From: Patrick McHardy
Subject: Re: xt_connlimit 20070628 kernel
Date: Tue, 03 Jul 2007 13:34:30 +0200
Message-ID: <468A3446.9050505@trash.net>
References: <467BAF07.6020502@trash.net> <467FA9CE.8000805@trash.net> <46840B9F.7080803@trash.net> <468410A9.70309@trash.net> <4684ECB5.9070402@trash.net> <4688EF45.7020200@trash.net> <46891C50.1020904@trash.net> <468A2F91.3040002@trash.net>
To: Jan Engelhardt
Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Jul 3 2007 13:14, Patrick McHardy wrote:
>
>>>> Connections are identified by their tuples, you can derive them
>>>> yourself and do a lookup based on that.
>>>
>>> connlimit uses nf_ct_get(skb,...)->tuplehash[0].tuple to get at the
>>> tuple. nf_ct_get() can fail.
>>> How else should I derive it?
>>
>> Use the conntrack tuple if one is available, otherwise use
>> nf_ct_get_tuple().
>
>
> So you are saying I should use...
>
> nf_ct_get_tuple(skb, 0, 0, match->family, match->proto, &tuple,
>                 what_l3, what_l4);
>
> at the top of count_them() and get rid of the nf_ct_get() in connlimit_match?

You could do both: if the tuple is already derived there is no need to
repeat that work. Manually deriving it as a fallback would allow the match
to be used in the raw table.