settings for iptables "recent" module

When using the iptables recent module, I can see the module settings here:

$ ls -1 /sys/module/xt_recent/parameters/

and list setting for particular parameter:

$ cat /sys/module/xt_recent/parameters/ip_list_tot
100

I also know I can change the defaults when loading the module.

My question is, what happens when the list reaches the size of ip_list_tot?

Does the recent module stop adding new IP addresses, or does it "rotate" the old ones out and replace them with new ones?

I looked in the help, but could not find any explanation:

iptables -m recent --help

Also, what is a reasonable size for ip_list_tot in a production environment, where I want to block offending IPs? The default ip_list_tot size of 100 seems to me ridiculously small. Could I experience any negative effects if I set it to 10'000?

Asked By: Martin Vegter


After reading (very fast) the source code, I would say that the older entry is removed:

if (t->entries >= ip_list_tot) {
        e = list_entry(t->lru_list.next, struct recent_entry, lru_list);
        recent_entry_remove(t, e);
}

To increase this value, you can set the parameter while loading the module manually:

~$ sudo modinfo -p xt_recent
ip_list_tot:number of IPs to remember per list (uint)
ip_list_hash_size:size of hash table used to look up IPs (uint)
ip_list_perms:permissions on /proc/net/xt_recent/* files (uint)
ip_list_uid:default owner of /proc/net/xt_recent/* files (uint)
ip_list_gid:default owning group of /proc/net/xt_recent/* files (uint)
ip_pkt_list_tot:number of packets per IP address to remember (max. 255) (uint)
~$ sudo modprobe xt_recent ip_list_tot=10000
~$ sudo cat /sys/module/xt_recent/parameters/ip_list_tot
10000

Make sure the module isn’t in use (disable firewall or, at least, rules that use the recent match) before unloading/loading.

To make this setting persistent, you can put a file under /etc/modprobe.d/xt_recent with the following content:

options xt_recent ip_list_tot=10000

(Note this method may not work and may be adapted depending on your distro).

Regarding the performance issues that may be met if you increase consequently this parameter value, it’s quite hard to tell.
It depends on your hardware, on the other tasks running on the system, etc.

Still based on reading the source code and my own background in development, I would say that the main thing you may be afraid of is the introduction of latency if, for example, the currently tested IP is the last one on the list or isn't in the list (which may occur frequently):

static struct recent_table *recent_table_lookup(struct recent_net *recent_net,
                        const char *name)
{
    struct recent_table *t;

    list_for_each_entry(t, &recent_net->tables, list)
        if (!strcmp(t->name, name))
            return t;
    return NULL;
}

Given x the complexity of list_for_each_entry() + strcmp(), the extra "cost" of setting `ip_list_tot` to a huge value is the time to browse the list.

Final complexity may vary between 1 * x and ip_list_tot * x.

Nevertheless, I guess that the chained list in the kernel is well implemented, with performance and speed as requirements.

To conclude, I would advise you to benchmark … if possible.

Answered By: binarym
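To make the eviction rule in the quoted snippet concrete, here is an added Python model of a recent table (written for this page; it is not kernel code and not from the answer's author): ip_list_tot caps the number of addresses per table, the least recently seen address is dropped when a new one arrives at a full table, and ip_pkt_list_tot caps the timestamps kept per address. The --set/--update semantics follow the kernel match as I understand it, with plain integers standing in for jiffies.

```python
from collections import OrderedDict


class RecentTable:
    """Constructed model of one xt_recent table (not the kernel's structure).

    entries is ordered from least recently seen (the kernel's lru_list.next)
    to most recently seen; each value is the list of hit timestamps.
    """

    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=20):
        self.ip_list_tot = ip_list_tot
        # modinfo says ip_pkt_list_tot is capped at 255 packets per address
        self.ip_pkt_list_tot = min(ip_pkt_list_tot, 255)
        self.entries = OrderedDict()

    def _touch(self, ip, now):
        """Record a hit for ip and move it to the most-recently-seen end."""
        stamps = self.entries.pop(ip, [])
        stamps.append(now)
        # like the kernel's ring of stamps, only the newest ip_pkt_list_tot remain
        self.entries[ip] = stamps[-self.ip_pkt_list_tot:]

    def set(self, ip, now):
        """--set: add or refresh ip. Returns the evicted address, if any.

        A full table (entries >= ip_list_tot) drops its least recently seen
        address to make room, which is the behaviour of the quoted snippet.
        """
        evicted = None
        if ip not in self.entries and len(self.entries) >= self.ip_list_tot:
            evicted, _ = self.entries.popitem(last=False)
        self._touch(ip, now)
        return evicted

    def update(self, ip, now, seconds=None, hitcount=1):
        """--update [--seconds N] [--hitcount H]: match an already-known ip
        with at least hitcount hits in the last seconds; refresh it on match.
        """
        if hitcount > self.ip_pkt_list_tot:
            # the kernel rejects such a rule at load time for the same reason
            raise ValueError("hitcount exceeds ip_pkt_list_tot")
        stamps = self.entries.get(ip)
        if stamps is None:
            return False  # unknown addresses never match --update
        recent = [s for s in stamps if seconds is None or now - s <= seconds]
        if len(recent) < hitcount:
            return False
        self._touch(ip, now)
        return True
```

With ip_list_tot=3 an address refreshed by --set survives a later eviction while a quieter one inserted earlier does not, which is the "rotate out" behaviour the question asks about.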