Toralf Förster <toralf.foers...@gmx.de> wrote:
> At my server (stable hardened Gentoo with vanilla 4.15.7) I do have this rule:
> 
> /sbin/iptables -A OUTPUT -p tcp --destination-port 443 --syn --match 
> connlimit --connlimit-above 3000 --connlimit-mask 0 --connlimit-daddr --match 
> limit --limit 1/second --limit-burst 1 -j LOG --log-prefix "443 hammered "
> 
> Sometimes (usually after 2-4 days uptime) however this rule fires too often - 
> even over hours.
> 
> When I restart the iptable script then the rule stops firing. This happened a 
> few times in a row over the last weeks. So I'm convinced that there wasn't an 
> external event related to this behaviour.

You could check via conntrack -L.
Restarting works because it clears the connlimit state.

> Known issue?

No.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
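The reply's suggestion to compare against `conntrack -L`, as an added example that is not part of the thread: the script parses conntrack output, counts TCP entries to port 443 per state, and flags the symptom described above (the LOG rule keeps firing while conntrack holds no more than the 3000 connections the rule is limited to). The sample conntrack lines are constructed, and leaving TIME_WAIT/CLOSE entries out of the live total is my assumption about what connlimit counts.

```python
import re
import sys
from collections import Counter

# Threshold and port from the iptables rule quoted in the thread.
CONNLIMIT_ABOVE = 3000
DPORT = 443
# Assumption: entries that have already closed are not counted by connlimit.
CLOSED_STATES = {"TIME_WAIT", "CLOSE"}

# Constructed sample of `conntrack -L` output (not captured from the author's server).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431998 ESTABLISHED src=10.0.0.5 dst=198.51.100.8 sport=51235 dport=443 src=198.51.100.8 dst=10.0.0.5 sport=443 dport=51235 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=10.0.0.5 dst=198.51.100.9 sport=51236 dport=443 src=198.51.100.9 dst=10.0.0.5 sport=443 dport=51236 [ASSURED] mark=0 use=1
tcp      6 115 SYN_SENT src=10.0.0.5 dst=198.51.100.10 sport=51237 dport=443 [UNREPLIED] src=198.51.100.10 dst=10.0.0.5 sport=443 dport=51237 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.11 sport=51238 dport=22 src=198.51.100.11 dst=10.0.0.5 sport=22 dport=51238 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=10.0.0.5 sport=53 dport=40000 mark=0 use=1
"""

# Original-direction tuple of a conntrack entry; the TCP state field is absent for UDP.
ORIG_DIR = re.compile(r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?P<state>[A-Z_]+)?\s*"
                      r"src=\S+ dst=\S+ sport=(?P<sport>\d+) dport=(?P<dport>\d+)")

def count_by_state(conntrack_output, dport=DPORT):
    """Count TCP entries whose original-direction dport matches, per TCP state.
    With --connlimit-mask 0 and --connlimit-daddr every destination falls into one
    bucket, so the total over all states is the figure the rule compares with
    --connlimit-above."""
    states = Counter()
    for line in conntrack_output.splitlines():
        m = ORIG_DIR.match(line)
        if m and m.group("proto") == "tcp" and int(m.group("dport")) == dport:
            states[m.group("state")] += 1
    return states

def live_connections(conntrack_output, dport=DPORT):
    """Connections connlimit should still be counting: all TCP entries minus closed ones."""
    states = count_by_state(conntrack_output, dport)
    return sum(n for state, n in states.items() if state not in CLOSED_STATES)

def connlimit_state_looks_stale(conntrack_output, rule_is_firing, dport=DPORT, above=CONNLIMIT_ABOVE):
    """The symptom from the thread: the LOG rule keeps firing although conntrack holds no
    more than `above` live connections, i.e. connlimit's own table is out of step."""
    return rule_is_firing and live_connections(conntrack_output, dport) <= above

if __name__ == "__main__":
    # Real data: conntrack -L | python3 connlimit_check.py   (falls back to the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONNTRACK
    print(dict(count_by_state(data)), "live:", live_connections(data))
```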
