On Tue, Mar 15, 2011 at 3:00 AM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
> On Monday 2011-03-14 13:42, Changli Gao wrote:
>
>> Yes, you are correct only when there is no SNAT rule. If there is an
>> SNAT rule:
>>
>> -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source 192.168.0.1
>>
>> the final tuples will be:
>> src = home     dst = router
>> src = 1.2.3.4  dst = 192.168.0.1
>>
>> However, the tuple saved by connlimit is src=1.2.3.4 dst=home, so this
>> conn will be removed later as there isn't any conntrack, which has
>> this tuple in any direction.
>
> But I don't yet see how your patch #1 can help. At the time
> conn->tuple = *tuple is done, *tuple still contains the non-SNATed
> tuple, and it is never updated again.
>

In this patch, conn->addr is used to save the destination/source address
instead of conn->tuple.src.u3, so the conn->tuple is used for conntrack
lookup only. Just as the original tuple isn't updated, we can use it to
look up the associated conntrack all the time.

addr:  192.168.0.1
tuple: src = home, dst = router

-- 
Regards,
Changli Gao(xiaosuo@xxxxxxxxx)
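The following is an added toy model of the tuple argument made in the thread above; it is not code from the thread, from xt_connlimit or from nf_conntrack. It keeps only the shape of the reasoning: a conntrack entry carries an original and a reply tuple, SNAT rewrites the reply tuple and leaves the original untouched, and the conntrack lookup matches a tuple in either direction. The router is taken to be 1.2.3.4 and the SNAT address 192.168.0.1 as in the thread; the "home" address 10.0.0.2 is an assumption, since the thread never gives it. The unpatched variant stores the pre-SNAT reply tuple (src=1.2.3.4, dst=home) and so is orphaned once SNAT changes the reply direction; the patched variant stores the never-rewritten original tuple for lookup and keeps the counted address in a separate field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added toy model, not kernel code. Addresses: 1.2.3.4 and 192.168.0.1 come
 * from the thread; the "home" client address is an assumed value. */
#define IP4(a, b, c, d) \
    ((((uint32_t)(a)) << 24) | (((uint32_t)(b)) << 16) | \
     (((uint32_t)(c)) << 8) | ((uint32_t)(d)))

#define HOME     IP4(10, 0, 0, 2)     /* assumption: client address not in thread */
#define ROUTER   IP4(1, 2, 3, 4)      /* the router the thread calls 1.2.3.4 */
#define SNAT_SRC IP4(192, 168, 0, 1)  /* --to-source of the SNAT rule */

typedef struct { uint32_t src, dst; } tuple_t;
typedef struct { tuple_t orig, reply; } ct_t;            /* one conntrack entry */
typedef struct { tuple_t tuple; uint32_t addr; } conn_t; /* one connlimit entry */

static int tuple_eq(tuple_t a, tuple_t b) {
    return a.src == b.src && a.dst == b.dst;
}

/* New connection: the reply tuple starts as the exact inverse of the original. */
static ct_t ct_new(tuple_t orig) {
    ct_t ct;
    ct.orig = orig;
    ct.reply.src = orig.dst;
    ct.reply.dst = orig.src;
    return ct;
}

/* SNAT --to-source X: original-direction packets leave with src X, so the
 * reply direction now has dst X. The original tuple is not touched. */
static void ct_snat(ct_t *ct, uint32_t new_src) {
    ct->reply.dst = new_src;
}

/* Direction-agnostic lookup, modelled on the conntrack lookup connlimit uses:
 * a tuple is found if it equals either direction of some entry. */
static const ct_t *ct_find(const ct_t *table, size_t n, tuple_t t) {
    for (size_t i = 0; i < n; i++)
        if (tuple_eq(table[i].orig, t) || tuple_eq(table[i].reply, t))
            return &table[i];
    return NULL;
}

/* The thread's scenario: home -> router:80, then SNAT --to-source 192.168.0.1.
 * patched == 0: connlimit stores the pre-SNAT reply tuple (src=1.2.3.4, dst=home)
 *               and reads the counted address out of that tuple.
 * patched == 1: connlimit stores the original tuple (src=home, dst=router) for
 *               lookup and keeps the counted address in a separate field.
 * Returns 1 if the connlimit entry still resolves to a live conntrack after
 * SNAT has run, 0 if it would be garbage-collected as orphaned. */
int connlimit_entry_survives_snat(int patched) {
    tuple_t orig = { HOME, ROUTER };
    ct_t table[1];
    conn_t c;

    table[0] = ct_new(orig);
    if (patched) {
        c.tuple = orig;          /* lookup key: never rewritten by NAT */
        c.addr = SNAT_SRC;       /* counted address, as in the thread's "addr:" line */
    } else {
        c.tuple = table[0].reply; /* src=1.2.3.4, dst=home before SNAT */
        c.addr = c.tuple.src;     /* counted address lives inside the tuple */
    }

    ct_snat(&table[0], SNAT_SRC); /* POSTROUTING SNAT rewrites the reply tuple */
    return ct_find(table, 1, c.tuple) != NULL;
}

int main(void) {
    printf("unpatched entry found after SNAT: %d\n", connlimit_entry_survives_snat(0));
    printf("patched entry found after SNAT:   %d\n", connlimit_entry_survives_snat(1));
    return 0;
}
```

Run it and the unpatched entry reports 0 (orphaned, so connlimit would drop it and under-count), while the patched entry reports 1 because its lookup key is the original tuple, which SNAT never changes.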