Re: Netfilter patch-o-matic connlimit

From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Wed, 25 Aug 2004 12:51:52 -0400
Stuart Clark wrote:
> Hi there..
> I have a LVS setup with two directors direct routing to 4 real
> servers. 

I'm definitely not the person to reply to this one, but thought I'd
pop up since no-one has replied yet. Hopefully Julian,
Horms or Ratz will pop up and answer you. In the meantime read the HOWTO
about Julian's nfct patch to LVS (and the previous - antefacto - code
that led to it).

> I have been trying to use the 'connlimit' patch from
> Netfilter patch-o-matic on the director to restrict the number of
> concurrent connections coming into the VIP.  I have not been able to
> get it working with the PREROUTING or FORWARD tables, 

I would have thought you could get it to work in PREROUTING, but LVS
bypasses FORWARD, so rules in that chain won't work.

> and was wondering if is due to LVS that connlimit can not seem to track
> connections?

LVS doesn't use conntrack; it's too slow. However, I don't know why you
can't get rules in PREROUTING to work.
