From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Netfilter Developer Mailing List
<netfilter-devel@lists.netfilter.org>,
Andrew Beverley <andy@andybev.com>
Subject: Re: xt_connlimit 20070620_2
Date: Fri, 22 Jun 2007 14:42:07 +0200 [thread overview]
Message-ID: <467BC39F.2030107@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.64.0706221420090.26568@fbirervta.pbzchgretzou.qr>
Jan Engelhardt wrote:
> On Jun 22 2007 13:43, Patrick McHardy wrote:
>
>>I didn't realize that. Still, why doesn't it support all protocols?
>
>
> It suppers all protocols that Netfilter supports, surprise surprise :)
> -A OUTPUT -p udp -m connlimit uses what Netfilter considers an UDP
> connection. /proc/net/ip_conntrack shows that. Of course these UDP
> "connections" expeire within 30 seconds by default, but that's another problem.
OK, that fine then.
>
>
>>>>Also nothing guarantees that you're looking at a TCP connection here.
>
>
> Which is why I asked how to find out I am actually looking at TCP.
> There's tuple.proto or the proto field in struct nf_conn, but the question is,
> which one should I use, or are both the same?
>
>
>>>True that. What is the SCTP state (include/linux/netfilter/nf_conntrack_tcp.h)
>>>I am looking for? (And DCCP does not seem to have states.)
>>
>>SCTP states are defined in the .c file itself I think.
>
>
> Conntrack states are needed. For TCP this is TCP_CONNTRACK_TIME_WAIT.
> Hence I think all states that could possibly exist (as far as conntrack is
> concerned) are listed in netfilter/nf_conntrack_<proto>.h
Indeed, its in include/linux/netfilter/nf_conntrack_sctp.h.
I'm wondering why its looking at the states though, a conntrack
in TIME_WAIT state is still a conntrack.
>>>Sorry, what state?
>>>Each rule keeps its own list of known connections, yes :-/
>>
>>Thats the state. It will forget them every time you change _anything_
>>in the ruleset. On second though, I guess it doesn't matter because
>>the state can be entirely reconstructed at runtime?
>
>
> Yes there is a user-administrator race. For example,
> * host opens N connections (and hits the connlimit limit) and new
> connections are rejected
> * administrator reloads ip tables
> * now, the next N that are seen -- which may not even be the *original*
> connections -- are allowed, so the older ones could get magically
> disconnected.
That sucks a bit.
> And: a lot more netfilter matches might be affected by this. hashlimit
> comes to mind. I'd say this is an administrator issue and a justified
> sacrifice to take.
No, hashlimit looks up the state from a global list. It behaves
strangely when changing parameters without deleting the table
first though.
next prev parent reply other threads:[~2007-06-22 12:42 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-20 9:39 xt_connlimit 20070620_2 Jan Engelhardt
2007-06-20 17:21 ` Andrew Beverley
2007-06-22 11:14 ` Patrick McHardy
2007-06-22 11:36 ` Jan Engelhardt
2007-06-22 11:43 ` Patrick McHardy
2007-06-22 12:33 ` Jan Engelhardt
2007-06-22 12:42 ` Patrick McHardy [this message]
2007-06-22 13:22 ` Jan Engelhardt
2007-06-22 13:27 ` Patrick McHardy
2007-06-25 11:11 ` xt_connlimit 20070625 Jan Engelhardt
2007-06-25 11:41 ` Patrick McHardy
2007-06-25 11:45 ` Patrick McHardy
2007-06-25 12:36 ` Jan Engelhardt
2007-06-25 12:43 ` Patrick McHardy
2007-06-25 14:41 ` Jan Engelhardt
2007-06-25 14:46 ` Patrick McHardy
2007-06-25 15:01 ` Jan Engelhardt
2007-06-25 15:05 ` Patrick McHardy
2007-06-25 15:05 ` Patrick McHardy
2007-06-25 15:14 ` Jan Engelhardt
2007-06-28 19:23 ` Jan Engelhardt
2007-06-28 19:27 ` Patrick McHardy
2007-06-28 19:31 ` Jan Engelhardt
2007-06-28 19:33 ` Patrick McHardy
2007-06-28 19:48 ` Patrick McHardy
2007-06-28 19:51 ` xt_connlimit 20070628 Jan Engelhardt
2007-06-28 19:55 ` xt_connlimit 20070628 kernel Jan Engelhardt
2007-06-29 11:27 ` Patrick McHardy
2007-07-01 14:11 ` Jan Engelhardt
2007-07-02 12:27 ` Patrick McHardy
2007-07-02 15:38 ` Jan Engelhardt
2007-07-02 15:40 ` Patrick McHardy
2007-07-02 19:53 ` Jan Engelhardt
2007-07-03 11:14 ` Patrick McHardy
2007-07-03 11:31 ` Jan Engelhardt
2007-07-03 11:34 ` Patrick McHardy
2007-07-04 10:56 ` Jan Engelhardt
2007-07-04 14:52 ` Patrick McHardy
2007-07-04 15:11 ` Jan Engelhardt
2007-07-06 13:05 ` Patrick McHardy
2007-07-07 17:51 ` xt_connlimit 20070707 kernel Jan Engelhardt
2007-07-09 14:30 ` Patrick McHardy
2007-07-09 15:10 ` Jan Engelhardt
2007-07-09 15:20 ` Patrick McHardy
2007-07-09 15:29 ` Patrick McHardy
2007-07-09 15:32 ` Jan Engelhardt
2007-07-09 15:33 ` Patrick McHardy
2007-07-09 15:34 ` Patrick McHardy
2007-07-09 15:38 ` Jan Engelhardt
2007-07-09 15:43 ` Patrick McHardy
2007-07-13 14:18 ` Yasuyuki KOZAKAI
[not found] ` <200707131418.l6DEIudN010879@toshiba.co.jp>
2007-07-13 15:01 ` Jan Engelhardt
2007-07-13 15:03 ` Patrick McHardy
2007-07-13 15:13 ` Jan Engelhardt
2007-07-13 15:16 ` Patrick McHardy
2007-07-13 15:31 ` Jan Engelhardt
2007-07-13 15:42 ` Patrick McHardy
2007-07-13 16:08 ` Jan Engelhardt
2007-07-13 15:44 ` Yasuyuki KOZAKAI
[not found] ` <200707131544.l6DFivSf011446@toshiba.co.jp>
2007-07-13 16:09 ` Jan Engelhardt
2007-07-10 6:30 ` Yasuyuki KOZAKAI
2007-07-11 17:37 ` Jan Engelhardt
2007-07-11 18:04 ` Patrick McHardy
2007-07-11 18:18 ` Jan Engelhardt
2007-07-11 18:19 ` Jan Engelhardt
2007-07-11 18:25 ` Patrick McHardy
[not found] ` <200707100630.l6A6UBM1021597@toshiba.co.jp>
2007-07-11 13:23 ` Patrick McHardy
2007-07-04 8:55 ` xt_connlimit 20070628 kernel Yasuyuki KOZAKAI
2007-07-04 14:52 ` Patrick McHardy
2007-06-28 20:08 ` xt_connlimit 20070628 Jan Engelhardt
2007-06-25 18:51 ` xt_connlimit 20070620_2 Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=467BC39F.2030107@trash.net \
--to=kaber@trash.net \
--cc=andy@andybev.com \
--cc=jengelh@computergmbh.de \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.