On 14.02.2011 16:45, Jan Engelhardt wrote:
> On Monday 2011-02-14 16:30, Stefan Berger wrote:
>
>> I have to revert the early loop termination in connlimit since it generates
>> problems when an iptables statement does not use -m state --state NEW before
>> the connlimit match extension.
>
> What problems? Why would xt_connlimit care about what other extensions
> have been used before it?
>
Because we abort once the threshold has been reached, which might be before we found the matching connection and set addit to false.
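A simplified user-space model of the failure described in the reply above, added here as an illustration; it is not the xt_connlimit source or the patch under discussion. The list layout, the names `count_conns` and `replay`, the connection ids and the exact break condition are assumptions; only the `addit` flag is taken from the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CONNS 16

/* Hypothetical stand-in for the list of connections tracked for one address. */
struct conn_list {
    unsigned int id[MAX_CONNS];   /* constructed connection ids, not real tuples */
    size_t len;
};

/* Count tracked connections; add the packet's connection unless it is found.
 * With early_exit set, the scan stops once the count exceeds the limit. */
static size_t count_conns(struct conn_list *l, unsigned int pkt_conn,
                          size_t limit, bool early_exit)
{
    bool addit = true;
    size_t matches = 0;

    for (size_t i = 0; i < l->len; i++) {
        if (l->id[i] == pkt_conn)
            addit = false;          /* already tracked: must not be added again */
        matches++;
        if (early_exit && matches > limit)
            break;                  /* assumed condition: rest of list is skipped */
    }
    if (addit && l->len < MAX_CONNS) {
        l->id[l->len++] = pkt_conn; /* duplicate entry when the match was missed */
        matches++;
    }
    return matches;
}

/* Feed n packets of one already-tracked connection; return the list length. */
size_t replay(bool early_exit, int n)
{
    struct conn_list l = { .id = { 1, 2, 3, 4 }, .len = 4 };

    for (int i = 0; i < n; i++)
        count_conns(&l, 4, 2, early_exit);  /* connection 4 sits past the limit */
    return l.len;
}

int main(void)
{
    printf("full scan: %zu, early exit: %zu\n", replay(false, 3), replay(true, 3));
    return 0;
}
```

With the full scan the list stays at four entries; with the early exit every further packet of connection 4 appends another copy of it, which is the double counting that a preceding `-m state --state NEW` match would otherwise mask.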