Re[2]: Is connlimit available in etch? Will it be available in future?

To: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Cc: Debian Firewall <debian-firewall@lists.debian.org>
Subject: Re[2]: Is connlimit available in etch? Will it be available in future?
From: Nick Y Kuzminyh <nick_kuz@deom.chph.ras.ru>
Date: Mon, 20 Oct 2008 12:56:01 +0300
Message-id: <[🔎] 1519460420.20081020125601@deom.chph.ras.ru>
Reply-to: Nick Y Kuzminyh <nick_kuz@deom.chph.ras.ru>
In-reply-to: <[🔎] 48F89928.70306@plouf.fr.eu.org>
References: <[🔎] 784115248.20081017143545@deom.chph.ras.ru> <[🔎] 48F89928.70306@plouf.fr.eu.org>

Dear Pascal,
It seems that "connlimit" doesn't work even on kernel etch-n-half.
(though error output in etch-n-half is quite different from that
 in default 2.6.18-6 kernel)

Friday, October 17, 2008, 4:54:48 PM, you wrote:

> The connlimit match support was included in the mainline kernel since 
> version 2.6.23, so it is not available in the default 2.6.18 kernels 
> included in Debian etch. However it is available in the newer 
> 2.6.24-etchnhalf kernel which was added to the latest release of Debian
> etch, 4.0r4.

I used two PCs with up-to-date "etch" for architectures AMD64 and 486,
and in both cases I've got error message:
"iptables: Invalid argument"

1)  Kernels used:
         2.6.24-etchnhalf.1-amd64
         2.6.24-etchnhalf.1-486

2) iptables package:  iptables-1.3.6.0debian1-5

3) Output of "zgrep CONNLIMIT /proc/config.gz" command:
         CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m"

4) iptables command:
        frya:/home/nick# iptables -t filter -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
   iptables error message:
        iptables: Invalid argument

5) The same command with "strace" produced bulk output that I can't
understand. I've compared this output with normally completed iptables
command, and I think that main difference is at last "setsockopt"
call. Please find below last 4 lines of strace for 486 architecture:
--------------------------------------------------------------------------------------
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
getsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\313\200\267\t\313\10\0\0\0\200#\0\313\240\35\n"..., [84]) = 0
getsockopt(3, SOL_IP, 0x41 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [840]) = 0
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1136) = -1 EINVAL (Invalid argument)
write(2, "iptables: Invalid argument\n", 27iptables: Invalid argument
) = 27
exit_group(1)                           = ?
--------------------------------------------------------------------------------------

===Questions===
1) Is it a bug? If yes, should I report it via Bugzilla?
2) Does "connlimit" work in next release candidate "lenny"?



-- 
Best regards,
 Nick

Reply to:

Follow-Ups:
- Re: Is connlimit available in etch? Will it be available in future?
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
- Re: Is connlimit available in etch? Will it be available in future?
  - From: Ansgar Wiechers <lists@planetcobalt.net>

References:
- Is connlimit available in etch? Will it be available in future?
  - From: Nick Y Kuzminyh <nick_kuz@deom.chph.ras.ru>
- Re: Is connlimit available in etch? Will it be available in future?
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

Prev by Date: Re: About Shorewall FIrewall (Help)
Next by Date: Re: Is connlimit available in etch? Will it be available in future?
Previous by thread: Re: Is connlimit available in etch? Will it be available in future?
Next by thread: Re: Is connlimit available in etch? Will it be available in future?
Index(es):
- Date
- Thread