From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Netfilter Developer Mailing List
	<netfilter-devel@vger.kernel.org>,
	Jan Rovner <jan.rovner@diadema.cz>
Subject: Re: netfilter: xt_connlimit: pick right dstaddr in NAT scenario
Date: Wed, 26 Jan 2011 16:29:13 +0100
Message-ID: <4D403DC9.2000708@trash.net>
In-Reply-To: <alpine.LNX.2.01.1101261304310.4561@obet.zrqbmnf.qr>

On 26.01.2011 13:07, Jan Engelhardt wrote:
> 
> 
> The following changes since commit 4b3fd57138c969dd940651fadf90db627254edbf:
> 
>   IPVS: Change sock_create_kernel() to __sock_create() (2011-01-22 13:48:01 +1100)
> 
> are available in the git repository at:
>   git://dev.medozas.de/linux connlimit
> 
> Jan Engelhardt (1):
>       netfilter: xt_connlimit: pick right dstaddr in NAT scenario
> 
>  net/netfilter/xt_connlimit.c |   12 ++++++++----
>  1 files changed, 8 insertions(+), 4 deletions(-)
> 
> ===
> 
> parent 4b3fd57138c969dd940651fadf90db627254edbf (v2.6.38-rc1-151-g4b3fd57)
> commit ad86e1f27a9a97a9e50810b10bca678407b1d6fd
> Author: Jan Engelhardt <jengelh@medozas.de>
> Date:   Wed Jan 26 11:50:03 2011 +0100
> 
> netfilter: xt_connlimit: pick right dstaddr in NAT scenario
> 
> xt_connlimit normally records the "original" tuples in a hashlist
> (such as "1.2.3.4 -> 5.6.7.8"), and looks in this list for iph->daddr
> when counting.
> 
> When the user however uses DNAT in PREROUTING, looking for
> iph->daddr -- which is now 192.168.9.10 -- will not match. Thus in
> daddr mode, we need to record the reverse direction tuple
> ("192.168.9.10 -> 1.2.3.4") instead. In the reverse tuple, the dst
> addr is on the src side, which is convenient, as count_them still uses
> &conn->tuple.src.u3.
> 

Pulled, thanks Jan.
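
The tuple choice described in the quoted commit message, as an added example that is not part of the thread and not the kernel's code: a simplified user-space model in which the structs, function names, and the addresses 1.2.3.5 and 10.0.0.5 are assumptions made for illustration. It shows that searching original tuples for the post-DNAT `iph->daddr` counts nothing, so a per-destination limit is never reached, while the reply tuple's source side counts both NATed and un-NATed connections.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins, not the kernel's nf_conntrack types. */
struct tuple { uint32_t src, dst; };
struct conn  { struct tuple orig, reply; };

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define NCONN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Constructed sample: two clients reach 5.6.7.8, which PREROUTING DNATs to
 * 192.168.9.10, plus one un-NATed connection to 10.0.0.5. */
static const struct conn SAMPLE[] = {
    { { IP(1,2,3,4), IP(5,6,7,8)  }, { IP(192,168,9,10), IP(1,2,3,4) } },
    { { IP(1,2,3,5), IP(5,6,7,8)  }, { IP(192,168,9,10), IP(1,2,3,5) } },
    { { IP(1,2,3,4), IP(10,0,0,5) }, { IP(10,0,0,5),     IP(1,2,3,4) } },
};

/* Behaviour before the fix, as the commit message describes it:
 * original tuples are recorded and searched for iph->daddr. */
static int count_orig_dst(const struct conn *c, size_t n, uint32_t iph_daddr)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (c[i].orig.dst == iph_daddr);
    return hits;
}

/* Behaviour after the fix: the reply tuple is recorded, so the post-DNAT
 * destination sits on the src side and is compared there. */
static int count_reply_src(const struct conn *c, size_t n, uint32_t iph_daddr)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (c[i].reply.src == iph_daddr);
    return hits;
}

int main(void)
{
    uint32_t d = IP(192,168,9,10);   /* iph->daddr as seen after DNAT */
    printf("orig-tuple lookup: %d, reply-tuple lookup: %d\n",
           count_orig_dst(SAMPLE, NCONN, d), count_reply_src(SAMPLE, NCONN, d));
    return 0;
}
```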
