[CentOS] IPTABLES --hitcount maximum value

Tue Dec 22 18:38:40 UTC 2009
James B. Byrne <byrnejb at harte-lyne.ca>

In-Reply-To: <4B30F618.6060809 at kinzesberg.de>

On: Tue, 22 Dec 2009 17:38:48 +0100, "Dirk H. Schulz"
<dirk.schulz at kinzesberg.de> wrote:

> That is a new "phenomenon" I also ran into. You now have to
> adjust memory values.
>
> I have added to my /etc/modprobe.conf
> "options ipt_recent ipt_pkt_list_tot=75"
> Now I can use hitcount values of 50 (did not test if the above
> is sufficient for higher values).

I found this on the net so I deduce that you would be safe up to a
hitcount value of 75.

> [PATCH] netfilter: ipt_recent: sanity check hit count
> From: Daniel Hokka Zakrisson
> Date: Sat Mar 15 2008 - 10:11:05 EST
>
> If a rule using ipt_recent is created with a hit count greater
> than ip_pkt_list_tot, the rule will never match as it cannot
> keep track of enough timestamps. This patch makes ipt_recent
> refuse to create such rules.
>
> With ip_pkt_list_tot's default value of 20, . . .

Thanks for the lead.

Regards,


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
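The check the quoted patch adds inside the kernel, done ahead of time in userland as an added example (not code from this thread or from the netfilter project): a POSIX shell function that scans iptables-save style rules for "-m recent" matches whose --hitcount exceeds ip_pkt_list_tot. The ruleset is constructed sample input, the sysfs parameter paths are assumed, and the fallback of 20 is the default the patch description cites.

```shell
#!/bin/sh
# Added example, not from the thread or the netfilter project: a userland
# version of the sanity check the quoted patch adds to the kernel. A rule
# whose --hitcount exceeds ip_pkt_list_tot can never match, so flag it early.

# Constructed sample ruleset in iptables-save format.
SAMPLE_RULES='-A INPUT -p tcp --dport 22 -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp --dport 80 -m recent --update --seconds 10 --hitcount 50 --name HTTP -j DROP
-A INPUT -p tcp --dport 443 -m recent --update --seconds 10 --hitcount 20 --name HTTPS -j DROP'

# Read the live limit from sysfs (paths assumed: xt_recent on newer kernels,
# ipt_recent on older ones); fall back to the kernel default of 20.
pkt_list_tot() {
    for f in /sys/module/xt_recent/parameters/ip_pkt_list_tot \
             /sys/module/ipt_recent/parameters/ip_pkt_list_tot; do
        if [ -r "$f" ]; then cat "$f"; return; fi
    done
    echo 20
}

# check_hitcount LIMIT RULES
# Reports each offending rule on stderr and prints the number of rules whose
# --hitcount is greater than LIMIT (0 means the ruleset is safe to load).
check_hitcount() {
    limit=$1
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            *"-m recent "*"--hitcount "*) ;;
            *) continue ;;
        esac
        hc=${rule##*--hitcount }   # text after the last --hitcount
        hc=${hc%% *}               # its first token: the count
        case "$hc" in
            ''|*[!0-9]*) continue ;; # not a plain number, skip
        esac
        if [ "$hc" -gt "$limit" ]; then
            printf 'hitcount %s > ip_pkt_list_tot=%s: %s\n' "$hc" "$limit" "$rule" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$2
EOF
    echo "$bad"
}

# On a live host: check_hitcount "$(pkt_list_tot)" "$(iptables-save)"
check_hitcount "$(pkt_list_tot)" "$SAMPLE_RULES"
```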