From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Netfilter Developer Mailing List
<netfilter-devel@lists.netfilter.org>,
Andrew Beverley <andy@andybev.com>
Subject: Re: xt_connlimit 20070620_2
Date: Fri, 22 Jun 2007 15:27:33 +0200 [thread overview]
Message-ID: <467BCE45.7010009@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.64.0706221516420.26568@fbirervta.pbzchgretzou.qr>
Jan Engelhardt wrote:
> On Jun 22 2007 14:42, Patrick McHardy wrote:
>
>>>Conntrack states are needed. For TCP this is TCP_CONNTRACK_TIME_WAIT.
>>>Hence I think all states that could possibly exist (as far as conntrack is
>>>concerned) are listed in netfilter/nf_conntrack_<proto>.h
>>
>>Indeed, its in include/linux/netfilter/nf_conntrack_sctp.h.
>>I'm wondering why its looking at the states though, a conntrack
>>in TIME_WAIT state is still a conntrack.
>
>
> The original author thought that a TIME_WAIT socket does not count
> towards the limit anymore (interpreting the code). Seems reasonable.
> Does SCTP does not have the concept of TIME_WAIT - does SCTP end
> with that is known in TCP land by "LAST_ACK"?
> If so, then all is well with SCTP and no extra state check if needed for SCTP.
I think the shutdown states correspond to TIME_WAIT/LAST_ACK.
>>>Yes there is a user-administrator race. For example,
>>> * host opens N connections (and hits the connlimit limit) and new
>>> connections are rejected
>>> * administrator reloads ip tables
>>> * now, the next N that are seen -- which may not even be the *original*
>>> connections -- are allowed, so the older ones could get magically
>>> disconnected.
>>
>>That sucks a bit.
>
>
> Well give me your stance on this. Do I have to change that now?
If you have a good idea how to fix that ..
next prev parent reply other threads:[~2007-06-22 13:27 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-20 9:39 xt_connlimit 20070620_2 Jan Engelhardt
2007-06-20 17:21 ` Andrew Beverley
2007-06-22 11:14 ` Patrick McHardy
2007-06-22 11:36 ` Jan Engelhardt
2007-06-22 11:43 ` Patrick McHardy
2007-06-22 12:33 ` Jan Engelhardt
2007-06-22 12:42 ` Patrick McHardy
2007-06-22 13:22 ` Jan Engelhardt
2007-06-22 13:27 ` Patrick McHardy [this message]
2007-06-25 11:11 ` xt_connlimit 20070625 Jan Engelhardt
2007-06-25 11:41 ` Patrick McHardy
2007-06-25 11:45 ` Patrick McHardy
2007-06-25 12:36 ` Jan Engelhardt
2007-06-25 12:43 ` Patrick McHardy
2007-06-25 14:41 ` Jan Engelhardt
2007-06-25 14:46 ` Patrick McHardy
2007-06-25 15:01 ` Jan Engelhardt
2007-06-25 15:05 ` Patrick McHardy
2007-06-25 15:05 ` Patrick McHardy
2007-06-25 15:14 ` Jan Engelhardt
2007-06-28 19:23 ` Jan Engelhardt
2007-06-28 19:27 ` Patrick McHardy
2007-06-28 19:31 ` Jan Engelhardt
2007-06-28 19:33 ` Patrick McHardy
2007-06-28 19:48 ` Patrick McHardy
2007-06-28 19:51 ` xt_connlimit 20070628 Jan Engelhardt
2007-06-28 19:55 ` xt_connlimit 20070628 kernel Jan Engelhardt
2007-06-29 11:27 ` Patrick McHardy
2007-07-01 14:11 ` Jan Engelhardt
2007-07-02 12:27 ` Patrick McHardy
2007-07-02 15:38 ` Jan Engelhardt
2007-07-02 15:40 ` Patrick McHardy
2007-07-02 19:53 ` Jan Engelhardt
2007-07-03 11:14 ` Patrick McHardy
2007-07-03 11:31 ` Jan Engelhardt
2007-07-03 11:34 ` Patrick McHardy
2007-07-04 10:56 ` Jan Engelhardt
2007-07-04 14:52 ` Patrick McHardy
2007-07-04 15:11 ` Jan Engelhardt
2007-07-06 13:05 ` Patrick McHardy
2007-07-07 17:51 ` xt_connlimit 20070707 kernel Jan Engelhardt
2007-07-09 14:30 ` Patrick McHardy
2007-07-09 15:10 ` Jan Engelhardt
2007-07-09 15:20 ` Patrick McHardy
2007-07-09 15:29 ` Patrick McHardy
2007-07-09 15:32 ` Jan Engelhardt
2007-07-09 15:33 ` Patrick McHardy
2007-07-09 15:34 ` Patrick McHardy
2007-07-09 15:38 ` Jan Engelhardt
2007-07-09 15:43 ` Patrick McHardy
2007-07-13 14:18 ` Yasuyuki KOZAKAI
[not found] ` <200707131418.l6DEIudN010879@toshiba.co.jp>
2007-07-13 15:01 ` Jan Engelhardt
2007-07-13 15:03 ` Patrick McHardy
2007-07-13 15:13 ` Jan Engelhardt
2007-07-13 15:16 ` Patrick McHardy
2007-07-13 15:31 ` Jan Engelhardt
2007-07-13 15:42 ` Patrick McHardy
2007-07-13 16:08 ` Jan Engelhardt
2007-07-13 15:44 ` Yasuyuki KOZAKAI
[not found] ` <200707131544.l6DFivSf011446@toshiba.co.jp>
2007-07-13 16:09 ` Jan Engelhardt
2007-07-10 6:30 ` Yasuyuki KOZAKAI
2007-07-11 17:37 ` Jan Engelhardt
2007-07-11 18:04 ` Patrick McHardy
2007-07-11 18:18 ` Jan Engelhardt
2007-07-11 18:19 ` Jan Engelhardt
2007-07-11 18:25 ` Patrick McHardy
[not found] ` <200707100630.l6A6UBM1021597@toshiba.co.jp>
2007-07-11 13:23 ` Patrick McHardy
2007-07-04 8:55 ` xt_connlimit 20070628 kernel Yasuyuki KOZAKAI
2007-07-04 14:52 ` Patrick McHardy
2007-06-28 20:08 ` xt_connlimit 20070628 Jan Engelhardt
2007-06-25 18:51 ` xt_connlimit 20070620_2 Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=467BCE45.7010009@trash.net \
--to=kaber@trash.net \
--cc=andy@andybev.com \
--cc=jengelh@computergmbh.de \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.