Linux Netfilter discussions
From: Dzianis Kahanovich <mahatma@bspu.unibel.by>
To: netfilter@vger.kernel.org
Subject: connlimit timeout average (was: Re: Patch-o-matic+iptables+kernel, which versions fits together?)
Date: Thu, 07 Feb 2008 19:44:56 -0200	[thread overview]
Message-ID: <47AB7BD8.8040103@bspu.unibel.by> (raw)
In-Reply-To: <47AB6847.4000405@bspu.unibel.by>

[-- Attachment #1: Type: text/plain, Size: 812 bytes --]

Something like this (average (TOO average) timeout, untested!)

Dzianis Kahanovich wrote:

>> i would like to use connlimit module, but i don't know which version 
>> of patch-o-matic should i use on which version of kernel and iptables. 
>> Could someone help me?
>> Thanks a lot

> Latest kernel & iptables. Connlimit now inside of kernel.

> PS But I lazily think about a patch of connlimit to bound timeout. While 
> users are using keep-alive connections there is too abstract a 
> classification (I use slowdown for "abusers"). IMHO it is easy (in entry 
> listing add one "if" with the existing "timeout" field), but I use a proxy too 
> and the first timeout is needed for the proxy, so I do not do anything for now: I do 
> not know how to do it in squid).
> 


-- 
WBR,
Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by

[-- Attachment #2: connlimit-timeout.diff --]
[-- Type: text/plain, Size: 1451 bytes --]

--- a/net/netfilter/xt_connlimit.c	2007-10-09 23:31:38.000000000 +0300
+++ b/net/netfilter/xt_connlimit.c	2008-02-07 19:23:20.000000000 +0200
@@ -28,6 +28,8 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
 
+int connlimit_timeout = 10*60*HZ; /* 10 sec */
+
 /* we will save the tuples of all connections we care about */
 struct xt_connlimit_conn {
 	struct list_head list;
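Review bot: the comment on the added `connlimit_timeout` line contradicts its value: `10*60*HZ` is 10 minutes expressed in jiffies, not "10 sec". Either the constant or the comment is wrong; pick one and fix the other. The variable is also a non-static global with no `module_param`, so it is exported to the rest of the kernel namespace but still not tunable at load time; make it `static` at minimum, or expose it as a module parameter (or, better, a per-rule match option) so the window can be set without recompiling.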
@@ -103,7 +105,8 @@ static int count_them(struct xt_connlimi
 		      const struct nf_conntrack_tuple *tuple,
 		      const union nf_conntrack_address *addr,
 		      const union nf_conntrack_address *mask,
-		      const struct xt_match *match)
+		      const struct xt_match *match,
+		      const unsigned long timeout)
 {
 	struct nf_conntrack_tuple_hash *found;
 	struct xt_connlimit_conn *conn;
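Review bot: the new `timeout` parameter of count_them() is misnamed: the caller passes `ct->timeout.expires`, an absolute jiffies instant, not a duration, while `connlimit_timeout` (the thing it is later compared against) is a duration. Name it `expires` so the two are not confused. `const` on a by-value scalar argument is also out of step with the rest of the prototype, where `const` qualifies pointed-to data.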
@@ -130,6 +133,7 @@ static int count_them(struct xt_connlimi
 			found_ct = nf_ct_tuplehash_to_ctrack(found);
 
 		if (found_ct != NULL &&
+		    abs(found_ct->timeout.expires-timeout)<connlimit_timeout &&
 		    nf_ct_tuple_equal(&conn->tuple, tuple) &&
 		    !already_closed(found_ct))
 			/*
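Review bot: the added condition `abs(found_ct->timeout.expires-timeout)<connlimit_timeout` is neither wrap-safe nor sign-correct. Both operands are `unsigned long` jiffies, so the subtraction never yields a negative value, and the kernel's abs() macro of this era evaluates its argument as `int`, which truncates the high bits of the unsigned long difference on 64-bit. Compute the signed distance explicitly and compare both directions, e.g. `long d = (long)(found_ct->timeout.expires - timeout);` followed by `d > -connlimit_timeout && d < connlimit_timeout`, or use the time_before()/time_after() helpers against `timeout +/- connlimit_timeout`. Separately, `timeout.expires` is set from each entry's state-dependent conntrack timeout, so the gap between two expiry instants reflects the states the two connections are in rather than how long ago they were opened; as the cover note concedes, this makes the "average" very coarse.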
@@ -210,7 +214,7 @@ static bool connlimit_match(const struct
 	}
 
 	spin_lock_bh(&info->data->lock);
-	connections = count_them(info->data, tuple_ptr, &addr, &mask, match);
+	connections = count_them(info->data, tuple_ptr, &addr, &mask, match, ct->timeout.expires);
 	spin_unlock_bh(&info->data->lock);
 
 	if (connections < 0) {
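Review bot: the call site hands count_them() the expiry instant of the packet's own conntrack entry, so the window is measured relative to whatever state that entry is in when the rule is evaluated; for the common --syn usage the entry is brand new, and existing entries in other states may fall outside the window and simply not be counted, which loosens the limit instead of tightening it. Consider passing the current jiffies (or an explicit reference instant) rather than `ct->timeout.expires`. Also, the rewritten line is well over 80 columns; wrap the argument list as the original did.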


Thread overview: 6+ messages
2008-02-05 15:57 Patch-o-matic+iptables+kernel, which versions fits together? lokiji lokiji
2008-02-07 16:03 ` Eric Estes
2008-02-07 20:21 ` Dzianis Kahanovich
2008-02-07 19:02   ` Eric Estes
2008-02-07 21:44   ` Dzianis Kahanovich [this message]
2008-02-07 21:55     ` connlimit timeout average Dzianis Kahanovich
