On 14.03.2011 13:42, Changli Gao wrote:
> On Mon, Mar 14, 2011 at 8:26 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>> On Monday 2011-03-14 07:50, Changli Gao wrote:
>>
>>> We use the reply tuples when limiting the connections by the destination
>>> addresses, however, in SNAT scenario, the final reply tuples won't be
>>> ready until SNAT is done in POSTROUTING or INPUT chain
>>
>> If I am not mistaken: if you do daddr counting, SNAT is irrelevant.
>> Consider ruleset
>> -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 1.2.3.4:80
>> -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 1.2.3.5:443
>>
>> The tuple will first be (as per conntrack -L):
>> src=home dst=router src=router dst=home
>> After DNAT:
>> src=home dst=router src=1.2.3.4 dst=home
>>
>> Thus looking at the src of the reply tuple seems correct - at least this
>> is what was wanted, counting per stashed servers (=1 customer), not per
>> globally visible address.
>>
>
> Yes, you are correct only when there is no SNAT rule. If there is an SNAT rule:
>
> -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source 192.168.0.1
>
> the final tuples will be:
> src = home dst = router src=1.2.3.4 dst=192.168.0.1
>
> However, the tuple saved by connlimit is src=1.2.3.4 dst=home, so this
> conn will be removed later as there isn't any conntrack, which has
> this tuple in any direction.
>
> You can't prevent a user from doing such a configuration, although you
> might think it is stupid to do that.
>
> Thanks for your review.

Jan, please let me know whether you want me to apply these patches.

Thanks.
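To make the tuple walk in the quoted exchange concrete, here is a small Python model of it. It is an added illustration, not code from the netfilter tree or from anyone in this thread: it represents a conntrack entry as an original and a reply tuple, applies the DNAT and SNAT rewrites the way the quoted `conntrack -L` output shows them, and then checks whether the reply tuple connlimit would have stored in PREROUTING (after DNAT, before SNAT) still matches the final entry in either direction. Address names (`home`, `router`, `1.2.3.4`, `192.168.0.1`) are taken from the thread; the function names and the in-memory "conntrack table" are assumptions of this model only, and ports are omitted for brevity.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Tuple:
    """One direction of a conntrack entry (addresses only, ports omitted)."""
    src: str
    dst: str


@dataclass(frozen=True)
class Conntrack:
    """A conntrack entry as printed by `conntrack -L`: original and reply tuple."""
    original: Tuple
    reply: Tuple


def new_connection(src: str, dst: str) -> Conntrack:
    """Entry as first seen: reply is the mirror image of the original."""
    return Conntrack(Tuple(src, dst), Tuple(dst, src))


def apply_dnat(ct: Conntrack, new_dst: str) -> Conntrack:
    """DNAT in PREROUTING rewrites the real destination; conntrack records
    that as the source of the reply tuple (the original tuple is untouched)."""
    return replace(ct, reply=replace(ct.reply, src=new_dst))


def apply_snat(ct: Conntrack, new_src: str) -> Conntrack:
    """SNAT in POSTROUTING rewrites the source; conntrack records that as
    the destination of the reply tuple."""
    return replace(ct, reply=replace(ct.reply, dst=new_src))


def has_conntrack(saved: Tuple, table: list) -> bool:
    """The garbage-collection question from the thread: does any conntrack
    entry carry the saved tuple in either direction?"""
    return any(saved in (ct.original, ct.reply) for ct in table)


def simulate(snat_source: str = None):
    """Walk one connection through DNAT (and optionally SNAT) and report
    the tuple connlimit saved, the final entry, and whether the saved
    tuple is still findable. Returns (saved, final_entry, found)."""
    ct = new_connection("home", "router")
    ct = apply_dnat(ct, "1.2.3.4")          # -j DNAT --to 1.2.3.4
    saved = ct.reply                        # what connlimit stores in PREROUTING
    if snat_source is not None:
        ct = apply_snat(ct, snat_source)    # -j SNAT --to-source 192.168.0.1
    return saved, ct, has_conntrack(saved, [ct])


if __name__ == "__main__":
    for label, snat in (("DNAT only", None), ("DNAT + SNAT", "192.168.0.1")):
        saved, final, found = simulate(snat)
        print(f"{label}: saved={saved} final={final} found={found}")
```

Without SNAT the saved tuple `src=1.2.3.4 dst=home` equals the final reply tuple and is found; with the POSTROUTING SNAT rule the final reply tuple becomes `src=1.2.3.4 dst=192.168.0.1`, nothing matches, and the connlimit entry would be dropped exactly as described above. The practical takeaway for anyone relying on `--connlimit-daddr` behind SNAT is to verify with `conntrack -L` that the reply tuple the match sees is the one that survives NAT.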