Mailing List Archive: iptables: User

Duplicates in recent module

markdv.netfilter at asphyx

Jul 7, 2007, 1:29 AM

Post #1 of 1 (558 views)

Hi,

I'm getting duplicate entries in a "recent" table. E.g.:

# cat banned | grep 193.23.112.133
src=193.23.112.133 ttl: 58 last_seen: 436851854 oldest_pkt: 1 last_pkts: 436851854
src=193.23.112.133 ttl: 58 last_seen: 435101910 oldest_pkt: 1 last_pkts: 435101910
src=193.23.112.133 ttl: 58 last_seen: 435600728 oldest_pkt: 1 last_pkts: 435600728

I took a quick look at the source(*) and, as far as I understand, even
if I would "--set" the same IP multiple times it would/should still only
create one entry.

These are the rules I use:
-A in $ETH0_TCP_SYN -m recent --rcheck --seconds 60 --name banned --rsource -j DROP
-A in $ETH0_TCP_SYN -m recent --remove --name banned --rsource
-A in $ETH0_TCP_SYN -m hashlimit --hashlimit 5/sec --hashlimit-name accept --hashlimit-htable-max 4096 -j ACCEPT
-A in $ETH0_TCP_SYN -m hashlimit --hashlimit 5/sec --hashlimit-name drop --hashlimit-htable-max 4096 -j DROP
-A in $ETH0_TCP_SYN -m recent --set --name banned --rsource -j DROP

Although this tries to avoid adding the same IP to the list multiple
times, I think it is unavoidable that multiple packets could have passed
the initial 'rcheck' and be heading towards the final 'set' rule at the
same time. (It's a quad core CPU.)

Is there something I can, or should, do to prevent these dups?

(*) I must admit that the running kernel is 2.6.17.7 and I looked at
the source of linux-2.6.22-rc5.

Regards,
Mark.
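A small check for the symptom described in this post, added here as an example and not part of the original message or of the netfilter project: it parses a dump of a "recent" table in the line format quoted above (src=..., ttl:, last_seen:, oldest_pkt:, last_pkts:) and reports every source address that has more than one entry, together with how far apart their last_seen values are. The sample dump is constructed for the example, the path /proc/net/xt_recent/banned mentioned in the comments is assumed, and the kernel HZ used to convert jiffies to seconds is an assumption (it is not given in the post).

```python
"""Detect duplicate source entries in an xt_recent-style table dump.

Added example, not code from the original post. The line format follows the
output quoted in the post; the sample lines below are constructed, the file
path /proc/net/xt_recent/banned is assumed, and HZ (kernel tick rate) is an
assumption used only to express last_seen differences in seconds.
"""
import re
from collections import defaultdict

# Constructed sample dump in the same format as the post's "cat banned" output.
SAMPLE_DUMP = """\
src=193.23.112.133 ttl: 58 last_seen: 436851854 oldest_pkt: 1 last_pkts: 436851854
src=10.0.0.7 ttl: 64 last_seen: 436000000 oldest_pkt: 2 last_pkts: 435999000 436000000
src=193.23.112.133 ttl: 58 last_seen: 435101910 oldest_pkt: 1 last_pkts: 435101910
src=193.23.112.133 ttl: 58 last_seen: 435600728 oldest_pkt: 1 last_pkts: 435600728
"""

# One table line: "src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <n> last_pkts: <jiffies...>"
LINE_RE = re.compile(
    r"^src=(?P<src>\S+)\s+ttl:\s*(?P<ttl>\d+)\s+last_seen:\s*(?P<last_seen>\d+)"
    r"\s+oldest_pkt:\s*(?P<oldest_pkt>\d+)\s+last_pkts:\s*(?P<last_pkts>[\d\s]*)$"
)


def parse_recent_table(text):
    """Return one dict per well-formed table line; malformed or blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "src": m.group("src"),
            "ttl": int(m.group("ttl")),
            "last_seen": int(m.group("last_seen")),
            "oldest_pkt": int(m.group("oldest_pkt")),
            "last_pkts": [int(x) for x in m.group("last_pkts").split()],
        })
    return entries


def find_duplicates(entries):
    """Map each source address with more than one entry to its entries, oldest last_seen first."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[e["src"]].append(e)
    return {
        src: sorted(es, key=lambda e: e["last_seen"])
        for src, es in by_src.items()
        if len(es) > 1
    }


def duplicate_report(text, hz=250):
    """Summary lines for each duplicated address.

    hz is the assumed kernel tick rate used to turn jiffies differences into
    seconds; the post does not state it, so 250 here is a placeholder assumption.
    """
    lines = []
    for src, es in sorted(find_duplicates(parse_recent_table(text)).items()):
        spread_s = (es[-1]["last_seen"] - es[0]["last_seen"]) / hz
        lines.append(f"{src}: {len(es)} entries, last_seen spread {spread_s:.1f}s (HZ={hz})")
    return lines


if __name__ == "__main__":
    # On a live system one would read /proc/net/xt_recent/banned (path assumed)
    # instead of the constructed sample.
    for line in duplicate_report(SAMPLE_DUMP):
        print(line)
```

Running the duplicate report periodically against the table dump gives a quick way to confirm whether the multiple entries per address keep appearing after a rule change, rather than inspecting the file by hand with grep.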
