From: Pablo Neira <pablo@eurodev.net>
To: Josh Samuelson <josamue1@wsc.edu>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] new match extension `flow'
Date: Fri, 29 Oct 2004 21:32:44 +0200
Message-ID: <41829ADC.2090708@eurodev.net>
In-Reply-To: <20041028020550.GA10097@wsc.edu>
Josh Samuelson wrote:
>Greetings,
>
>The attached diff files add to iptables the ability to match max
>connections allowed for various IP protocols: generic IP, ICMP, TCP
>and UDP.
>
>kernel changes:
>The patch file is for 2.6.9.
>net/ipv4/netfilter/ip_conntrack_standalone.c must be fixed by a
>patch I sent to the list earlier; see line 819 for the problem.
>It modifies some files relevant to ip_conntrack and adds an ipt_flow.c
>match module. When a new conntrack is created, a flow structure will
>have counters incremented for the type of protocol being used, indexed
>by the original direction source IP address. All current flows can
>be viewed in the "/proc/net/ip_conntrack_flow" file. The current
>number of flows can be viewed from the
>"/proc/sys/net/ipv4/netfilter/ip_conntrack_flow_count" file.
>
># cat /proc/net/ip_conntrack_flow
>192.168.1.7 IP: 1 ICMP: 0 TCP: 1 UDP: 0
>192.168.1.254 IP: 1 ICMP: 0 TCP: 0 UDP: 0
>192.168.1.7 IP: 1 ICMP: 0 TCP: 1 UDP: 0
>192.168.1.55 IP: 1 ICMP: 0 TCP: 1 UDP: 0
>192.168.1.121 IP: 2 ICMP: 0 TCP: 0 UDP: 2
># cat /proc/sys/net/ipv4/netfilter/ip_conntrack_flow_count
>5
>#
>
>iptables changes:
>The patch is for iptables-1.2.11. It adds the source to allow
>iptables to have the flow match via the shared library API that
>iptables defines. The module adds the following options:
>--maxip n (which can only be used when no protocol is specified)
>--maxicmp n (allowed with -p icmp)
>--maxtcp n (allowed with -p tcp)
>--maxudp n (allowed with -p udp)
>The flow match module can only be used in the filter table.
>
>An example of the usage:
>
>iptables -A FORWARD -p tcp -s 192.168.1.0/24 -m flow --maxtcp 150 \
>-m state --state NEW -j REJECT --reject-with tcp-reset
>
>This would deny new TCP connections from all hosts routing
>through the machine from the 192.168.1.0/24 network that already
>have 150 connections.
>
>Hope some people find this useful! Original idea from John Dunning,
>see "Flow count module" from Tue Oct 12 14:54:20 CEST 2004.
>
>Questions, comments?
>
>
Cool, nice work. But can't we do a match which counts new connections? I bet that the problem is that we don't know when a connection is closed, maybe we could add a new ip_conntrack_status (something like IPS_CLOSED_BIT) which would be set when a connection is closed, i.e. in tcp tracking when in time TIME_WAIT/FIN_WAIT. I don't like so much the idea of adding more stuff to the core of the conntrack to keep things simpler.
Pablo
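An added example, not part of the thread or of the patch: a small shell helper that reads the `/proc/net/ip_conntrack_flow` format Josh quotes above and lists the sources whose counter for one protocol has reached a limit, i.e. the sources a `-m flow --max<proto> N` rule would be refusing new connections from right now. The sample data is constructed from the quoted output; the function name is my own, and it assumes the limit is inclusive, matching the description that hosts which "already have 150 connections" are denied.

```shell
#!/bin/sh
# Constructed sample in the /proc/net/ip_conntrack_flow format quoted in the
# thread (one line per entry: source address, then per-protocol counters).
SAMPLE_FLOWS='192.168.1.7 IP: 1 ICMP: 0 TCP: 1 UDP: 0
192.168.1.254 IP: 1 ICMP: 0 TCP: 0 UDP: 0
192.168.1.7 IP: 1 ICMP: 0 TCP: 1 UDP: 0
192.168.1.55 IP: 1 ICMP: 0 TCP: 1 UDP: 0
192.168.1.121 IP: 2 ICMP: 0 TCP: 0 UDP: 2'

# flows_over_limit PROTO LIMIT [FILE]
# Prints "source count" for every entry whose PROTO counter (IP, ICMP, TCP or
# UDP) has reached LIMIT, i.e. the sources a `-m flow --max<proto> LIMIT` rule
# would currently refuse new connections from (assumed inclusive, as in the
# "already have 150 connections" description). FILE defaults to the live proc
# file; pass "-" to read stdin. Identical repeated lines, as in the quoted
# output, are collapsed by sort -u.
flows_over_limit() {
    proto=$1; limit=$2; file=${3:-/proc/net/ip_conntrack_flow}
    case $proto in
        IP|ICMP|TCP|UDP) ;;
        *) echo "flows_over_limit: unknown protocol '$proto'" >&2; return 2 ;;
    esac
    case $limit in
        ''|*[!0-9]*) echo "flows_over_limit: limit must be a number" >&2; return 2 ;;
    esac
    awk -v proto="$proto:" -v limit="$limit" '
        # counters come in "NAME: value" pairs after the address in $1
        { for (i = 2; i < NF; i += 2)
              if ($i == proto && $(i + 1) + 0 >= limit + 0) print $1, $(i + 1) }
    ' "$file" | sort -u
}

# Stand-alone demo on the constructed sample: which sources would a
# `--maxtcp 1` rule be rejecting?
printf '%s\n' "$SAMPLE_FLOWS" | flows_over_limit TCP 1 -
```

On a box running the patched kernel, `flows_over_limit TCP 150` reads the live proc file and shows which sources the FORWARD rule in Josh's example is currently refusing.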