* Suggestion: "--match recent --set --life-span <secs>" to prevent table filling up @ 2009-03-09 22:48 Chris Hanson 2009-03-10 16:13 ` Jan Engelhardt 0 siblings, 1 reply; 5+ messages in thread From: Chris Hanson @ 2009-03-09 22:48 UTC (permalink / raw) To: netfilter-devel Hello, A suggestion for the match recent part of netfilter. Include a life_span field in the table. A host is removed from a table after it hasn't been seen for x seconds. I suggest this because of the number of botnet hosts that rapidly fill up the /proc/net/ipt_recent tables. Sometimes an attacking host is only seen once in a long probe/attack. Additional related suggestions: Perhaps just reuse the --seconds parameter on a --set. instead of adding a new parameter. Give the field a default value. (3600?) Have a module command line parameter for changing the default value. Use 0 for an infinite life_span. I apologize for not being able to submit code. I tried looking at the source and I soon realized that my coding skills are VERY rusty. I hope this sounds useful to you all. Keep up the good work. Chris Hanson ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Suggestion: "--match recent --set --life-span <secs>" to prevent table filling up 2009-03-09 22:48 Suggestion: "--match recent --set --life-span <secs>" to prevent table filling up Chris Hanson @ 2009-03-10 16:13 ` Jan Engelhardt [not found] ` <49B6BD2E.7010908@bluebottle.com> 0 siblings, 1 reply; 5+ messages in thread From: Jan Engelhardt @ 2009-03-10 16:13 UTC (permalink / raw) To: Chris Hanson; +Cc: netfilter-devel On Monday 2009-03-09 23:48, Chris Hanson wrote: > > A suggestion for the match recent part of netfilter. Include a > life_span field in the table. A host is removed from a table after > it hasn't been seen for x seconds. How does this differ from simply ignoring hosts recorded in the list whose last_seen time is greater than x -- apart from potential memory savings? ^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <49B6BD2E.7010908@bluebottle.com>]
* Re: Suggestion: "--match recent --set --life-span <secs>" to prevent table filling up [not found] ` <49B6BD2E.7010908@bluebottle.com> @ 2009-03-10 19:29 ` Jan Engelhardt 2009-03-10 20:10 ` Chris Hanson [not found] ` <200903102010.n2AKAf9t003525@mi0.bluebottle.com> 0 siblings, 2 replies; 5+ messages in thread From: Jan Engelhardt @ 2009-03-10 19:29 UTC (permalink / raw) To: Chris Hanson; +Cc: Netfilter Developer Mailing List (whew, don't strip Ccs!) On Tuesday 2009-03-10 20:19, Chris Hanson wrote: >> >>> A suggestion for the match recent part of netfilter. Include a >>> life_span field in the table. A host is removed from a table after >>> it hasn't been seen for x seconds. >> >> How does this differ from simply ignoring hosts recorded in the list >> whose last_seen time is greater than x -- apart from potential >> memory savings? > > I had the impression that the --set function behaved badly when the table > filled up. Well the “only” problem xt_recent has is that entries are thrown off the edge of the table when it fills up. It *should* do this in the style of an LRU. The only benefit of a premature removal due to life_span exceeding I can see is that you want to expire specific entries (i.e. matched by, like, -m moonphase) to specifically keep even older entries from falling off the LRU edge. Seems to be a big plan there.</thoughts> > I also believe that the "--rcheck ! --seconds x" check didn't work. > > I will investigate and report back. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Suggestion: "--match recent --set --life-span <secs>" to prevent table filling up 2009-03-10 19:29 ` Jan Engelhardt @ 2009-03-10 20:10 ` Chris Hanson [not found] ` <200903102010.n2AKAf9t003525@mi0.bluebottle.com> 1 sibling, 0 replies; 5+ messages in thread From: Chris Hanson @ 2009-03-10 20:10 UTC (permalink / raw) To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List Jan Engelhardt wrote: > (whew, don't strip Ccs!) > > On Tuesday 2009-03-10 20:19, Chris Hanson wrote: > >>> >>> >>>> A suggestion for the match recent part of netfilter. Include a >>>> life_span field in the table. A host is removed from a table after >>>> it hasn't been seen for x seconds. >>>> >>> How does this differ from simply ignoring hosts recorded in the list >>> whose last_seen time is greater than x -- apart from potential >>> memory savings? >>> >> I had the impression that the --set function behaved badly when the table >> filled up. >> > > Well the “only” problem xt_recent has is that entries are thrown off > the edge of the table when it fills up. It *should* do this in the > style of an LRU. The only benefit of a premature removal due to > life_span exceeding I can see is that you want to expire specific > entries (i.e. matched by, like, -m moonphase) to specifically keep > even older entries from falling off the LRU edge. > > Seems to be a big plan there.</thoughts> > > That is a big plan, and not worth the bother! I double checked the behavior of the table when full and it seemed to work just fine. I don't know why I thought it was broken. >> I also believe that the "--rcheck ! --seconds x" check didn't work. >> >> I will investigate and report back. >> I made a mistake in the syntax. It should be "! --rcheck --seconds x". So, in the end, all I have to complain about is that "--rcheck ! --seconds x" doesn't throw an error. It is accepted as if there was no "!". -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <200903102010.n2AKAf9t003525@mi0.bluebottle.com>]
* Re: Suggestion: "--match recent --set --life-span <secs>" to prevent table filling up [not found] ` <200903102010.n2AKAf9t003525@mi0.bluebottle.com> @ 2009-03-10 20:43 ` Jan Engelhardt 0 siblings, 0 replies; 5+ messages in thread From: Jan Engelhardt @ 2009-03-10 20:43 UTC (permalink / raw) To: Chris Hanson; +Cc: Netfilter Developer Mailing List On Tuesday 2009-03-10 21:10, Chris Hanson wrote: >>> I also believe that the "--rcheck ! --seconds x" check didn't work. >>> >>> I will investigate and report back. >>> > I made a mistake in the syntax. It should be "! --rcheck --seconds x". > > So, in the end, all I have to complain about is that "--rcheck ! --seconds x" > doesn't throw an error. It is accepted as if there was no "!". > That might be. Some modules have missing "! not allowed here" checks and just ignore it without warning about it, but Patrick has put me on hold (it seems like an infinity) with regard to new patches :-/ :-p ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2009-03-10 20:43 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-03-09 22:48 Suggestion: "--match recent --set --life-span <secs>" to prevent table filling up Chris Hanson
2009-03-10 16:13 ` Jan Engelhardt
[not found] ` <49B6BD2E.7010908@bluebottle.com>
2009-03-10 19:29 ` Jan Engelhardt
2009-03-10 20:10 ` Chris Hanson
[not found] ` <200903102010.n2AKAf9t003525@mi0.bluebottle.com>
2009-03-10 20:43 ` Jan Engelhardt
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.