* per j (perj8@hotmail.com) wrote: > Nope, my patch doesn't remove 'if(out) ttl++;'. However I'm not too > certain whether one would really use it. It doesn't really matter unless > --rttl is in the POSTROUTING chains. So far -m recent and LOG are both > seeing the same TTL for me and I have no --rttl in POSTROUTING. Why would > one use --rttl in POSTROUTING? That's pretty late to filter incoming > packets (or rather outgoing packets). Perhaps one would use it to mangle > forwarded parkets, but it would mean the packet already traversed the > FORWARD chain! Maybe you could better explain 'if(out) ttl++;'? I guess > it's there for those who must use --rttl in POSTROUTING? The routing is done before the FORWARD chain is done (how else would you know the outgoing interface?) and I believe the ttl incrementation happens in the routing code. I don't know that for sure and havn't had time to test it. The 'if(out) ttl++;' is meant to make TTL matching work for people who use recent matching between PREROUTING and FORWARD/POSTROUTING. If you're using -j TTL and whatnot then really all bets are off and there's no way for ipt_recent to figure that out so if you're doing that you're kind of on your own with the ipt_recent TTL matching. The point of the 'if(out) ttl++;' is to allow you to 'set' in PREROUTING and then 'rcheck' or 'update' in FORWARD, after the routing code is done and have the TTL match work correctly, provided you are not otherwise mucking the TTL. > On the other hand, I use -j TTL --ttl-inc 1 in PREROUTING to restore the > TTL of packets going through the gateway as if packets forwarded through > the gateway are coming from the gateway. So this _conflicts_ with your > 'if(out) ttl++;' if I were to use --rttl in POSTROUTING after -j TTL in the > mangle table. I think it best not to use 'if(out) ttl++;' in ipt_recent in > this case. I guess I could make that bit of code optional if there's really a need for it to be? > I see your point about making a new table entry for any different TTL from > the same ip address. Valid point indeed! --rttl seems to work fine with > your suggested code change to r_list[location].ttl, so I'm using the > following patch instead. Glad that's working. > I wonder why you left the ?old? bug hanging around without giving your > users any notice? You should have publicly announced --rttl code is not > yet done somewhere in the documentation or on your announcement pages. > It's kinda a lie to publicly release ipt_recent without announcing the TODO > list of _old_ bugs. Before this patch, --rttl worked only in extremely > rare condition when r_list[location].addr==addr and location==0. and u > knew this was an old bug for a year or so? (sigh) I didn't know about the bug before you pointed it out to me. After you pointed it out I realized how old a bug it was because of what it was doing. Stephen
Attachment:
pgp00358.pgp
Description: PGP signature
