu, 12 Feb 2015 12:36:43 +0100 [thread overview]
Message-ID: <20150212113643.GA13795@breakpoint.cc> (raw)
In-Reply-To: <20150212110931.6db17d7c@bother.homenet>
Chris Vine <chris@cvine.freeserve.co.uk> wrote:
> > > info->name); if (t != NULL) {
> > > - if (info->hit_count > t->nstamps_max_mask) {
> > > + if (info->hit_count > t->nstamps_max_mask + 1) {
> > > pr_info("hitcount (%u) is larger than
> > > packets to be remembered (%u) for table %s\n", info->hit_count,
> > > t->nstamps_max_mask + 1, info->name);
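Review bot: the `+ 1` brings the comparison in line with the value the pr_info() below reports as "packets to be remembered" (`t->nstamps_max_mask + 1`), so a hitcount equal to the table size is accepted instead of rejected; note that the comparison is still against the mask of the existing table found by `info->name`, so a rule that asks for a larger hitcount than the table was created with is still rejected, which the changelog should spell out.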
> >
> > Scrub that. This now fails when SSH_TRIES is set to other than a
> > power of two boundary. There seems to be something fundamentally
> > wrong with the heuristic employed here.
>
> On more testing I am wrong about that. You seem to need to rmmod
> xt_recent to get it to flush the previous setting. With that done, the
> patch does indeed seem to work with any values of SSH_TRIES.
Grrr. Right. This is because if you have a single
-m recent --name DEFAULT ..
iptables-save > foo
then edit foo to bump the hitcount, then run
iptables-restore < foo
we'll find the existing DEFAULT entry with the old hitcount.
It works for something like 11 -> 13 since we're internally
tracking a count of 16 (mask 15).
I don't see a simple fix except your patch above plus
-static unsigned int ip_pkt_list_tot __read_mostly;
+static unsigned int ip_pkt_list_tot __read_mostly = 32;
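Review bot: changing the default of the `ip_pkt_list_tot` module parameter from 0 to 32 is a user-visible change and should be called out in the parameter description and the commit message; as the surrounding text says, it also gives every table at least that many entries regardless of the rule's hitcount, so the hitcount check stops constraining anything and memory use goes up for all users, not only the ones hitting this restore problem.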
To work around this.
This causes us to ignore hitcount in the check completely, at additional
memory cost.
I'll see if we can fix this in a better way.
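The following is an added example, not code from the thread or from the kernel. It models the two checks under discussion (the 3.19 comparison and the "+ 1" variant) together with the iptables-restore scenario Florian describes, where a second rule reuses a table that an earlier rule created with a smaller hitcount. The table-size computation (hitcount rounded up to a power of two, minus one, or the `ip_pkt_list_tot` default when that is larger) is my reading of the 3.19 code and is an assumption; the function names and the `restore_accepts()` helper are mine.

```c
#include <stdbool.h>
#include <stdio.h>

/* Per-table state: xt_recent keeps a power-of-two number of timestamps
 * per entry and stores (count - 1) as a mask. Modelled, not the kernel
 * struct. */
struct recent_table {
    unsigned int nstamps_max_mask;
};

/* Stand-in for the ip_pkt_list_tot module parameter (0 by default in 3.19,
 * 32 in the workaround quoted in the thread). */
static unsigned int ip_pkt_list_tot = 0;

/* Round n up to the next power of two (assumed to mirror the kernel's
 * roundup_pow_of_two() for the values used here). */
static unsigned int roundup_pow2(unsigned int n)
{
    unsigned int p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

/* Mask chosen when a table is first created (my reading of 3.19). */
static unsigned int table_mask_for(unsigned int hit_count)
{
    if (ip_pkt_list_tot && hit_count < ip_pkt_list_tot)
        return roundup_pow2(ip_pkt_list_tot) - 1;
    if (hit_count)
        return roundup_pow2(hit_count) - 1;
    return 32 - 1;
}

/* The 3.19 check for a rule that finds an existing table by name. */
static bool check_existing_old(const struct recent_table *t, unsigned int hit_count)
{
    return hit_count <= t->nstamps_max_mask;
}

/* The same check with the "+ 1" from the quoted patch applied. */
static bool check_existing_fixed(const struct recent_table *t, unsigned int hit_count)
{
    return hit_count <= t->nstamps_max_mask + 1;
}

/* Simulate the restore scenario: the first rule creates the table with
 * hit_first; a later rule (the edited one in iptables-restore) asks for
 * hit_later and must pass the existing-table check. `tot` is the module
 * parameter value in effect when the table was created. */
static bool restore_accepts(unsigned int tot, unsigned int hit_first,
                            unsigned int hit_later, bool fixed)
{
    ip_pkt_list_tot = tot;
    struct recent_table t = { .nstamps_max_mask = table_mask_for(hit_first) };
    return fixed ? check_existing_fixed(&t, hit_later)
                 : check_existing_old(&t, hit_later);
}

int main(void)
{
    /* Power-of-two hitcount re-checked against its own table: fails in 3.19,
     * passes with the fix (16 vs mask 15 / size 16). */
    printf("hitcount 16, old check:   %s\n", restore_accepts(0, 16, 16, false) ? "ok" : "EINVAL");
    printf("hitcount 16, fixed check: %s\n", restore_accepts(0, 16, 16, true) ? "ok" : "EINVAL");
    /* 11 -> 13 works because the table already holds 16 (mask 15). */
    printf("11 -> 13, fixed check:    %s\n", restore_accepts(0, 11, 13, true) ? "ok" : "EINVAL");
    /* 11 -> 17 still fails without rmmod: the old table is too small. */
    printf("11 -> 17, fixed check:    %s\n", restore_accepts(0, 11, 17, true) ? "ok" : "EINVAL");
    /* With ip_pkt_list_tot = 32 every table has 32 slots, so it passes. */
    printf("11 -> 17, tot=32:         %s\n", restore_accepts(32, 11, 17, true) ? "ok" : "EINVAL");
    return 0;
}
```

Running the model reproduces the three observations in the thread: a hitcount exactly on a power-of-two boundary is rejected by the 3.19 comparison but accepted with the `+ 1`; bumping 11 to 13 works either way because the existing table already has 16 slots; bumping past the old table's size is still rejected until the module is reloaded, and the `ip_pkt_list_tot = 32` default sidesteps that only by making every table larger.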