Re: iptables ip tracking buffer size?

On 03/03/2017 at 19:20, Matthew Sims wrote:
Quick backstory. I recently took over an unused project from a co-worker
who left over a year ago. The idea was to block IPs that reached a certain
hit_count limit within a minute.

When this was enabled, it worked...sort of. While iptables was keeping
track of IPs, we weren't able to block when tests were performed.

The reason had something to do with IPs in a "buffer pool" (??) being
knocked out when new IPs were tracked? I don't have the actual issue as he
never documented it. I'm guessing that while iptables was keeping track of
hit_counts, the list grew so big that it had to bump out IPs at the end of
the list to track new ones.


You may be talking about the "recent" match.
The iptables or iptables-extensions manpage describes how to tune its table sizes.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
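The behaviour described in the question (tracked addresses getting pushed out as new ones arrive) is what the "recent" match's per-table address limit looks like in practice, and the reply points at the manpage for tuning it. The following shell script is an added example, not code from either poster or from the netfilter project: it validates the requested limits against the documented xt_recent module parameters, prints the modprobe.d line that raises them, and prints a rule set that uses the match. The chain name RATE_LIMIT, the table name webhits, the 60-second window, the 30-hit threshold and the 5000-address capacity are assumed values; nothing is applied to the running firewall (pipe the printed rules to a root shell to do that).

```shell
#!/bin/sh
# Added example, not from the thread: size the xt_recent tables behind the
# "recent" match and emit the rules that use them.
# Assumed values: chain RATE_LIMIT, table webhits, 60 s window, 30 hits,
# room for 5000 distinct source addresses.

WINDOW=60            # --seconds
HITS=30              # --hitcount
SOURCES=5000         # distinct addresses we want tracked at the same time
TABLE=webhits        # --name of the recent table
PKT_LIST_TOT=$HITS   # timestamps kept per address; must be >= HITS

# xt_recent module parameters documented in iptables-extensions(8):
#   ip_list_tot      addresses kept per table (default 100); when the table
#                    is full the least recently seen address is evicted
#   ip_pkt_list_tot  timestamps kept per address (default 20); the manpage
#                    gives it as the maximum value for --hitcount
# With the defaults, the 101st address evicts the oldest tracked one, which is
# the "bumped out of the list" behaviour described in the question.

# Return 0 if the requested hitcount fits the per-address timestamp limit.
recent_params_ok() {
    hits=$1; pkt_list_tot=$2
    [ "$hits" -ge 1 ] || return 1
    [ "$hits" -le "$pkt_list_tot" ] || return 1
    return 0
}

# Print the modprobe.d line that raises the table limits. The module reads
# these only at load time, so it must be (re)loaded before rules use them.
recent_modprobe_conf() {
    sources=$1; pkt_list_tot=$2
    printf 'options xt_recent ip_list_tot=%s ip_pkt_list_tot=%s\n' \
        "$sources" "$pkt_list_tot"
}

# Print the rules. The --update/--hitcount rule comes first so a packet that
# crosses the threshold is dropped and not recorded a second time; --set then
# records every packet that was not dropped, creating the entry on first sight.
recent_rules() {
    cat <<EOF
iptables -N RATE_LIMIT
iptables -A RATE_LIMIT -m recent --name $TABLE --update --seconds $WINDOW --hitcount $HITS -j DROP
iptables -A RATE_LIMIT -m recent --name $TABLE --set
iptables -A INPUT -p tcp --dport 80 --syn -j RATE_LIMIT
EOF
}

# The live table can be inspected in /proc/net/xt_recent/$TABLE once loaded.
main() {
    if recent_params_ok "$HITS" "$PKT_LIST_TOT"; then
        echo "# /etc/modprobe.d/xt_recent.conf"
        recent_modprobe_conf "$SOURCES" "$PKT_LIST_TOT"
        echo "# rules"
        recent_rules
    else
        echo "hitcount $HITS exceeds ip_pkt_list_tot $PKT_LIST_TOT" >&2
        exit 1
    fi
}

main "$@"
```

The important point for the question in the thread is ip_list_tot: it caps how many addresses one recent table remembers, and eviction is silent, so a test that sends traffic from more addresses than the table holds will see earlier sources "forgotten" before they reach the hit count.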


