Hi Mart,

Mart Frauenlob wrote:
> On 24.02.2010 12:30, netfilter-owner@xxxxxxxxxxxxxxx wrote:
>> Dear Experts,
>>
>> Would one regard the limit module as being stateful or stateless?
>>
>> My gut feeling is to say that it is stateless.
>>
>> I presume while it maintains some (simple) state information, it has no
>> semantic context of previous packets. Rather it only refers to packet
>> counter statistics which the limit module maintains or can query.
>> Therefore, regardless of previously accepted traffic, if there are more
>> connections than deemed acceptable, then even legitimate reconnections
>> are also blocked/logged.
>>
>> Under this assumption, I would classify the limit module as stateless.
>> Comments?
>
> The limit extension operates on packets, it does not know/care about
> connections.

Exactly my thoughts. I wasn't sure of the limit module's internal workings and how it inspected/examined packets (packet count or otherwise). Thanks for clearing that up.

> -A CHAIN -m state --state NEW -m limit --limit 3/s -j ACCEPT
> would allow 3 state NEW packets/second.
>
>> The reason I ask is that I'd like to classify/categorise various
>> iptables filter capabilities. Rather than defining just stateless (for
>> example, TCP match), stateful (for example, state match),
>> application-layer (l7-filter) and extension (for example, limit match)
>> filter capabilities, various matches may be a member of more than one
>> category. For example, l7-filter could be considered as both stateful
>> and application-layer, in that it operates at layer 7 and it maintains
>> state of previous packets in a buffer in order to discover if a set of
>> packets describe a particular traffic flow. l7-filter could also be
>> considered an extension ;-)
>
> Best regards
>
> Mart

regards,
Will.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
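The point Mart makes (the limit match counts packets, not connections, so a host's earlier accepted traffic buys it nothing once the bucket is empty) is easy to see in a small simulation. The following is an added illustration, not code from this thread or from netfilter: it models `-m limit` as a token bucket with the rate from the quoted rule (`--limit 3/s`) and xt_limit's default burst of 5, and evaluates a constructed three-rule chain (NEW+limit ACCEPT, ESTABLISHED ACCEPT, then DROP; the last two rules are assumed for illustration). The packet trace is constructed. Real xt_limit keeps integer credits in jiffies, so the exact arithmetic differs, but the behaviour that matters here is the same.

```python
"""Simplified token-bucket model of the iptables 'limit' match.

Added illustration, not netfilter code. Assumptions: the bucket holds at most
`burst` tokens (xt_limit's default --limit-burst is 5), refills at `rate`
tokens per second, and each packet that reaches the match spends one token.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate: float            # --limit, in packets per second (3/s in the thread)
    burst: int = 5         # --limit-burst, the bucket capacity
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # the bucket starts full
        self.last = 0.0

    def match(self, now: float) -> bool:
        """Return True if this packet matches (and spend a token)."""
        # Credit tokens earned since the previous evaluated packet, capped at burst.
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(packets, rate: float = 3.0, burst: int = 5):
    """Evaluate a constructed chain for each (time_s, src, is_new) packet:

        -A CHAIN -m state --state NEW -m limit --limit 3/s -j ACCEPT   (from the thread)
        -A CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT          (assumed)
        -A CHAIN -j DROP                                                (assumed)

    Because -m state precedes -m limit, only NEW packets ever spend a token;
    established traffic is accepted by the second rule without touching the bucket.
    The source address is carried along only so the output can show that it
    plays no part in the decision.
    """
    limiter = LimitMatch(rate=rate, burst=burst)
    verdicts = []
    for t, src, is_new in packets:
        if not is_new:
            verdicts.append((src, "ACCEPT"))          # second rule
        elif limiter.match(t):
            verdicts.append((src, "ACCEPT"))          # first rule
        else:
            verdicts.append((src, "DROP"))            # falls through to the third rule
    return verdicts


# Constructed trace: (seconds, source, is_new). Five NEW packets arrive at once,
# then 10.0.0.1 tries to reconnect 100 ms later, and so on.
CONSTRUCTED_TRACE = [
    (0.0, "10.0.0.1", True), (0.0, "10.0.0.2", True), (0.0, "10.0.0.3", True),
    (0.0, "10.0.0.4", True), (0.0, "10.0.0.5", True),   # burst of 5: all accepted
    (0.1, "10.0.0.1", True),    # previously accepted host reconnects: bucket ~0.3, DROP
    (0.2, "10.0.0.2", False),   # established packet: accepted, no token spent
    (0.5, "10.0.0.6", True),    # ~1.5 tokens available: ACCEPT
    (0.6, "10.0.0.1", True),    # ~0.8 tokens: DROP again
    (2.0, "10.0.0.1", True),    # bucket refilled (capped at 5): ACCEPT
]


def verdicts_only(packets, **kw):
    return [v for _, v in run_chain(packets, **kw)]


if __name__ == "__main__":
    for (t, src, is_new), (_, verdict) in zip(CONSTRUCTED_TRACE, run_chain(CONSTRUCTED_TRACE)):
        print(f"t={t:4.1f}s {src:10s} {'NEW' if is_new else 'EST':3s} -> {verdict}")
    # The same timings from a single host yield identical verdicts: the match
    # sees a packet stream, not connections.
    one_host = [(t, "10.0.0.9", n) for t, _, n in CONSTRUCTED_TRACE]
    print("same verdicts from one host:", verdicts_only(one_host) == verdicts_only(CONSTRUCTED_TRACE))
```

The second comparison in the script is the practical takeaway for classification: whether the six NEW packets in the first second come from six hosts or from one, the limit match returns the same sequence of verdicts, and a legitimate client that was accepted a moment ago is dropped as soon as the bucket is empty.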