From: Patrick McHardy <kaber@trash.net>
To: Duncan Palmer <dunk_palmer@yahoo.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] Get icmp ratelimit from sysctl in ipt_REJECT.c
Date: Fri, 11 Feb 2005 20:05:06 +0100
Message-ID: <420D01E2.5000008@trash.net>
In-Reply-To: <20050211075222.63979.qmail@web60608.mail.yahoo.com>

Duncan Palmer wrote:

>Is there anywhere that sends icmp pkts apart from
>icmp.c and ipt_REJECT.c? (a quick look suggests not).
>If not, then one problem I can see with removing
>xrlim_allow() from ipt_REJECT is that its behaviour
>will become inconsistent with that of icmp.c, in that
>it doesn't use sysctl for setting rlimit (not that it
>ever has...)
>
It doesn't have to be consistent with icmp.c, but it should be
consistent with the remainder of iptables, this means to do as
the ruleset says.

>After reading the relevant bits of the RFC and a bit
>more code, I agree that xrlim_allow() is indeed
>buggered...
>
>I'm far from being an expert on linux's networking
>internals, but it seems to me that many aspects of the
>operation of network stacks are configurable using
>sysctl variables. Not calling icmpv4_xrlim_allow()
>will make the icmp ratelimit parameter a bit of an odd
>one out as far as ipv4 is concerned, as I think there
>are other ipv4 sysctl parameters whose functionality
>could similarly be replaced by iptables...
>
ipt_REJECT is different from icmp.c, it doesn't send ICMP messages
in response to error conditions but because the admin said so in
his ruleset. If he wants to limit it he can use the limit match.

>I'll be happy to do up a patch on whatever is decided
>upon anyway...
>
I already removed it in my tree, but haven't committed it yet.

Regards
Patrick
