Resend to netfilter-devel@xxxxxxxxxxxxxxx, posted first to lkml.

Recently I tried to mitigate some slow attacks via a netfilter rule utilizing the hashlimit target. I used the following specification:

  -A DETECT_INVALID -m hashlimit --hashlimit-upto 10/hour --hashlimit-mode srcip --hashlimit-name attack_invalid -j RETURN

Now I've seen some strange stuff. The counter in /proc/net/ipt_hashlimit/attack_invalid only counts from 60 back to 0 and then the entry disappears. That means that a rate of 10/hour will never ever be detected at all.

On that box I use kernel 3.16.0 from the Debian backport to oldstable, which seems to be somewhat equal to 3.16.7. So maybe that bug has been found earlier or is even fixed upstream. I have no easy way to upgrade that kernel short term as the box is in production.

Shorter times like 30/hour with a slightly bigger burst (10 instead of the default 5) seem to work as expected but are not able to detect the attacks due to the slow rate.

Am I the only one who has seen that behaviour, or is that a known limitation? I find no notes anywhere that there is a limit here. (Although I would believe that there is a high limit somewhere. But then I would expect it to be returned with some errno when trying to set a too-high value.)

Please keep me in Cc as I do not monitor this list that often.
Regards
Klaus

-- 
Klaus Ethgen                                  http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus@xxxxxxxxx>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
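As an added example, not part of Klaus's post and not netfilter or iptables code: a small POSIX sh helper that derives an explicit --hashlimit-htable-expire value (milliseconds) from the rate and burst of a hashlimit rule and emits the rule with it. The assumption behind it, which the post does not establish as the cause of the behaviour it describes, is that a per-source entry which is garbage-collected before that source's next packet arrives starts again with a full burst, so a very slow source can never exhaust the bucket; setting the expiry to at least the time needed to refill the whole burst (burst / rate) removes the dependency on whatever default expiry the kernel and iptables pair applies. The function names and the chain and table-name arguments are illustrative.

```shell
#!/bin/sh
# Added example, not code from the post or from netfilter/iptables.
# Derive an explicit --hashlimit-htable-expire (milliseconds) for a hashlimit
# rule so that a per-source entry outlives the interval the token bucket has
# to remember. Heuristic assumption (not established by the post): an entry
# that is garbage-collected before the source's next packet restarts with a
# full burst, so the expiry must be at least the time it takes to refill the
# whole burst, i.e. burst / rate.

# unit_seconds UNIT -> seconds in one unit as written after the '/' of a rate
unit_seconds() {
    case "$1" in
        second|sec|s) echo 1 ;;
        minute|min|m) echo 60 ;;
        hour|h)       echo 3600 ;;
        day|d)        echo 86400 ;;
        *) echo "unit_seconds: unknown unit '$1'" >&2; return 1 ;;
    esac
}

# min_expire_ms RATE BURST -> milliseconds needed to refill BURST credits at
# RATE. RATE uses iptables syntax ("10/hour", "30/minute", "5" = per second).
# Integer arithmetic, rounded up.
min_expire_ms() {
    rate="$1"; burst="$2"
    count="${rate%/*}"
    unit="${rate#*/}"
    if [ "$unit" = "$rate" ]; then
        unit=second                      # no '/' given: per second
    fi
    case "$count" in
        ''|*[!0-9]*) echo "min_expire_ms: bad rate '$rate'" >&2; return 1 ;;
    esac
    [ "$count" -gt 0 ] || { echo "min_expire_ms: rate must be > 0" >&2; return 1; }
    secs=$(unit_seconds "$unit") || return 1
    echo $(( (secs * burst * 1000 + count - 1) / count ))
}

# hashlimit_rule CHAIN NAME RATE BURST -> the rule line with an explicit expiry
# and an explicit burst (iptables defaults the burst to 5 when omitted).
hashlimit_rule() {
    chain="$1"; name="$2"; rate="$3"; burst="$4"
    expire=$(min_expire_ms "$rate" "$burst") || return 1
    rule="-A $chain -m hashlimit --hashlimit-upto $rate --hashlimit-burst $burst"
    rule="$rule --hashlimit-mode srcip --hashlimit-name $name"
    rule="$rule --hashlimit-htable-expire $expire -j RETURN"
    printf '%s\n' "$rule"
}

# Usage: the rule from the post, 10/hour with the default burst of 5, gets a
# 30 minute expiry (1800000 ms) instead of relying on the default.
hashlimit_rule DETECT_INVALID attack_invalid 10/hour 5
```

The emitted rule keeps the post's chain, mode and table name and only adds the two explicit parameters; whether the 60 second countdown the post reports comes from the default expiry is something to confirm by comparing the "expires" column in /proc/net/ipt_hashlimit/attack_invalid before and after loading the rule with the explicit value.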