* Query:  the limit module stateless or stateful?
@ 2010-02-24 10:57 William Fitzgerald
  2010-02-24 12:06 ` Mart Frauenlob
  0 siblings, 1 reply; 3+ messages in thread
From: William Fitzgerald @ 2010-02-24 10:57 UTC (permalink / raw)
  To: Mail List - Netfilter

Dear Experts,

Would one regard the limit module as being stateful or stateless?

My gut feeling is to say that it is stateless.

I presume while it maintains some (simple) state information, it has no
semantic context of previous packets. Rather it only refers to packet
counter statistics which the limit module maintains or can query.
Therefore, regardless of previously accepted traffic, if there are more
connections than deemed acceptable, then even legitimate reconnections
are also blocked/logged.

Under this assumption, I would classify the limit module as stateless.
Comments?

The reason I ask is that I'd like to classify/categorise various
iptables filter capabilities. Rather than defining just stateless (for
example, TCP match), stateful (for example, state match),
application-layer (l7-filter) and extension (for example, limit match)
filter capabilities, various matches may be a member of more than one
category. For example, l7-filter could be considered as both stateful
and application-layer, in that it operates at layer 7 and it maintains
state of previous packets in a buffer in order to discover if a set of
packets describe a particular traffic flow. l7-filter could also be
considered an extension ;-)

regards,
Will.


* Re: Query:  the limit module stateless or stateful?
  2010-02-24 10:57 Query: the limit module stateless or stateful? William Fitzgerald
@ 2010-02-24 12:06 ` Mart Frauenlob
  2010-02-24 12:28   ` William Fitzgerald
  0 siblings, 1 reply; 3+ messages in thread
From: Mart Frauenlob @ 2010-02-24 12:06 UTC (permalink / raw)
  Cc: wfitzgerald, netfilter

On 24.02.2010 12:30, netfilter-owner@vger.kernel.org wrote:
> Dear Experts,
> 
> Would one regard the limit module as being stateful or stateless?
> 
> My gut feeling is to say that it is stateless.
> 
> I presume while it maintains some (simple) state information, it has no
> semantic context of previous packets. Rather it only refers to packet
> counter statistics which the limit module maintains or can query.
> Therefore, regardless of previously accepted traffic, if there are more
> connections than deemed acceptable, then even legitimate reconnections
> are also blocked/logged.
> 
> Under this assumption, I would classify the limit module as stateless.
> Comments?

The limit extension operates on packets; it does not know/care about
connections.
-A CHAIN -m state --state NEW -m limit --limit 3/s -j ACCEPT
would allow 3 state NEW packets/second.

> 
> The reason I ask is that I'd like to classify/categorise various
> iptables filter capabilities. Rather than defining just stateless (for
> example, TCP match), stateful (for example, state match),
> application-layer (l7-filter) and extension (for example, limit match)
> filter capabilities, various matches may be a member of more than one
> category. For example, l7-filter could be considered as both stateful
> and application-layer, in that it operates at layer 7 and it maintains
> state of previous packets in a buffer in order to discover if a set of
> packets describe a particular traffic flow. l7-filter could also be
> considered an extension ;-)

Best regards

Mart
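
A small Python model of the rule Mart gives, added here as an illustration (it is not code from this thread or from netfilter): a token bucket refilled at the --limit rate and capped at --limit-burst tokens (iptables defaults the burst to 5), consulted only for packets the state match has already passed as NEW. The packet stream, timestamps and connection labels are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t: float     # arrival time in seconds (constructed sample values)
    conn: str    # connection label; the limit match never looks at it
    state: str   # what '-m state' would report for this packet

class LimitMatch:
    """Token-bucket model of '-m limit --limit <rate> --limit-burst <burst>':
    starts full, refills at `rate` tokens/s, caps at `burst`, and a packet
    matches only while a whole token is available."""

    def __init__(self, rate: float, burst: int = 5):  # 5 is iptables' default burst
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def match(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def run_rule(packets, rate=3.0, burst=5):
    """Evaluate '-m state --state NEW -m limit --limit 3/s -j ACCEPT' over a
    packet list and return (conn, verdict) per packet. Matches run left to
    right, so a non-NEW packet never reaches the limit and spends no token."""
    lim = LimitMatch(rate, burst)
    verdicts = []
    for p in packets:
        if p.state == "NEW" and lim.match(p.t):
            verdicts.append((p.conn, "ACCEPT"))
        else:
            verdicts.append((p.conn, "no match"))  # falls through to later rules
    return verdicts

# Constructed sample: six SYNs at once, a packet of an already accepted flow,
# then further new connections spaced out so the bucket partly refills.
SAMPLE = [Packet(0.0, f"c{i}", "NEW") for i in range(1, 7)] + [
    Packet(0.05, "c1", "ESTABLISHED"),
    Packet(0.10, "c7", "NEW"),   # only 0.3 token refilled: still blocked
    Packet(0.50, "c8", "NEW"),   # 1.5 tokens by now: accepted
    Packet(2.50, "c9", "NEW"),   # bucket back at its cap of 5
]

def sample_run():
    return run_rule(SAMPLE)
```

The ESTABLISHED packet from c1 neither matches nor spends a token, which is the whole reason the state match sits in front of the limit match in Mart's rule.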


* Re: Query:  the limit module stateless or stateful?
  2010-02-24 12:06 ` Mart Frauenlob
@ 2010-02-24 12:28   ` William Fitzgerald
  0 siblings, 0 replies; 3+ messages in thread
From: William Fitzgerald @ 2010-02-24 12:28 UTC (permalink / raw)
  To: netfilter

Hi Mart,

Mart Frauenlob wrote:
> On 24.02.2010 12:30, netfilter-owner@vger.kernel.org wrote:
>> Dear Experts,
>>
>> Would one regard the limit module as being stateful or stateless?
>>
>> My gut feeling is to say that it is stateless.
>>
>> I presume while it maintains some (simple) state information, it has no
>> semantic context of previous packets. Rather it only refers to packet
>> counter statistics which the limit module maintains or can query.
>> Therefore, regardless of previously accepted traffic, if there are more
>> connections than deemed acceptable, then even legitimate reconnections
>> are also blocked/logged.
>>
>> Under this assumption, I would classify the limit module as stateless.
>> Comments?
> 
> The limit extension operates on packets; it does not know/care about
> connections.

Exactly my thoughts. I wasn't sure of the limit module's internal
workings and how it inspected/examined packets (packet count or
otherwise). Thanks for clearing that up.

> -A CHAIN -m state --state NEW -m limit --limit 3/s -j ACCEPT
> would allow 3 state NEW packets/second.
> 
>> The reason I ask is that I'd like to classify/categorise various
>> iptables filter capabilities. Rather than defining just stateless (for
>> example, TCP match), stateful (for example, state match),
>> application-layer (l7-filter) and extension (for example, limit match)
>> filter capabilities, various matches may be a member of more than one
>> category. For example, l7-filter could be considered as both stateful
>> and application-layer, in that it operates at layer 7 and it maintains
>> state of previous packets in a buffer in order to discover if a set of
>> packets describe a particular traffic flow. l7-filter could also be
>> considered an extension ;-)
> 
> Best regards
> 
> Mart

regards,
Will.
