Hi Michael,

On Wed, Jul 20, 2005 at 04:55:02PM +0200, Michael Schachtebeck told us:
> But on the other hand, the counter correctly shows the number of packets
> that matched the rule; iptables -t nat -vnL PREROUTING says:
>
> 9 540 REDIRECT tcp -- eth1 * 10.10.10.69 0.0.0.0/0 tcp spts:1024:65535 dpt:80 flags:0x16/0x02 limit: avg 1/day burst 1 redir ports 5000
>
> So it would be very strange if the rules were extracted to user space,
> rewritten/modified, "uploaded" to the kernel with the correct counters
> for the remaining rules, and then, the rules do not look to this
> counters. ;-)

I'm not that familiar with the iptables internals, but I suspect that the counters (which are probably part of the "core" rule data structure) are downloaded to userspace and get uploaded again untouched when just adding or deleting a rule from an existing ruleset, but the limit-match internal data structure will get reallocated. Maybe one of the developers reads this mail and can prove me wrong or perhaps even right :-)

Sven

>
> Why then save and restore the counters, if they are not used by the rules?
>
> Michael.

--
Linux zion 2.6.13-rc3-mm1 #6 PREEMPT Mon Jul 18 19:42:52 CEST 2005 i686 athlon i386 GNU/Linux
17:11:17 up 1 day, 21:23, 1 user, load average: 0.00, 0.05, 0.05
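The behaviour Sven suspects, as an added toy model that is not part of this thread and not the kernel's code: a simplified token bucket standing in for the limit match (avg 1/day, burst 1, as in Michael's rule), a per-rule packet counter, and a "ruleset rewrite" that copies the counter back but allocates a fresh match state. All names and the bucket arithmetic are constructed assumptions, not netfilter internals.

```python
from dataclasses import dataclass, field

@dataclass
class LimitMatch:
    """Constructed, simplified token bucket: `burst` tokens, refilled at
    `avg_per_sec` tokens per second. A freshly allocated bucket starts full."""
    avg_per_sec: float
    burst: int
    credit: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.credit = float(self.burst)

    def match(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        self.credit = min(self.burst, self.credit + (now - self.last) * self.avg_per_sec)
        self.last = now
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False

@dataclass
class Rule:
    limit: LimitMatch
    pkts: int = 0   # the per-rule counter shown by `iptables -vnL`

    def handle(self, now: float) -> bool:
        if self.limit.match(now):
            self.pkts += 1
            return True
        return False

def rewrite_ruleset(rule: Rule) -> Rule:
    """Model of iptables re-uploading the whole table: the counter is carried
    over untouched, but the match's private state is reallocated (bucket full)."""
    new = Rule(LimitMatch(rule.limit.avg_per_sec, rule.limit.burst))
    new.pkts = rule.pkts
    return new

def simulate(rewrite_between: bool):
    """Two packets 60 s apart against `limit: avg 1/day burst 1`; returns
    (first matched, second matched, counter). Only a rewrite lets the
    second packet through, even though the counter looks continuous."""
    rule = Rule(LimitMatch(avg_per_sec=1 / 86400, burst=1))
    first = rule.handle(0.0)
    if rewrite_between:
        rule = rewrite_ruleset(rule)
    second = rule.handle(60.0)
    return first, second, rule.pkts
```

The practical consequence for anyone relying on a once-per-day REDIRECT: a rate limit enforced by the limit match does not survive any edit to the table, so the counter alone is not evidence that the limit held.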