12-22-2009, 03:28 PM
"James B. Byrne"

IPTABLES --hitcount maximum value

Is the maximum permitted value for --hitcount documented anywhere?
I reliably get an iptables-restore error when I specify a hitcount
value greater than 20 but I cannot find any mention of there being a
maximum value.


--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
12-22-2009, 03:38 PM
"Dirk H. Schulz"

IPTABLES --hitcount maximum value

Hi,

James B. Byrne wrote:
> Is the maximum permitted value for --hitcount documented anywhere?
> I reliably get an iptables-restore error when I specify a hitcount
> value greater than 20
That is a new "phenomenon" I also ran into. You now have to adjust
memory values.

I have added to my /etc/modprobe.conf
"options ipt_recent ip_pkt_list_tot=75"
Now I can use hitcount values of 50 (did not test if the above is
sufficient for higher values).

Dirk

 
12-22-2009, 05:38 PM
"James B. Byrne"

IPTABLES --hitcount maximum value

In-Reply-To: <4B30F618.6060809@kinzesberg.de>

On: Tue, 22 Dec 2009 17:38:48 +0100, "Dirk H. Schulz"
<dirk.schulz@kinzesberg.de> wrote:

> That is a new "phenomenon" I also ran into. You now have to
> adjust memory values.
>
> I have added to my /etc/modprobe.conf
> "options ipt_recent ip_pkt_list_tot=75"
> Now I can use hitcount values of 50 (did not test if the above
> is sufficient for higher values).

I found this on the net so I deduce that you would be safe up to a
hitcount value of 75.

> [PATCH] netfilter: ipt_recent: sanity check hit count
> From: Daniel Hokka Zakrisson
> Date: Sat Mar 15 2008 - 10:11:05 EST
>
> If a rule using ipt_recent is created with a hit count greater
> than ip_pkt_list_tot, the rule will never match as it cannot
> keep track of enough timestamps. This patch makes ipt_recent
> refuse to create such rules.
>
> With ip_pkt_list_tot's default value of 20, . . .

Thanks for the lead.

Regards,


--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
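
A pre-flight check for the limit discussed in this thread, as an added example that is not part of any poster's message: it scans a ruleset in iptables-save format for `--hitcount` values larger than `ip_pkt_list_tot`, which is the condition that makes iptables-restore refuse the rule. The function names and the sample ruleset are constructed for illustration, and the sysfs path and the `xt_recent` module name are assumptions about the running kernel.

```shell
#!/bin/sh
# Added example (not from the thread): find rules whose --hitcount exceeds
# the recent module's ip_pkt_list_tot before iptables-restore rejects them.

# Print the loaded module's ip_pkt_list_tot, or 20 (the default named in the
# quoted patch) if it cannot be read. ASSUMPTION: the parameter is exposed in
# /sys/module/<name>/parameters/ and the module is xt_recent or ipt_recent.
pkt_list_tot() {
    for m in xt_recent ipt_recent; do
        f="/sys/module/$m/parameters/ip_pkt_list_tot"
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    echo 20
}

# hitcount_violations FILE LIMIT   (FILE may be "-" for stdin)
# Reports each rule whose --hitcount exceeds LIMIT; exit status 1 if any.
hitcount_violations() {
    awk -v limit="$2" '
        /^[ \t]*#/ { next }                       # comment lines
        {
            for (i = 1; i <= NF; i++) {
                n = ""
                if ($i == "--hitcount" && i < NF) n = $(i + 1)
                else if ($i ~ /^--hitcount=/)     n = substr($i, 12)
                if (n != "" && n + 0 > limit + 0) {
                    printf "line %d: --hitcount %d exceeds ip_pkt_list_tot=%d\n", NR, n, limit
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample ruleset (not taken from the thread).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp --dport 80 -m recent --update --seconds 10 --hitcount 50 --name WEB -j DROP
COMMIT
EOF
}

# Check a saved ruleset when a file is given: sh check.sh RULES_FILE
if [ "$#" -ge 1 ]; then hitcount_violations "$1" "$(pkt_list_tot)"; fi
```

With the sample ruleset and the default limit of 20, only the rule using `--hitcount 50` is reported; with a limit of 75 nothing is.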

 
