conntrack defrag is needed only if some module like CONNTRACK or NAT
explicitly requests it. For plain forwarding scenarios, defrag is
not needed and can be skipped if NOTRACK is set in a rule.
Since conntrack defrag currently has a higher priority than the raw table,
setting NOTRACK is not sufficient.
On Thu, Jan 04, 2018 at 09:26:40AM +1100, Duncan Roe wrote:
> On Wed, Jan 03, 2018 at 03:41:08PM +0100, Pablo Neira Ayuso wrote:
> > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
> > --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode
> > srcip,dstport
On Wed, Jan 03, 2018 at 03:41:08PM +0100, Pablo Neira Ayuso wrote:
> iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
> --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode
> srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
>
> shows:
>
>
Commit-ID: dfe1b4427835f995aed593d063e6fcdf78b00823
Gitweb: https://git.kernel.org/tip/dfe1b4427835f995aed593d063e6fcdf78b00823
Author: Paul E. McKenney
AuthorDate: Mon, 27 Nov 2017 09:26:06 -0800
Committer: Paul E. McKenney
Commit-ID: 4be2b04e43fd3d8164d7aeb1808e47fbeb0c0de0
Gitweb: https://git.kernel.org/tip/4be2b04e43fd3d8164d7aeb1808e47fbeb0c0de0
Author: Paul E. McKenney
AuthorDate: Mon, 9 Oct 2017 12:09:04 -0700
Committer: Paul E. McKenney
Commit-ID: ffa53c5863ddb265f9a25729023f4d0409cdacf7
Gitweb: https://git.kernel.org/tip/ffa53c5863ddb265f9a25729023f4d0409cdacf7
Author: Paul E. McKenney
AuthorDate: Tue, 24 Oct 2017 06:48:39 -0700
Committer: Paul E. McKenney
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport
--hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
shows:
nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip
On Wed, Jan 03, 2018 at 09:47:46AM +1100, Duncan Roe wrote:
> Hi Pablo,
>
> On Sun, Dec 31, 2017 at 12:16:30AM +0100, Pablo Neira Ayuso wrote:
> > Hi Harsha,
> >
> > On Sun, Dec 31, 2017 at 09:51:10AM +1100, Duncan Roe wrote:
> > > On Thu, Dec 28, 2017 at 11:52:36AM +0100, Pablo Neira Ayuso
Do not output timeout or burst if they are not in the original iptables command.
This version correctly translates all 3 examples in the wiki.
(This is a patch to previous commit 27de281d8aca84e3c841b3ae72a17616b1382ac4)
Signed-off-by: Duncan Roe
---