* Query: status of ipt_recent?
From: Grant Coady @ 2006-05-28 4:39 UTC (permalink / raw)
To: netfilter-devel
Hi there,
Recently there was a query on lkml about ipt_recent, that a patch
for a memory leak may not be going far enough. What is the status on
ipt_recent and is anyone backporting the new version to the 2.4 kernel?
Thanks,
Grant.
* Re: Query: status of ipt_recent?
From: Patrick McHardy @ 2006-05-28 12:05 UTC (permalink / raw)
To: Grant Coady; +Cc: netfilter-devel
Grant Coady wrote:
> Hi there,
>
> Recently there was a query on lkml about ipt_recent, that a patch
> for a memory leak may not be going far enough. What is the status on
> ipt_recent and is anyone backporting the new version to the 2.4 kernel?
The problem with the recent match is mostly that it's an offence
to the eyes and very hard to maintain, even small and simple patches
are hard to review. As far as I know it works fine if you forget
about a few corner cases, so I don't really see a reason for a
backport. Shouldn't be very hard though.
* Re: Query: status of ipt_recent?
From: Grant Coady @ 2006-05-28 23:21 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Sun, 28 May 2006 14:05:11 +0200, Patrick McHardy <kaber@trash.net> wrote:
>Grant Coady wrote:
>> Hi there,
>>
>> Recently there was a query on lkml about ipt_recent, that a patch
>> for a memory leak may not be going far enough. What is the status on
>> ipt_recent and is anyone backporting the new version to the 2.4 kernel?
>
>The problem with the recent match is mostly that it's an offence
>to the eyes and very hard to maintain, even small and simple patches
>are hard to review. As far as I know it works fine if you forget
>about a few corner cases, so I don't really see a reason for a
>backport. Shouldn't be very hard though.
I use 2.4.latest on a firewall box and was using iptables --recent
for web server traffic calming (on a tiny pipe to the 'net) by src_ip
to prevent DoS by some users. I hadn't noticed the memory leak,
perhaps 'cos uptime max is in weeks, and I unload/reload ipt_recent
'cos the firewall sets parameters (more entries, less history):
report " reload --recent (250 x 2)"
rmmod ipt_recent
# see man iptables for this:
modprobe ipt_recent ip_list_tot=250 ip_pkt_list_tot=2
each time I fiddle with the iptables ruleset.
If the author has abandoned the thing I could reformat it, throw
in some function calls to convert the spaghetti code to functions,
make it easier to see the obfuscated control flow, and throw in
some goto targets as well ;) (CodingStyle single exit)
I'd hate to duplicate a work in progress.
Cheers,
Grant.
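The reload-and-rule sequence described in the post above, as an added shell example that is not from the thread: it reloads ipt_recent with new list parameters and then installs a per-source rate-limit rule pair for port 80. The table name WEB, the 60-second window and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default here) the commands are printed rather than executed, so the script can be checked without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds the ipt_recent module
# parameters and a --recent rate-limit rule pair for a web server.
# DRY_RUN=1 (default) prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# recent_rules LIST_TOT PKT_LIST_TOT SECONDS HITCOUNT
#   ip_list_tot     = number of source addresses the table remembers
#   ip_pkt_list_tot = timestamps kept per address; the match refuses a
#                     --hitcount larger than this, so reject it up front.
recent_rules() {
    list_tot=$1; pkt_tot=$2; seconds=$3; hitcount=$4
    if [ "$hitcount" -gt "$pkt_tot" ]; then
        echo "hitcount $hitcount exceeds ip_pkt_list_tot $pkt_tot" >&2
        return 1
    fi
    # Reload the module so the new sizes take effect (as the post does).
    run rmmod ipt_recent
    run modprobe ipt_recent ip_list_tot="$list_tot" ip_pkt_list_tot="$pkt_tot"
    # Table keyed by source address (--rsource, table name WEB is assumed).
    # A new connection from a source already seen $hitcount times within
    # $seconds is dropped; otherwise the source is recorded and accepted.
    run iptables -A INPUT -p tcp --dport 80 --syn -m recent --name WEB --rsource \
        --update --seconds "$seconds" --hitcount "$hitcount" -j DROP
    run iptables -A INPUT -p tcp --dport 80 --syn -m recent --name WEB --rsource \
        --set -j ACCEPT
}

# The post's values: 250 entries, 2 timestamps each, so hitcount 2 at most.
recent_rules 250 2 60 2
```

The current table contents can be inspected in /proc/net/ipt_recent/WEB while the module is loaded.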
* Re: Query: status of ipt_recent?
From: Patrick McHardy @ 2006-05-28 23:25 UTC (permalink / raw)
To: Grant Coady; +Cc: netfilter-devel
Grant Coady wrote:
> On Sun, 28 May 2006 14:05:11 +0200, Patrick McHardy <kaber@trash.net> wrote:
>
>>The problem with the recent match is mostly that it's an offence
>>to the eyes and very hard to maintain, even small and simple patches
>>are hard to review. As far as I know it works fine if you forget
>>about a few corner cases, so I don't really see a reason for a
>>backport. Shouldn't be very hard though.
>
>
> I use 2.4.latest on a firewall box and was using iptables --recent
> for web server traffic calming (on a tiny pipe to the 'net) by src_ip
> to prevent DoS by some users. I hadn't noticed the memory leak,
> perhaps 'cos uptime max is in weeks, and I unload/reload ipt_recent
> 'cos the firewall sets parameters (more entries, less history):
>
> report " reload --recent (250 x 2)"
> rmmod ipt_recent
> # see man iptables for this:
> modprobe ipt_recent ip_list_tot=250 ip_pkt_list_tot=2
>
> each time I fiddle with the iptables ruleset.
The leak only happens on an error path under very unlikely
circumstances.
> If the author has abandoned the thing I could reformat it, throw
> in some function calls to convert the spaghetti code to functions,
> make it easier to see the obfuscated control flow, and throw in
> some goto targets as well ;) (CodingStyle single exit)
>
> I'd hate to duplicate a work in progress.
Well, for 2.6 we have a replacement now. For 2.4 such a patch would
be too intrusive, so you would have to maintain it yourself out of
tree.
* Re: Query: status of ipt_recent?
From: Grant Coady @ 2006-05-28 23:39 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Mon, 29 May 2006 01:25:28 +0200, Patrick McHardy <kaber@trash.net> wrote:
>Grant Coady wrote:
>> I'd hate to duplicate a work in progress.
>
>Well, for 2.6 we have a replacement now. For 2.4 such a patch would
>be too intrusive, so you would have to maintain it yourself out of
>tree.
Okay, thanks. No point flogging a near dead horse...
Grant.