On Fri, Feb 13, 2015 at 12:47:50PM +0100, Florian Westphal wrote:
> given:
> -A INPUT -m recent --update --seconds 30 --hitcount 4
> and
> iptables-save > foo
>
> then
> iptables-restore < foo
>
> will fail with:
> kernel: xt_recent: hitcount (4) is larger than packets to be remembered (4) for table DEFAULT
>
> Even when the check is fixed, the restore won't work if the hitcount is
> increased to e.g. 6, since by the time checkentry runs it will find the
> 'old' incarnation of the table.
>
> We can avoid this by increasing the maximum threshold silently; we only
> have to rm all the current entries of the table (these entries would
> not have enough room to handle the increased hitcount).
>
> This even makes (not-very-useful)
> -A INPUT -m recent --update --seconds 30 --hitcount 4
> -A INPUT -m recent --update --seconds 30 --hitcount 42
> work.

Applied, thanks Florian.
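As an added illustration (not the kernel's xt_recent.c and not Florian's patch), the cut-down C model below shows the table-size mechanic the message describes: the pre-fix check that rejects re-adding the very rule that created the table, and the post-fix behaviour that grows the table silently after flushing its entries. The struct and function names, the power-of-two stamp mask and the 256 cap are this example's assumptions.

```c
/* Added illustration, NOT the kernel's xt_recent.c: a cut-down model of the
 * per-table stamp limit discussed in the thread. All names here are invented. */

#define RECENT_MAX_NSTAMPS 256u  /* stand-in for the hard per-entry stamp cap */

struct recent_table {
    unsigned int nstamps_max_mask;  /* each entry has room for mask + 1 stamps */
    unsigned int nentries;          /* remembered addresses (stand-in for the list) */
};

/* Stamps per entry for a hitcount, as a power-of-two mask:
 * --hitcount 4 -> 3 (4 slots), 6 -> 7 (8 slots), 42 -> 63 (64 slots). */
unsigned int nstamp_mask(unsigned int hitcount)
{
    unsigned int n = 1;
    while (n < hitcount)
        n <<= 1;
    return n - 1;
}

/* A table as iptables-restore finds it: sized by the rule that created it and
 * already holding entries (constructed state for the example). */
void recent_table_init(struct recent_table *t, unsigned int hitcount, unsigned int nentries)
{
    t->nstamps_max_mask = nstamp_mask(hitcount);
    t->nentries = nentries;
}

/* Pre-fix check: compares the hitcount with the mask instead of mask + 1, so
 * restoring "--hitcount 4" into the table that rule created fails with
 * "hitcount (4) is larger than packets to be remembered (4)". */
int checkentry_old(const struct recent_table *t, unsigned int hitcount)
{
    return hitcount > t->nstamps_max_mask ? -1 : 0;
}

/* Post-fix behaviour: a rule needing more room than the existing table grows
 * it silently, first dropping every entry (their stamp arrays were sized for
 * the old mask). Returns the number of entries flushed, or -1 if rejected. */
int checkentry_new(struct recent_table *t, unsigned int hitcount)
{
    unsigned int mask = nstamp_mask(hitcount);
    int flushed = 0;
    if (hitcount >= RECENT_MAX_NSTAMPS)
        return -1;
    if (mask > t->nstamps_max_mask) {
        flushed = (int)t->nentries;
        t->nentries = 0;
        t->nstamps_max_mask = mask;
    }
    return flushed;
}
```

With a table created by `--hitcount 4` and holding two entries, `checkentry_old` rejects the restored rule while `checkentry_new` accepts it unchanged, and raising the hitcount to 6 flushes both entries and widens the table.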