From: Josh Hunt <johunt@akamai.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>,
Patrick McHardy <kaber@trash.net>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
"netfilter-devel@vger.kernel.org"
<netfilter-devel@vger.kernel.org>,
"coreteam@netfilter.org" <coreteam@netfilter.org>,
Harald Welte <laforge@netfilter.org>,
Jan Engelhardt <jengelh@medozas.de>
Subject: Re: [PATCH] netfilter: xt_hashlimit: handle iptables-restore of hash with same name
Date: Tue, 22 Jul 2014 15:49:58 -0500 [thread overview]
Message-ID: <53CECE76.2070200@akamai.com> (raw)
In-Reply-To: <1406004850-31336-1-git-send-email-johunt@akamai.com>
On 07/21/2014 11:54 PM, Josh Hunt wrote:
> Below is a first pass attempt at fixing a problem we've come across when
> trying to do an iptables-restore where the hashlimit name stays the same, but
> one of the hashlimit parameters changes but does not take affect.
>
> For ex, if you have an existing hashlimit rule, do an iptables-save, change the
> rate for that rule, and then do an iptables-restore the new rate will not be
> enforced.
>
> This appears to be due to a problem where hashlimit only checks for existing
> hashes by name and family and does not consider any of the other config
> parameters.
>
> I've attempted to fix this by having it check for all hashlimit config params,
> this way it doesn't accidentally match just on name. This brought up an issue
> of having to make hashlimit aware of how many references there are to its
> proc entry.
>
> I'm not submitting this for inclusion yet, but for feedback. Mainly on the approach
> and if there's possibly a better way of resolving this problem. My handling of
> the proc "problem" is pretty messy right now and possibly incomplete, but the
> patch below allows the case I described above to pass now. I hope to clean up
> the proc handling in a v2.
I just realized that what I'm doing with the proc stuff isn't going to
work, but feedback on the other portion is still appreciated.
Thanks
Josh
next prev parent reply other threads:[~2014-07-22 20:55 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-22 4:54 [PATCH] netfilter: xt_hashlimit: handle iptables-restore of hash with same name Josh Hunt
2014-07-22 20:49 ` Josh Hunt [this message]
2014-07-24 8:49 ` Florian Westphal
2014-07-24 10:53 ` Patrick McHardy
2014-07-24 11:48 ` Florian Westphal
2014-07-25 16:57 ` Josh Hunt
2014-08-14 14:09 ` Holger Eitzenberger
2014-08-15 3:58 ` Jan Engelhardt
2014-08-15 7:24 ` Holger Eitzenberger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53CECE76.2070200@akamai.com \
--to=johunt@akamai.com \
--cc=coreteam@netfilter.org \
--cc=jengelh@medozas.de \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=laforge@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).