Re: linux-next netfilter: xt_recent: Add an entry reaper

On Sunday 2010-02-28 05:34, Eric Dumazet wrote:
>> One of the problems with the way xt_recent is implemented is that
>> there is no efficient way to remove expired entries.

Oh there is:

	echo "- 2001:db8::1" >/proc/net/xt_recent/foo

>2) All entries are flushed when
>	echo clear > /proc/net/xt_recent/<tablename>

	echo "/" >/proc/net/xt_recent/foo

it is.

>3) You could eventually implement a purge operation to remove all
>expired entries at will
>
>      echo purge > /proc/net/xt_recent/<tablename>

Entries do not expire (except "falling off" the LRU when it's full) -
there is no counter that tells them when they expired.
"--seconds" is just a match option, not something that defines
the LRU's properties. And that's actually good, because that allows
you to write

	-m recent --name foo --seconds 60 -j do that

	-m recent --name foo --seconds 3600 -j do something else

If you purged "expired" entries after 60 secs, there would be nothing
left for the 3600 one to check for.
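
The point made in the message above, as an added example that is not part of the original message and is not the kernel's xt_recent code: a simplified C model in which each entry holds one last-seen timestamp and every rule applies its own `--seconds` window at match time. The table size, the function names and the `recent_purge` helper (modelling the purge proposed in the thread) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 4   /* constructed value; tiny so LRU eviction is easy to see */

struct entry { char addr[46]; long last_seen; int used; };
struct table { struct entry e[TABLE_SIZE]; };

static struct entry *lookup(struct table *t, const char *addr)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        if (t->e[i].used && strcmp(t->e[i].addr, addr) == 0)
            return &t->e[i];
    return NULL;
}

/* Record addr at time now; when the table is full, the least recently seen entry falls off. */
void recent_set(struct table *t, const char *addr, long now)
{
    struct entry *slot = lookup(t, addr);
    if (!slot) {
        slot = &t->e[0];
        for (int i = 0; i < TABLE_SIZE; i++) {
            if (!t->e[i].used) { slot = &t->e[i]; break; }
            if (t->e[i].last_seen < slot->last_seen) slot = &t->e[i];
        }
        snprintf(slot->addr, sizeof(slot->addr), "%s", addr);
        slot->used = 1;
    }
    slot->last_seen = now;
}

/* "--seconds N" is applied by each rule at match time; the entry stores no expiry. */
int recent_match(struct table *t, const char *addr, long now, long seconds)
{
    struct entry *e = lookup(t, addr);
    return e && now - e->last_seen <= seconds;
}

/* Hypothetical purge: drop every entry older than max_age, return the number dropped. */
int recent_purge(struct table *t, long now, long max_age)
{
    int n = 0;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (t->e[i].used && now - t->e[i].last_seen > max_age) { t->e[i].used = 0; n++; }
    return n;
}
```

With an address recorded at t=0, a 60-second rule no longer matches at t=120 while a 3600-second rule still does; purging with a 60-second cutoff removes the entry the 3600-second rule depends on.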