Linux Netfilter discussions
* Patch-o-matic+iptables+kernel, which versions fits together?
@ 2008-02-05 15:57 lokiji lokiji
  2008-02-07 16:03 ` Eric Estes
  2008-02-07 20:21 ` Dzianis Kahanovich
  0 siblings, 2 replies; 6+ messages in thread
From: lokiji lokiji @ 2008-02-05 15:57 UTC (permalink / raw)
  To: netfilter

Hello,
I would like to use the connlimit module, but I don't know which version of patch-o-matic I should use with which versions of the kernel and iptables. Could someone help me?
Thanks a lot


* RE: Patch-o-matic+iptables+kernel, which versions fits together?
  2008-02-05 15:57 Patch-o-matic+iptables+kernel, which versions fits together? lokiji lokiji
@ 2008-02-07 16:03 ` Eric Estes
  2008-02-07 20:21 ` Dzianis Kahanovich
  1 sibling, 0 replies; 6+ messages in thread
From: Eric Estes @ 2008-02-07 16:03 UTC (permalink / raw)
  To: netfilter



> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-
> owner@vger.kernel.org] On Behalf Of lokiji lokiji
> Sent: Tuesday, February 05, 2008 10:57 AM
> To: netfilter@vger.kernel.org
> Subject: Patch-o-matic+iptables+kernel, which versions fits together?
> 
> Hello,
> I would like to use the connlimit module, but I don't know which version
> of patch-o-matic I should use with which versions of the kernel and
> iptables. Could someone help me?
> Thanks a lot
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


I would like to know this myself. I've tried multiple combinations and
every time I try to recompile the kernel it dies on connlimit.


* RE: Patch-o-matic+iptables+kernel, which versions fits together?
  2008-02-07 20:21 ` Dzianis Kahanovich
@ 2008-02-07 19:02   ` Eric Estes
  2008-02-07 21:44   ` connlimit timeout average (was: Re: Patch-o-matic+iptables+kernel, which versions fits together?) Dzianis Kahanovich
  1 sibling, 0 replies; 6+ messages in thread
From: Eric Estes @ 2008-02-07 19:02 UTC (permalink / raw)
  To: netfilter

> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-
> owner@vger.kernel.org] On Behalf Of Dzianis Kahanovich
> Sent: Thursday, February 07, 2008 3:21 PM
> To: netfilter@vger.kernel.org
> Subject: Re: Patch-o-matic+iptables+kernel, which versions fits
together?
> 
> lokiji lokiji wrote:
> 
> > I would like to use the connlimit module, but I don't know which version
> > of patch-o-matic I should use with which versions of the kernel and
> > iptables. Could someone help me?
> > Thanks a lot
> > -
> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >
> >
> 
> Latest kernel & iptables. Connlimit is now inside the kernel.
> 
> PS: I have been lazily thinking about a patch to connlimit to bound the
> timeout. While users use keep-alive connections, the classification is too
> abstract (I use it to slow down "abusers"). IMHO it is easy (in the entry
> listing, add one "if" using the existing "timeout" field), but I use a
> proxy too and the first timeout is needed for the proxy, so I have done
> nothing so far - I do not know how to do it in squid.
> 
> --
> WBR,
> Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


So are you saying I don't have to recompile either of them or just
recompile iptables after patching it?


* Re: Patch-o-matic+iptables+kernel, which versions fits together?
  2008-02-05 15:57 Patch-o-matic+iptables+kernel, which versions fits together? lokiji lokiji
  2008-02-07 16:03 ` Eric Estes
@ 2008-02-07 20:21 ` Dzianis Kahanovich
  2008-02-07 19:02   ` Eric Estes
  2008-02-07 21:44   ` connlimit timeout average (was: Re: Patch-o-matic+iptables+kernel, which versions fits together?) Dzianis Kahanovich
  1 sibling, 2 replies; 6+ messages in thread
From: Dzianis Kahanovich @ 2008-02-07 20:21 UTC (permalink / raw)
  To: netfilter

lokiji lokiji wrote:

> I would like to use the connlimit module, but I don't know which version of patch-o-matic I should use with which versions of the kernel and iptables. Could someone help me?
> Thanks a lot
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 

Latest kernel & iptables. Connlimit is now inside the kernel.

PS: I have been lazily thinking about a patch to connlimit to bound the 
timeout. While users use keep-alive connections, the classification is too 
abstract (I use it to slow down "abusers"). IMHO it is easy (in the entry 
listing, add one "if" using the existing "timeout" field), but I use a proxy 
too and the first timeout is needed for the proxy, so I have done nothing so 
far - I do not know how to do it in squid.

-- 
WBR,
Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by

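A check a practitioner would want after the answer above, before reaching for patch-o-matic at all: confirm whether the running kernel and the installed iptables already provide the connlimit match. The script below is an added example written for this page, not code from the thread or from the netfilter project. It assumes two things, labelled as assumptions in the comments: that /proc/net/ip_tables_matches lists the xtables matches currently registered with the kernel (one name per line, and a module such as xt_connlimit only appears once loaded), and that "iptables -m connlimit -h" prints the "--connlimit-above" option when the userspace extension is installed.

```sh
#!/bin/sh
# Added example, not code from the thread: decide whether the connlimit
# match is already available from kernel + iptables on this box, or
# whether it would still need patch-o-matic.
#
# Assumptions: /proc/net/ip_tables_matches lists registered xtables
# matches one per line; "iptables -m connlimit -h" mentions
# "--connlimit-above" when libxt_connlimit is installed. A modular
# xt_connlimit registers only after loading, so the live check tries
# modprobe first (harmless if the match is built in or absent).

# Pure decision function so the logic can be run on captured text.
# $1: contents of /proc/net/ip_tables_matches
# $2: output of "iptables -m connlimit -h 2>&1"
# Prints one of: in-kernel | kernel-only | iptables-only | missing
connlimit_status() {
    kernel_ok=0
    ipt_ok=0
    printf '%s\n' "$1" | grep -qx 'connlimit' && kernel_ok=1
    printf '%s\n' "$2" | grep -q -- '--connlimit-above' && ipt_ok=1
    case "${kernel_ok}${ipt_ok}" in
        11) echo in-kernel ;;      # nothing to patch
        10) echo kernel-only ;;    # kernel has it, iptables userspace lacks it
        01) echo iptables-only ;;  # iptables knows the match, kernel does not
        *)  echo missing ;;
    esac
}

# Live check on the current machine; skipped where the inputs are absent.
if [ -r /proc/net/ip_tables_matches ]; then
    if command -v modprobe >/dev/null 2>&1; then
        modprobe xt_connlimit 2>/dev/null || true
    fi
    matches=$(cat /proc/net/ip_tables_matches)
    ipt_help=""
    if command -v iptables >/dev/null 2>&1; then
        ipt_help=$(iptables -m connlimit -h 2>&1) || true
    fi
    echo "connlimit: $(connlimit_status "$matches" "$ipt_help")"
fi
```

"kernel-only" means the kernel side is fine and only the iptables userspace is too old; "iptables-only" means the reverse, which is the combination that makes a rule insertion fail even though iptables accepts the syntax.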

* connlimit timeout average (was: Re: Patch-o-matic+iptables+kernel, which versions fits together?)
  2008-02-07 20:21 ` Dzianis Kahanovich
  2008-02-07 19:02   ` Eric Estes
@ 2008-02-07 21:44   ` Dzianis Kahanovich
  2008-02-07 21:55     ` connlimit timeout average Dzianis Kahanovich
  1 sibling, 1 reply; 6+ messages in thread
From: Dzianis Kahanovich @ 2008-02-07 21:44 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 812 bytes --]

Something like this (average (TOO average) timeout, untested!)

Dzianis Kahanovich wrote:

>> I would like to use the connlimit module, but I don't know which version 
>> of patch-o-matic I should use with which versions of the kernel and 
>> iptables. Could someone help me?
>> Thanks a lot

> Latest kernel & iptables. Connlimit is now inside the kernel.

> PS: I have been lazily thinking about a patch to connlimit to bound the 
> timeout. While users use keep-alive connections, the classification is 
> too abstract (I use it to slow down "abusers"). IMHO it is easy (in the 
> entry listing, add one "if" using the existing "timeout" field), but I 
> use a proxy too and the first timeout is needed for the proxy, so I have 
> done nothing so far - I do not know how to do it in squid.
> 


-- 
WBR,
Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by

[-- Attachment #2: connlimit-timeout.diff --]
[-- Type: text/plain, Size: 1451 bytes --]

--- a/net/netfilter/xt_connlimit.c	2007-10-09 23:31:38.000000000 +0300
+++ b/net/netfilter/xt_connlimit.c	2008-02-07 19:23:20.000000000 +0200
@@ -28,6 +28,8 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
 
+int connlimit_timeout = 10*60*HZ; /* 10 sec */
+
 /* we will save the tuples of all connections we care about */
 struct xt_connlimit_conn {
 	struct list_head list;
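Review bot: the comment on `+int connlimit_timeout = 10*60*HZ; /* 10 sec */` contradicts the value, which is 10 minutes in jiffies (10*HZ would be 10 seconds), and the variable is a non-static global that can only be changed by rebuilding the module. Make it `static`, type it `unsigned long` so it matches the jiffies field it is later compared against, and expose it via `module_param()` or, better, as a per-rule option rather than one module-wide constant.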
@@ -103,7 +105,8 @@ static int count_them(struct xt_connlimi
 		      const struct nf_conntrack_tuple *tuple,
 		      const union nf_conntrack_address *addr,
 		      const union nf_conntrack_address *mask,
-		      const struct xt_match *match)
+		      const struct xt_match *match,
+		      const unsigned long timeout)
 {
 	struct nf_conntrack_tuple_hash *found;
 	struct xt_connlimit_conn *conn;
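Review bot: the new `const unsigned long timeout` parameter is misnamed: the caller passes `ct->timeout.expires`, an absolute jiffies expiry of the connection being matched, not a duration, so the name suggests the wrong comparison. Rename it (e.g. `expires`) and add a one-line comment on `count_them()` stating that only connections whose expiry lies within `connlimit_timeout` of the current one are counted; if `count_them()` has any caller other than the one updated below, the changed prototype will break the build.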
@@ -130,6 +133,7 @@ static int count_them(struct xt_connlimi
 			found_ct = nf_ct_tuplehash_to_ctrack(found);
 
 		if (found_ct != NULL &&
+		    abs(found_ct->timeout.expires-timeout)<connlimit_timeout &&
 		    nf_ct_tuple_equal(&conn->tuple, tuple) &&
 		    !already_closed(found_ct))
 			/*
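Review bot: `abs(found_ct->timeout.expires-timeout)<connlimit_timeout` is unsafe for jiffies arithmetic: both operands are `unsigned long`, so the subtraction wraps to a huge value whenever `timeout` is the larger one, and `abs()` takes an `int`, truncating the result on 64-bit platforms. Use a signed difference, `long d = (long)(found_ct->timeout.expires - timeout);` and test `d < connlimit_timeout && d > -connlimit_timeout`, or the `time_before()`/`time_after()` helpers. Separately, expiry is not age: a conntrack entry's `timeout.expires` depends on its protocol state, so two connections opened at the same moment can differ by far more than 10 minutes, and every connection this test excludes is one the limit no longer counts, which loosens `--connlimit-above` rather than tightening it.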
@@ -210,7 +214,7 @@ static bool connlimit_match(const struct
 	}
 
 	spin_lock_bh(&info->data->lock);
-	connections = count_them(info->data, tuple_ptr, &addr, &mask, match);
+	connections = count_them(info->data, tuple_ptr, &addr, &mask, match, ct->timeout.expires);
 	spin_unlock_bh(&info->data->lock);
 
 	if (connections < 0) {
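Review bot: the call `connections = count_them(info->data, tuple_ptr, &addr, &mask, match, ct->timeout.expires);` runs well past 80 columns and passes the raw expiry of the current packet's conntrack as an anonymous argument; wrap the line and, if the per-connection window is kept, compute it once here under a named `unsigned long expires` so the reader of `connlimit_match()` can see what reference point the count is relative to.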


* Re: connlimit timeout average
  2008-02-07 21:44   ` connlimit timeout average (was: Re: Patch-o-matic+iptables+kernel, which versions fits together?) Dzianis Kahanovich
@ 2008-02-07 21:55     ` Dzianis Kahanovich
  0 siblings, 0 replies; 6+ messages in thread
From: Dzianis Kahanovich @ 2008-02-07 21:55 UTC (permalink / raw)
  To: netfilter

Dzianis Kahanovich wrote:
> Something like this (average (TOO average) timeout, untested!)
   ^^^^^^^^^
Sorry, "10*60*HZ" = 10 min ;)). 10*HZ = 10 sec.


> 
> Dzianis Kahanovich wrote:
> 
>>> I would like to use the connlimit module, but I don't know which version 
>>> of patch-o-matic I should use with which versions of the kernel and 
>>> iptables. Could someone help me?
>>> Thanks a lot
> 
>> Latest kernel & iptables. Connlimit is now inside the kernel.
> 
>> PS: I have been lazily thinking about a patch to connlimit to bound the 
>> timeout. While users use keep-alive connections, the classification is 
>> too abstract (I use it to slow down "abusers"). IMHO it is easy (in the 
>> entry listing, add one "if" using the existing "timeout" field), but I 
>> use a proxy too and the first timeout is needed for the proxy, so I have 
>> done nothing so far - I do not know how to do it in squid.
>>
> 
> 


-- 
WBR,
Denis Kaganovich,  mahatma@eu.by  http://mahatma.bspu.unibel.by


end of thread, other threads:[~2008-02-07 21:55 UTC | newest]

2008-02-05 15:57 Patch-o-matic+iptables+kernel, which versions fits together? lokiji lokiji
2008-02-07 16:03 ` Eric Estes
2008-02-07 20:21 ` Dzianis Kahanovich
2008-02-07 19:02   ` Eric Estes
2008-02-07 21:44   ` connlimit timeout average (was: Re: Patch-o-matic+iptables+kernel, which versions fits together?) Dzianis Kahanovich
2008-02-07 21:55     ` connlimit timeout average Dzianis Kahanovich
