From: Michael Schachtebeck <schachti@rbw.goe.net>
To: netfilter@lists.netfilter.org
Subject: Re: limit extension
Date: Wed, 20 Jul 2005 17:03:51 +0200
Message-ID: <42DE67D7.5040804@rbw.goe.net>
In-Reply-To: <20050720150118.GB15339@zion.homelinux.com>
On 07/20/2005 04:45 PM, Sven Schuster wrote:
> AFAIK, when you add, delete, or replace an iptables rule, at first the
> current rules are "downloaded" from the kernel, the changes are made in
> user space, and then the ruleset is "uploaded" again to the kernel.
> When uploading, I think that all the internal data structures for
> the matches are deleted and then allocated freshly. That's why you
> see this behaviour in your testing. When your cronjob runs (or you
> run it manually) all the data structures get deleted and newly
> allocated, thus the limit rule matches again.
But on the other hand, the counter correctly shows the number of packets
that matched the rule; iptables -t nat -vnL PREROUTING says:

9 540 REDIRECT tcp -- eth1 * 10.10.10.69 0.0.0.0/0 tcp spts:1024:65535 dpt:80 flags:0x16/0x02 limit: avg 1/day burst 1 redir ports 5000

So it would be very strange if the rules were extracted to user space,
rewritten/modified, "uploaded" to the kernel with the correct counters
for the remaining rules, and then the rules did not look at these
counters. ;-)
Why then save and restore the counters, if they are not used by the rules?
Michael.
--
PGP Public Key: http://www.num.math.uni-goettingen.de/schachte/key.asc
Key fingerprint: C474 8B85 17C0 0232 E439 0FBF 2451 E452 293C D798
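The two pieces of state the thread is arguing about live in different places: the per-rule packet/byte counters are read out of the old table by the iptables binary and added back onto the new table after the replace, whereas the limit match's token bucket lives in the match's private data, which the kernel allocates and initialises again (checkentry) for every rule of the new table. The simulation below is an added example, not code from this thread or from the netfilter project; it models the limit match on the token-bucket algorithm used by the kernel's ipt_limit match (credit, credit_cap, cost), with jiffies simplified to whole seconds, and it uses a constructed packet timeline rather than real traffic. The names LimitMatch, Rule, replace_table and simulate are assumptions made up for the example.

```python
"""Why a 'limit: avg 1/day burst 1' rule matches again after a ruleset reload.

Added example, not from the thread or the netfilter project.  The token
bucket is modelled on ipt_limit (credit / credit_cap / cost); time is in
seconds instead of jiffies, which does not change the rate semantics.
"""
import dataclasses

CREDITS_PER_SEC = 1        # simplification: one credit per second
DAY = 86400                # '1/day' means one packet per 86400 s


@dataclasses.dataclass
class LimitMatch:
    """Private state of one limit match, as allocated by checkentry()."""
    interval_s: int        # seconds per packet at the configured average rate
    burst: int
    cost: int = 0          # credits one matched packet costs
    credit_cap: int = 0    # bucket size = cost * burst
    credit: int = 0        # current credits; a fresh match starts with a full bucket
    prev: float = 0.0      # time of the last evaluation

    @classmethod
    def new(cls, interval_s: int, burst: int, now: float) -> "LimitMatch":
        cost = interval_s * CREDITS_PER_SEC
        cap = cost * burst
        # ipt_limit's checkentry: credit = credit_cap, i.e. the bucket is full
        return cls(interval_s, burst, cost=cost, credit_cap=cap, credit=cap, prev=now)

    def match(self, now: float) -> bool:
        # refill by elapsed time, clamp to the bucket size, then spend if affordable
        self.credit += int((now - self.prev) * CREDITS_PER_SEC)
        self.prev = now
        if self.credit > self.credit_cap:
            self.credit = self.credit_cap
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


@dataclasses.dataclass
class Rule:
    """One rule: a limit match plus the packet/byte counters iptables displays."""
    limit: LimitMatch
    pkts: int = 0
    bytes: int = 0

    def process(self, now: float, length: int) -> bool:
        # counters only advance when every match (here: limit) succeeds
        if self.limit.match(now):
            self.pkts += 1
            self.bytes += length
            return True
        return False


def replace_table(rule: Rule, now: float) -> Rule:
    """Model a ruleset reload (iptables -A/-D/-R, or iptables-restore).

    Userspace re-submits the rule and adds the old counters back, so pkts and
    bytes survive; the kernel runs checkentry() again, so the limit state is
    a brand-new, full bucket.
    """
    fresh = LimitMatch.new(rule.limit.interval_s, rule.limit.burst, now)
    return Rule(limit=fresh, pkts=rule.pkts, bytes=rule.bytes)


def simulate(reload: bool) -> dict:
    """Constructed timeline: SYNs at t=0 s, t=60 s and t=180 s; optional reload at t=120 s."""
    rule = Rule(LimitMatch.new(DAY, burst=1, now=0.0))
    first = rule.process(0.0, 60)      # full bucket: matches, counters 1/60
    second = rule.process(60.0, 60)    # only 60 credits refilled: no match
    if reload:
        rule = replace_table(rule, 120.0)
    third = rule.process(180.0, 60)    # matches again only if the bucket was reset
    return {"matches": (first, second, third), "pkts": rule.pkts, "bytes": rule.bytes}


if __name__ == "__main__":
    print("without reload:", simulate(reload=False))
    print("with reload:   ", simulate(reload=True))
```

The run with a reload shows the two observations from the thread side by side: the third packet is redirected even though far less than a day has passed, while the packet and byte counters carry on from 1/60 to 2/120 as if nothing had happened. Preserving counters across a reload (iptables-save -c / iptables-restore -c, or the default add/delete path) therefore says nothing about whether match-internal state such as a limit bucket is preserved; it is not.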
Thread overview:
2005-07-19 18:07 limit extension Michael Schachtebeck
2005-07-19 20:13 ` Jan Engelhardt
2005-07-19 21:01 ` Michael Schachtebeck
2005-07-20 6:25 ` Jan Engelhardt
2005-07-20 14:15 ` Michael Schachtebeck
2005-07-20 14:45 ` Sven Schuster
2005-07-20 14:55 ` Michael Schachtebeck
2005-07-20 15:15 ` Sven Schuster
2005-07-20 14:58 ` Sven Schuster
2005-07-20 15:01 ` Sven Schuster
2005-07-20 15:03 ` Michael Schachtebeck [this message]
2005-07-20 15:05 ` Jan Engelhardt