On Thursday 2011-06-09 14:29, Karl Heiss wrote:

>> You could use two separate tables, which has the same effect as
>> storing entries with a unique key of <saddr-or-daddr-bit, addr>
>> in a single table, unless I missed something.
>
> I assume you mean something like this:
>
> iptables -A INPUT -p tcp --dport 23 -m recent --rcheck --seconds 30 -j DROP
> iptables -A INPUT -p tcp --dport 23 -m recent --set -j DROP

I mean:

-A foo -p tcp [plus other conds] -m recent --name by-srcip --rsource --set
-A foo -p tcp [other conds] -m recent --name by-dstip --rdest --set
-A bar -p tcp -m recent --name by-srcip --rsource --rcheck
-A baz -p tcp -m recent --name by-dstip --rdest --rcheck

> PS. After taking a second look at the code, I realized I stuck my
> foot in my mouth about xt_recent not differentiating between saddr and
> daddr. It does indeed differentiate by choosing the correct address
> from the incoming packet to match against the entry IPs.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
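The point of the reply above is that two xt_recent tables (by-srcip filled with --rsource, by-dstip filled with --rdest) behave exactly like one table whose key is <saddr-or-daddr-bit, addr>: an address recorded as a source is never confused with the same address seen as a destination. The following is an added teaching model written for this page, not netfilter code and not anything from the thread's authors. It imitates the --set / --rcheck / --update actions and the --rsource / --rdest side selection for named tables, then replays the four rules from the message against constructed sample traffic (all addresses are documentation ranges made up for the example; class and function names are the model's own).

```python
"""Toy model of xt_recent named tables with --rsource/--rdest side selection.

Added example for illustration; it is not the kernel's xt_recent implementation.
Modelled actions: --set (record and match), --rcheck (match if present, no update),
--update (match if present and refresh the timestamp), with optional --seconds.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    saddr: str
    daddr: str


@dataclass
class RecentMatch:
    name: str                   # --name <table>
    action: str                 # "set", "rcheck" or "update"
    side: str = "source"        # "source" for --rsource (xt_recent default), "dest" for --rdest
    seconds: Optional[int] = None   # --seconds N; only consulted by rcheck/update


class RecentTables:
    """Holds one {addr: last_seen} map per --name, like /proc/net/xt_recent/<name>."""

    def __init__(self) -> None:
        self.tables: Dict[str, Dict[str, float]] = {}

    @staticmethod
    def _addr(m: RecentMatch, pkt: Packet) -> str:
        # --rsource keys the entry on the packet's source, --rdest on its destination.
        return pkt.saddr if m.side == "source" else pkt.daddr

    def match(self, m: RecentMatch, pkt: Packet, now: float) -> bool:
        table = self.tables.setdefault(m.name, {})
        addr = self._addr(m, pkt)
        if m.action == "set":
            table[addr] = now           # add or refresh the entry; --set always matches
            return True
        last = table.get(addr)
        if last is None:
            return False                # address never recorded in this table
        if m.seconds is not None and now - last > m.seconds:
            return False                # entry older than the --seconds window
        if m.action == "update":
            table[addr] = now           # --update refreshes, --rcheck does not
        return True


def keyed_view(rt: RecentTables, sides: Dict[str, str]) -> Dict[Tuple[str, str], float]:
    """Merge named tables into the single <side, addr> keyed table the thread describes."""
    merged: Dict[Tuple[str, str], float] = {}
    for name, entries in rt.tables.items():
        for addr, last in entries.items():
            merged[(sides[name], addr)] = last
    return merged


def demo() -> dict:
    """Replay the message's four rules against constructed traffic; returns the outcomes."""
    rt = RecentTables()
    set_src = RecentMatch("by-srcip", "set", "source")              # -A foo ... --rsource --set
    set_dst = RecentMatch("by-dstip", "set", "dest")                # -A foo ... --rdest --set
    chk_src = RecentMatch("by-srcip", "rcheck", "source", seconds=30)   # -A bar ... --rsource --rcheck
    chk_dst = RecentMatch("by-dstip", "rcheck", "dest", seconds=30)     # -A baz ... --rdest --rcheck

    # t=0: constructed client 203.0.113.5 talks to constructed server 192.0.2.10.
    first = Packet("203.0.113.5", "192.0.2.10")
    rt.match(set_src, first, now=0)     # by-srcip now holds 203.0.113.5
    rt.match(set_dst, first, now=0)     # by-dstip now holds 192.0.2.10

    results = {}
    # Same client again as a source within 30 s: by-srcip hits.
    results["src_hit"] = rt.match(chk_src, Packet("203.0.113.5", "192.0.2.99"), now=10)
    # The client's address appearing as a destination: not in by-dstip, so no match.
    results["dst_miss_for_client"] = rt.match(chk_dst, Packet("198.51.100.1", "203.0.113.5"), now=10)
    # The server's address appearing as a source: not in by-srcip, so no match.
    results["src_miss_for_server"] = rt.match(chk_src, Packet("192.0.2.10", "198.51.100.1"), now=10)
    # Traffic to the server within 30 s: by-dstip hits.
    results["dst_hit"] = rt.match(chk_dst, Packet("198.51.100.1", "192.0.2.10"), now=10)
    # Client seen again after the window has elapsed: rcheck fails.
    results["src_expired"] = rt.match(chk_src, Packet("203.0.113.5", "192.0.2.99"), now=45)
    # Equivalent single-table view keyed by <side, addr>.
    results["keyed_view"] = keyed_view(rt, {"by-srcip": "source", "by-dstip": "dest"})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because --rcheck never refreshes an entry, the timestamps in the merged view stay at the --set time; swapping the check rules to --update would slide the window with each matching packet, which is the usual choice when the intent is "keep treating this address as recent while it keeps talking".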