Jan Engelhardt wrote:
> On Sunday 2010-02-28 05:34, Eric Dumazet wrote:
>>> One of the problems with the way xt_recent is implemented is that
>>> there is no efficient way to remove expired entries.
>
> Oh there is:
>
> echo "- 2001:db8::1" >/proc/net/xt_recent/foo
>
>> 2) All entries are flushed when
>> echo clear > /proc/net/xt_recent/<tablename>
>
> echo "/" >/proc/net/xt_recent/foo
>
> it is.
>
>> 3) You could eventually implement a purge operation to remove all
>> expired entries at will
>>
>> echo purge > /proc/net/xt_recent/<tablename>
>
> Entries do not expire (except "falling off" the LRU when it's full) -
> there is no counter that tells them when they expired.
> "--seconds" is just a match option, not something that defines
> the LRU's properties. And that's actually good, because that allows
> you to write
>
> -m recent --name foo --seconds 60 -j do that
>
> -m recent --name foo --seconds 3600 -j do something else
>
> If you purged "expired" entries after 60 secs, there would be nothing
> left for the 3600 one to check for.
>

I hadn't really considered your example as a valid use case. It seems to me that the second rule might also match even after the first rule matches, but it's also very dependent on how you've crafted your rule set.

rtg

-- 
Tim Gardner timg@xxxxxxx www.tpi.com
OR 503-601-0234 x102
MT 406-443-5357
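An added illustration of the point argued above (that "--seconds" is a match-time filter, not a property of the table, so purging "expired" entries would break the 3600-second rule): a small Python model of an xt_recent table, written for this note and not taken from the thread or from the kernel module. The class and function names (RecentTable, two_rules_example) and the purge_after parameter are hypothetical; the proc write syntax modelled is the "- addr" and "/" form quoted in the post.

```python
from collections import OrderedDict

MAX_ENTRIES, MAX_STAMPS = 100, 20  # defaults of ip_list_tot / ip_pkt_list_tot

class RecentTable:
    """One xt_recent table: an LRU of addresses, each keeping its last hit timestamps."""

    def __init__(self, max_entries=MAX_ENTRIES, max_stamps=MAX_STAMPS):
        self.max_entries, self.max_stamps = max_entries, max_stamps
        self.entries = OrderedDict()  # addr -> [stamps]; first key is least recently used

    def set(self, addr, now):
        """--set / --update: record a hit and move the address to the MRU end."""
        stamps = self.entries.pop(addr, [])
        stamps.append(now)
        self.entries[addr] = stamps[-self.max_stamps:]
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)  # oldest address "falls off" the LRU

    def rcheck(self, addr, now, seconds=None, hitcount=1):
        """--rcheck: >= hitcount stamps, counting only the last `seconds` when given."""
        stamps = self.entries.get(addr, [])
        if seconds is not None:  # --seconds filters at match time; the stamps stay
            stamps = [t for t in stamps if now - t <= seconds]
        return len(stamps) >= hitcount

    def proc_write(self, line):
        """Write to /proc/net/xt_recent/<name>: '/' flushes, '- addr' removes one entry."""
        line = line.strip()
        sign, addr = line[:1], line[1:].strip()
        if line == "/":
            self.entries.clear()
        elif sign == "-" and addr:
            self.entries.pop(addr, None)
        else:
            raise ValueError("expected '/' or '-addr'")


def two_rules_example(purge_after=None):
    """One --set at t=0, then the post's two rules evaluated at t=100. purge_after
    models the proposed (hypothetical) purge: drop entries idle longer than that."""
    table = RecentTable()
    table.set("2001:db8::1", now=0)
    if purge_after is not None:
        for addr, stamps in list(table.entries.items()):
            if 100 - stamps[-1] > purge_after:
                table.proc_write("- " + addr)
    rule_60 = table.rcheck("2001:db8::1", now=100, seconds=60)
    rule_3600 = table.rcheck("2001:db8::1", now=100, seconds=3600)
    return rule_60, rule_3600
```

Without a purge the 60-second rule misses and the 3600-second rule still matches; with a 60-second purge applied first, both rules miss, which is the loss Jan describes.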