Msquared wrote: > On Wed, Jun 27, 2007 at 11:07:38AM +0200, Patrick McHardy wrote: > > >>>I seem to be having a problem where a rule with --hitcount is matching >>>when there are fewer hits than is listed in the hitcount parameter. >> >>Which kernel version are you using? > > > 2.4.22-1.2199.8.legacy.nptl > > > On Wed, Jun 27, 2007 at 12:41:46PM +0300, hdemir@xxxxxxxxxxx wrote: > > >>>The rules are in a chain that is only hit for incoming SSH connections. >>>EG: I have this rule in the INPUT chain: >>> >>> -m tcp --dport 22 -j service-ssh >> >>You are sending all the traffic to the port 22. Use -m state --state >>NEW, so that only new ssh connections can be updated. > > > I already tried that, but it made no difference (perhaps because -m state > --state ESTABLISHED,RELATED -j ACCEPT higher in the INPUT chain). > > Note from the iptables -vnL output that I showed that it only counted one > hit on the --set rule and a number of hits on the --update rule. I think I know what the reason is. My rewritten version of the recent match matches if the current packet is the nth hit and in that case doesn't note the entry. So you're only seeing n-1 entries in /proc. Did the old version behave differently here?
