On Mon, Mar 14, 2011 at 8:26 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote: > On Monday 2011-03-14 07:50, Changli Gao wrote: > >>We use the reply tuples when limiting the connections by the destination >>addresses, however, in SNAT scenario, the final reply tuples won't be >>ready until SNAT is done in POSTROUING or INPUT chain > > If I am not mistaken: if you do daddr counting, SNAT is irrelevant. > Consider ruleset > -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 1.2.3.4:80 > -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 1.2.3.5:443 > > The tuple will first be (as per conntrack -L): > src=home dst=router src=router dst=home > After DNAT: > src=home dst=router src=1.2.3.4 dst=home > > Thus looking at the src of the reply tuple seems correct — at least this > is what was wanted, counting per stashed servers (=1 customer), not per > globally visible address. > Yes, you are correct only when there is no SNAT rule. If there is an SNAT rule: -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source 192.168.0.1 the final tuples will be: src = home dst = router src=1.2.3.4 dst=192.168.0.1 However, the tuple saved by connlimit is src=1.2.3.4 dst=home, so this conn will be removed later as there isn't any conntrack, which has this tuple in any direction. You can't prevent a user from doing such a configuration, although you might think it is stupid to do that. Thanks for your review. -- Regards, Changli Gao(xiaosuo@xxxxxxxxx) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
