* Patch-o-matic+iptables+kernel, which versions fits together?
From: lokiji lokiji @ 2008-02-05 15:57 UTC
To: netfilter

Hello,
I would like to use the connlimit module, but I don't know which version of patch-o-matic I should use on which version of kernel and iptables. Could someone help me?
Thanks a lot
* RE: Patch-o-matic+iptables+kernel, which versions fits together?
From: Eric Estes @ 2008-02-07 16:03 UTC
To: netfilter

> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of lokiji lokiji
> Sent: Tuesday, February 05, 2008 10:57 AM
> To: netfilter@vger.kernel.org
> Subject: Patch-o-matic+iptables+kernel, which versions fits together?
>
> Hello,
> i would like to use connlimit module, but i don't know which version of
> patch-o-matic should i use on which version of kernel and iptables. Could
> someone help me?
> Thanks a lot

I would like to know this myself. I've tried multiple combinations and every time I try to recompile the kernel it dies on connlimit.
* Re: Patch-o-matic+iptables+kernel, which versions fits together?
From: Dzianis Kahanovich @ 2008-02-07 20:21 UTC
To: netfilter

lokiji lokiji wrote:
> i would like to use connlimit module, but i don't know which version of patch-o-matic should i use on which version of kernel and iptables. Could someone help me?
> Thanks a lot

Latest kernel & iptables. Connlimit is now inside the kernel.

PS But I am lazily thinking about a patch of connlimit to bound the timeout. While users are using keep-alive connections, the classification is too abstract (I slow down "abusers"). IMHO it is easy (in the entry listing add one "if" with the existing "timeout" field), but I use a proxy too and the first timeout is needed for the proxy, so for now I do nothing - I do not know how to do it in squid.

-- 
WBR,
Denis Kaganovich, mahatma@eu.by http://mahatma.bspu.unibel.by
* RE: Patch-o-matic+iptables+kernel, which versions fits together?
From: Eric Estes @ 2008-02-07 19:02 UTC
To: netfilter

> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Dzianis Kahanovich
> Sent: Thursday, February 07, 2008 3:21 PM
> To: netfilter@vger.kernel.org
> Subject: Re: Patch-o-matic+iptables+kernel, which versions fits together?
>
> lokiji lokiji wrote:
>
> > i would like to use connlimit module, but i don't know which version of
> > patch-o-matic should i use on which version of kernel and iptables. Could
> > someone help me?
> > Thanks a lot
>
> Latest kernel & iptables. Connlimit now inside of kernel.
>
> PS But I lazy think about patch of connlimit to bound timeout. While users
> using keep-alive connections - there are too abstract classification (I use
> slowdown "abusers"). IMHO it is easy (in entry listing add one "if" with
> existing "timeout" field, but I use proxy too and first timout need for proxy,
> then I do not do nothing while - I do not know how to do it in squid).
>
> --
> WBR,
> Denis Kaganovich, mahatma@eu.by http://mahatma.bspu.unibel.by

So are you saying I don't have to recompile either of them or just recompile iptables after patching it?
* connlimit timeout average (was: Re: Patch-o-matic+iptables+kernel, which versions fits together?)
From: Dzianis Kahanovich @ 2008-02-07 21:44 UTC
To: netfilter

Something like this (average (TOO average) timeout, untested!)

Dzianis Kahanovich wrote:
>> i would like to use connlimit module, but i don't know which version
>> of patch-o-matic should i use on which version of kernel and iptables.
>> Could someone help me?
>> Thanks a lot

> Latest kernel & iptables. Connlimit now inside of kernel.

> PS But I lazy think about patch of connlimit to bound timeout. While
> users using keep-alive connections - there are too abstract
> classification (I use slowdown "abusers"). IMHO it is easy (in entry
> listing add one "if" with existing "timeout" field, but I use proxy too
> and first timout need for proxy, then I do not do nothing while - I do
> not know how to do it in squid).

-- 
WBR,
Denis Kaganovich, mahatma@eu.by http://mahatma.bspu.unibel.by

[-- Attachment #2: connlimit-timeout.diff --]

--- a/net/netfilter/xt_connlimit.c 2007-10-09 23:31:38.000000000 +0300 +++ b/net/netfilter/xt_connlimit.c 2008-02-07 19:23:20.000000000 +0200 @@ -28,6 +28,8 @@ #include <net/netfilter/nf_conntrack_core.h> #include <net/netfilter/nf_conntrack_tuple.h> +int connlimit_timeout = 10*60*HZ; /* 10 sec */ + /* we will save the tuples of all connections we care about */ struct xt_connlimit_conn { struct list_head list;
@@ -103,7 +105,8 @@ static int count_them(struct xt_connlimi const struct nf_conntrack_tuple *tuple, const union nf_conntrack_address *addr, const union nf_conntrack_address *mask, - const struct xt_match *match) + const struct xt_match *match, + const unsigned long timeout) { struct nf_conntrack_tuple_hash *found; struct xt_connlimit_conn *conn; @@ -130,6 +133,7 @@ static int count_them(struct xt_connlimi found_ct = nf_ct_tuplehash_to_ctrack(found); if (found_ct != NULL && + abs(found_ct->timeout.expires-timeout)<connlimit_timeout && nf_ct_tuple_equal(&conn->tuple, tuple) && !already_closed(found_ct)) /* @@ -210,7 +214,7 @@ static bool connlimit_match(const struct } spin_lock_bh(&info->data->lock); - connections = count_them(info->data, tuple_ptr, &addr, &mask, match); + connections = count_them(info->data, tuple_ptr, &addr, &mask, match, ct->timeout.expires); spin_unlock_bh(&info->data->lock); if (connections < 0) {
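Review bot: in the first hunk (`@@ -28,6 +28,8 @@`) the initializer and its comment disagree: `10*60*HZ` is ten minutes in jiffies, not the "10 sec" the comment states (the follow-up in this thread says 10 min was intended). Jiffies values are `unsigned long`, and this global has external linkage, so suggest `static unsigned long connlimit_timeout = 10 * 60 * HZ; /* 10 min */`, exposed with `module_param` if it is meant to be tunable at load time.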
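Review bot: in the `count_them` prototype hunk (`@@ -103,7 +105,8 @@`) the new parameter is named `timeout`, but what the call site passes is `ct->timeout.expires`, an absolute jiffies deadline rather than a duration, so `connlimit_timeout` (a duration) and `timeout` (a point in time) end up being mixed in the later comparison under confusingly similar names. Rename the parameter to something like `expires`; the `const` on a by-value scalar parameter can also go.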
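Review bot: in the `@@ -130,6 +133,7 @@` hunk, `abs(found_ct->timeout.expires-timeout)` is wrong on unsigned arithmetic: both operands are `unsigned long`, so the difference never goes negative, it wraps to a huge value whenever the found entry expires earlier than the reference, and `abs()` then truncates that value to `int`. Use the jiffies helpers instead, e.g. `time_after(found_ct->timeout.expires, timeout - connlimit_timeout) && time_before(found_ct->timeout.expires, timeout + connlimit_timeout)`. Also note that the condition being extended contains `nf_ct_tuple_equal(&conn->tuple, tuple)`, so it fires only for the list entry that matches the current connection's own tuple; the context shown does not touch the branch that counts the other connections from the same source, so confirm the window test is attached to the counting branch, otherwise the limit itself is unchanged.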
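Review bot: in the call-site hunk (`@@ -210,7 +214,7 @@`), passing `ct->timeout.expires` makes the window relative to the current connection's own conntrack deadline, and that deadline depends on the connection's tracked state as much as on when it was last seen (a connection that has just been seen in its first packets has a much shorter remaining timeout than a long-established one), so the distance between two `expires` values does not measure recent activity. A reference taken from `jiffies` at match time, or a per-entry last-seen stamp stored in `struct xt_connlimit_conn`, would express the intended "only count recently active connections" test directly.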
* Re: connlimit timeout average
From: Dzianis Kahanovich @ 2008-02-07 21:55 UTC
To: netfilter

Dzianis Kahanovich wrote:
> Something like this (average (TOO average) timeout, untested!)
                                                     ^^^^^^^^^
Sorry, "10*60*HZ" = 10 min ;)). 10*HZ = 10 sec.

> Dzianis Kahanovich wrote:
>
>>> i would like to use connlimit module, but i don't know which version
>>> of patch-o-matic should i use on which version of kernel and
>>> iptables. Could someone help me?
>>> Thanks a lot
>
>> Latest kernel & iptables. Connlimit now inside of kernel.
>
>> PS But I lazy think about patch of connlimit to bound timeout. While
>> users using keep-alive connections - there are too abstract
>> classification (I use slowdown "abusers"). IMHO it is easy (in entry
>> listing add one "if" with existing "timeout" field, but I use proxy
>> too and first timout need for proxy, then I do not do nothing while -
>> I do not know how to do it in squid).

-- 
WBR,
Denis Kaganovich, mahatma@eu.by http://mahatma.bspu.unibel.by