connlimit timeout average (was: Re: Patch-o-matic+iptables+kernel, which versions fits together?)

Something like this (average (TOO average) timeout, untested!)

Dzianis Kahanovich wrote:

I would like to use the connlimit module, but I don't know which version of patch-o-matic I should use with which version of the kernel and iptables. Could someone help me?
Thanks a lot

Latest kernel & iptables. Connlimit now inside of kernel.

PS But I am lazily thinking about a patch for connlimit to bound the timeout. While users are using keep-alive connections, the classification is too abstract (I use it to slow down "abusers"). IMHO it is easy (in the entry listing, add one "if" with the existing "timeout" field), but I use a proxy too and the first timeout is needed for the proxy, so for now I am not doing anything, as I do not know how to do it in squid.



--
WBR,
Denis Kaganovich,  mahatma@xxxxx  http://mahatma.bspu.unibel.by
--- a/net/netfilter/xt_connlimit.c	2007-10-09 23:31:38.000000000 +0300
+++ b/net/netfilter/xt_connlimit.c	2008-02-07 19:23:20.000000000 +0200
@@ -28,6 +28,8 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
 
+int connlimit_timeout = 10*60*HZ; /* 10 sec */
+
 /* we will save the tuples of all connections we care about */
 struct xt_connlimit_conn {
 	struct list_head list;
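Review bot: the comment on the new global disagrees with its value: `10*60*HZ` is 600 seconds (10 minutes), not "10 sec"; fix one or the other. Since it holds a jiffies interval it should also be `static unsigned long` (or exposed as a `module_param`) rather than a writable non-static `int` with no declaration in any header.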
@@ -103,7 +105,8 @@ static int count_them(struct xt_connlimi
 		      const struct nf_conntrack_tuple *tuple,
 		      const union nf_conntrack_address *addr,
 		      const union nf_conntrack_address *mask,
-		      const struct xt_match *match)
+		      const struct xt_match *match,
+		      const unsigned long timeout)
 {
 	struct nf_conntrack_tuple_hash *found;
 	struct xt_connlimit_conn *conn;
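Review bot: the new `timeout` parameter is misnamed: the caller passes `ct->timeout.expires`, an absolute jiffies deadline, not a timeout length. Naming it `expires` (or passing the `struct nf_conn *` and reading the field inside count_them) would make the comparison in the loop easier to follow; `const` on a by-value `unsigned long` in the prototype adds nothing.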
@@ -130,6 +133,7 @@ static int count_them(struct xt_connlimi
 			found_ct = nf_ct_tuplehash_to_ctrack(found);
 
 		if (found_ct != NULL &&
+		    abs(found_ct->timeout.expires-timeout)<connlimit_timeout &&
 		    nf_ct_tuple_equal(&conn->tuple, tuple) &&
 		    !already_closed(found_ct))
 			/*
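Review bot: `abs(found_ct->timeout.expires-timeout)` is not valid jiffies arithmetic. Both operands are `unsigned long`, so the subtraction never yields a negative value, and `abs()` takes an `int`, so the result is truncated on 64-bit kernels; the intended "within connlimit_timeout in either direction" test is not what gets evaluated. Compute the signed difference, e.g. `(long)(found_ct->timeout.expires - timeout)`, and compare its magnitude, or use time_before()/time_after() from <linux/jiffies.h>, which handle wrap-around. A short comment stating the intent (an existing entry is skipped when its expiry is far from the new connection's, so long-lived keep-alive entries drop out of the per-source count) would also help, since that is the whole point of the patch and nothing in the code says so.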
@@ -210,7 +214,7 @@ static bool connlimit_match(const struct
 	}
 
 	spin_lock_bh(&info->data->lock);
-	connections = count_them(info->data, tuple_ptr, &addr, &mask, match);
+	connections = count_them(info->data, tuple_ptr, &addr, &mask, match, ct->timeout.expires);
 	spin_unlock_bh(&info->data->lock);
 
 	if (connections < 0) {
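Review bot: the new `count_them` call line runs well past 80 columns; wrap the argument list. More substantively, the only caller always passes `ct->timeout.expires` and the window it is compared against is the fixed global from the first hunk, so the behaviour cannot be set per rule; carrying the window in the match's `info` structure (with a matching iptables option), or at least a module parameter, would let an administrator tune it without rebuilding the module.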
