problem with connlimit module compile

problem with connlimit module compile

[Keith]

I'm using kernel 2.6.13 and iptables 1.3.2 and 
patch-o-matic ng-20040621

I'm getting an error when I try to patch and compile to use 
connlimit from the patch-o-matic base. the errors look like this:

In function count_them:
struct ip_conntrack_tuple_hash has no member named ctrack

And sure enough I find the ctrack pointer was removed here:
http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/018147.htm
l


I started digging into the source and find it non-trivial
Any suggestions on a work around?

 

Re: problem with connlimit module compile

[Damon Gray]

You are going to want to go with a much newer version of POM for the 
connlimit module, I have only tested the latest version with 2.6.11.X, but 
AFAIK it would work on later versions as well.

Good luck

-Damon-

On Thu, 1 Sep 2005, Keith wrote:

> I'm using kernel 2.6.13 and iptables 1.3.2 and
> patch-o-matic ng-20040621
>
> I'm getting an error when I try to patch and compile to use
> connlimit from the patch-o-matic base. the errors look like this:
>
> In function count_them:
> struct ip_conntrack_tuple_hash has no member named ctrack
>
> And sure enough I find the ctrack pointer was removed here:
> http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/018147.htm
> l
>
>
> I started digging into the source and find it non-trivial
> Any suggestions on a work around?
>
>
>
>
>
>

ip_conntrack_get doesn't call nf_conntrack_get(&ct->ct_general)

[Damon Gray]

Until I looked more closely I always assumed ip_conntrack_get was doing 
the proper reference counting, and I would always call ip_conntrack_put 
for everything I was "getting". The problem is that ip_conntrack_put calls
nf_conntrack_put(&ct->ct_general) but ip_conntrack_get *does not* call 
nf_conntrack_get(&ct->ct_general). Problem? If so I would be happy to send 
a patch.

Thanks

-Damon-

Re: ip_conntrack_get doesn't call nf_conntrack_get(&ct->ct_general)

[Patrick McHardy]

Damon Gray wrote:
> 
> Until I looked more closely I always assumed ip_conntrack_get was doing
> the proper reference counting, and I would always call ip_conntrack_put
> for everything I was "getting". The problem is that ip_conntrack_put calls
> nf_conntrack_put(&ct->ct_general) but ip_conntrack_get *does not* call
> nf_conntrack_get(&ct->ct_general). Problem? If so I would be happy to
> send a patch.

This is one of the uglies of ip_conntrack. ip_conntrack_get just returns
the nfct pointer from the skb and the nfctinfo field in *ctinfo, without
increasing the refcnt, refcounting is done using nf_conntrack_get.
Before nfctinfo was introduced, ctinfo it had to be derived from the
nfct pointer, which is why ip_conntrack_get exists. Cleanup patches in
this area would be very welcome, but it should be done for nf_conntrack,
which copied this part of ip_conntrack.