From: Tim Gardner
Subject: Re: linux-next netfilter: xt_recent: Add an entry reaper
Date: Sun, 28 Feb 2010 15:42:18 -0700
Message-ID: <4B8AF14A.5030904@tpi.com>
References: <20100228033841.265CFF8BB0@sepang.rtg.net> <1267331677.9082.46.camel@edumazet-laptop>
Reply-To: timg@tpi.com
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: netfilter-devel-owner@vger.kernel.org
Content-Type: text/plain; charset="us-ascii"
To: Jan Engelhardt
Cc: Eric Dumazet, kaber@trash.net, coreteam@netfilter.org, netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org

Jan Engelhardt wrote:
> On Sunday 2010-02-28 05:34, Eric Dumazet wrote:
>>> One of the problems with the way xt_recent is implemented is that
>>> there is no efficient way to remove expired entries.
>
> Oh there is:
>
> echo "- 2001:db8::1" >/proc/net/xt_recent/foo
>
>> 2) All entries are flushed when
>> echo clear > /proc/net/xt_recent/
>
> echo "/" >/proc/net/xt_recent/foo
>
> it is.
>
>> 3) You could eventually implement a purge operation to remove all
>> expired entries at will
>>
>> echo purge > /proc/net/xt_recent/
>
> Entries do not expire (except "falling off" the LRU when it's full) -
> there is no counter that tells them when they expired.
> "--seconds" is just a match option, not something that defines
> the LRU's properties. And that's actually good, because that allows
> you to write
>
> -m recent --name foo --seconds 60 -j do that
>
> -m recent --name foo --seconds 3600 -j do something else
>
> If you purged "expired" entries after 60 secs, there would be nothing
> left for the 3600 one to check for.
>

I hadn't really considered your example as a valid use case. It seems to me that the second rule might also match even after the first rule matches, but it's also very dependent on how you've crafted your rule set.

rtg

--
Tim Gardner timg@tpi.com www.tpi.com
OR 503-601-0234 x102
MT 406-443-5357
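The table semantics Jan describes (entries that only record a last-seen time, LRU eviction when full, "--seconds" applied per rule) modelled in Python as an added example; this is not code from the thread or from the kernel's xt_recent, and the class, method names and the `purge_older_than` reaper are constructed to show why a purge keyed to the 60-second rule leaves nothing for the 3600-second rule to match.

```python
# Toy model of one /proc/net/xt_recent/<name> table (constructed for this
# example; not the kernel implementation). Two rules with different
# --seconds windows consult the same table, so a purge keyed to the shorter
# window starves the longer one.
from collections import OrderedDict

class RecentTable:
    def __init__(self, max_entries=100):
        self.max_entries = max_entries
        self.entries = OrderedDict()   # addr -> last_seen, LRU order (oldest first)

    def set(self, addr, now):
        """--set / --update: record the address; oldest entry falls off when full."""
        if addr in self.entries:
            self.entries.move_to_end(addr)
        self.entries[addr] = now
        if len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)   # LRU eviction, the only built-in "expiry"

    def rcheck(self, addr, now, seconds=None):
        """--rcheck [--seconds N]: match if present and, when N is given, seen within N seconds."""
        last = self.entries.get(addr)
        if last is None:
            return False
        return seconds is None or now - last <= seconds

    def proc_write(self, line):
        """Subset of the /proc control syntax quoted in the thread: '- addr' and '/'."""
        if line.strip() == "/":
            self.entries.clear()                      # flush whole table
        elif line.startswith("- "):
            self.entries.pop(line[2:].strip(), None)  # remove one address
        else:
            raise ValueError("unsupported control line: %r" % line)

    def purge_older_than(self, seconds, now):
        """The proposed reaper (hypothetical): drop entries not seen within `seconds`."""
        for addr in [a for a, t in self.entries.items() if now - t > seconds]:
            del self.entries[addr]

def demo():
    """Returns ((rule60, rule3600) before purge, (rule60, rule3600) after purge)."""
    t = RecentTable()
    t.set("2001:db8::1", now=0)
    before = (t.rcheck("2001:db8::1", 600, 60), t.rcheck("2001:db8::1", 600, 3600))
    t.purge_older_than(60, now=600)          # reaper keyed to the shorter rule
    after = (t.rcheck("2001:db8::1", 600, 60), t.rcheck("2001:db8::1", 600, 3600))
    return before, after
```

Before the purge only the 3600-second rule still matches the 600-second-old entry; after it, neither does, which is the loss Jan's message warns about.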