On Monday 2011-03-14 13:42, Changli Gao wrote: >On Mon, Mar 14, 2011 at 8:26 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote: >> On Monday 2011-03-14 07:50, Changli Gao wrote: >> >>>We use the reply tuples when limiting the connections by the destination >>>addresses, however, in SNAT scenario, the final reply tuples won't be >>>ready until SNAT is done in POSTROUING or INPUT chain >> >> If I am not mistaken: if you do daddr counting, SNAT is irrelevant. >> Consider ruleset >> Â-t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 1.2.3.4:80 >> Â-t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 1.2.3.5:443 >> >> The tuple will first be (as per conntrack -L): >> Âsrc=home dst=router src=router dst=home >> After DNAT: >> Âsrc=home dst=router src=1.2.3.4 dst=home >> >> Thus looking at the src of the reply tuple seems correct â at least this >> is what was wanted, counting per stashed servers (=1 customer), not per >> globally visible address. >> > >Yes, you are correct only when there is no SNAT rule. If there is an >SNAT rule: > >-t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source 192.168.0.1 > >the final tuples will be: >src = home dst = router src=1.2.3.4 dst=192.168.0.1 > >However, the tuple saved by connlimit is src=1.2.3.4 dst=home, so this >conn will be removed later as there isn't any conntrack, which has >this tuple in any direction. But I don't yet see how your patch #1 can help. At the time conn->tupleÂ= *tuple is done, *tuple still contains the non-SNATed tuple, and it is never updated again. (Patrick: patches 2-4 are ok) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
