Hello,

David Gubler wrote:
> > iptables -A INPUT -p tcp --syn --dport 8080 -m connlimit
> > --connlimit-above 4 -j REJECT

You should reject with TCP reset instead of (default) ICMP destination port unreachable.

> The fifth connection fails as expected, but after I kill some of the
> other connections (verified with netstat -anp | grep ESTABLISHED), I
> *still* cannot open new connections!
>
> To be able to connect again, I have to cease *any* connect attempts for
> about two minutes. If I repeatedly try to connect, I'm not able to
> connect ever again (!), even when there are no more established connections.
>
> As far as I can tell, the problem is the way connlimit works: It looks
> at the conntrack table and considers all entries there, even the
> SYN_WAIT ones (the ones that have been rejected by connlimit end up in
> that state). Or to put it differently: If connlimit denies a connection,

The connlimit match just matches packets, it does not deny anything. The REJECT target does.

> that connection will *still* create a conntrack entry and thus will also
> count against the connection limit. This can be verified using the
> "conntrack -L" command.

This is not the expected behaviour. AFAIK, when a packet creating a new connection is DROPped or REJECTed, the conntrack entry should be deleted. This is what I observe on my system. And connlimit does not even count closed connections still in the TIME_WAIT state.

What is your kernel version?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
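An added example, not part of the thread above: the posted rule rewritten with the TCP reset the reply suggests, plus a small parser for "conntrack -L" output so you can check which entries are actually present for a given source and port when the limit kicks in. The conntrack lines embedded below are constructed for the example; the TIME_WAIT exclusion in count_tracked mirrors the reply's statement that connlimit does not count such entries and is an assumption to check against your own kernel's xt_connlimit, not verified behaviour.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread).

# The rule from the thread, rejecting with a TCP RST instead of the default
# ICMP port-unreachable. Arguments: destination port, connection limit.
connlimit_rule() {
    dport=${1:-8080}
    limit=${2:-4}
    printf 'iptables -A INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s -j REJECT --reject-with tcp-reset\n' "$dport" "$limit"
}

# Constructed sample of "conntrack -L" output: two established connections,
# one half-open (SYN_SENT, [UNREPLIED]) and one TIME_WAIT from 192.0.2.10 to
# port 8080, one connection from another host, one to another port.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=50001 dport=8080 src=192.0.2.1 dst=192.0.2.10 sport=8080 dport=50001 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=50002 dport=8080 src=192.0.2.1 dst=192.0.2.10 sport=8080 dport=50002 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=192.0.2.10 dst=192.0.2.1 sport=50003 dport=8080 [UNREPLIED] src=192.0.2.1 dst=192.0.2.10 sport=8080 dport=50003 mark=0 use=1
tcp      6 55 TIME_WAIT src=192.0.2.10 dst=192.0.2.1 sport=50004 dport=8080 src=192.0.2.1 dst=192.0.2.10 sport=8080 dport=50004 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.20 dst=192.0.2.1 sport=50005 dport=8080 src=192.0.2.1 dst=192.0.2.20 sport=8080 dport=50005 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=50006 dport=22 src=192.0.2.1 dst=192.0.2.10 sport=22 dport=50006 [ASSURED] mark=0 use=1'

# Count TCP conntrack entries (read from stdin, "conntrack -L" format) whose
# original-direction tuple is $src -> dport $dport. The first "src=" and the
# first "dport=" on a line belong to the original direction. TIME_WAIT entries
# are skipped, following the reply's description of connlimit (assumption).
count_tracked() {
    dport=$1
    src=$2
    awk -v dport="$dport" -v src="$src" '
        $1 == "tcp" {
            state = $4
            osrc = ""; odport = ""
            for (i = 5; i <= NF; i++) {
                if (osrc == "" && $i ~ /^src=/)   { osrc = substr($i, 5) }
                if (odport == "" && $i ~ /^dport=/) { odport = substr($i, 7) }
            }
            if (osrc == src && odport == dport && state != "TIME_WAIT") n++
        }
        END { print n + 0 }'
}

# Count the half-open entries ([UNREPLIED]) for $src -> dport $dport. These
# are the entries the original poster reports piling up after rejects.
count_unreplied() {
    dport=$1
    src=$2
    awk -v dport="$dport" -v src="$src" '
        $1 == "tcp" && /\[UNREPLIED\]/ {
            osrc = ""; odport = ""
            for (i = 5; i <= NF; i++) {
                if (osrc == "" && $i ~ /^src=/)   { osrc = substr($i, 5) }
                if (odport == "" && $i ~ /^dport=/) { odport = substr($i, 7) }
            }
            if (osrc == src && odport == dport) n++
        }
        END { print n + 0 }'
}

# Stand-alone run: print the corrected rule and the counts for the sample.
connlimit_rule 8080 4
printf 'tracked for 192.0.2.10:8080:   %s\n' "$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_tracked 8080 192.0.2.10)"
printf 'unreplied for 192.0.2.10:8080: %s\n' "$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_unreplied 8080 192.0.2.10)"
```

On a live system replace the sample with `conntrack -L 2>/dev/null | count_tracked 8080 <client-ip>` while a client is being refused; if count_unreplied keeps growing across rejected SYNs, the rejected packets are leaving conntrack entries behind, which is the behaviour the reply says should not happen.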