Re: Is connlimit available in etch? Will it be available in future?
Nick Y Kuzminyh wrote:
> It seems that "connlimit" doesn't work even on kernel etch-n-half.
> (though error output in etch-n-half is quite different from that
> in default 2.6.18-6 kernel)
> [...]
> 4) iptables command:
> frya:/home/nick# iptables -t filter -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
> iptables error message:
> iptables: Invalid argument
> [...]
> 1) Is it a bug? If yes, should I report it via Bugzilla?
I have the same error here with a custom 2.6.24 kernel on etch. However
it works with iptables 1.4.0 I had built from source from
<http://www.netfilter.org>. I'm afraid that the libipt_connlimit.so in
iptables 1.3.6 is just not compatible with the new xt_connlimit module
in 2.6.23+ kernels and is only compatible with the old ipt_connlimit
kernel module from the patch-o-matic-ng. It is likely that other matches
and targets have the same compatibility problem. I don't remember
exactly why I installed iptables 1.4.0, but it was probably for a
similar reason.
There is apparently no backported iptables package in backport-etch.
<http://packages.debian.org/search?keywords=iptables&searchon=names&section=all&suite=etch-backports>
You may build and install iptables 1.4.0 or above as I did. By default,
files will be installed in /usr/local/ and won't overwrite files from
the Debian iptables package. Here /usr/local/sbin has precedence over
/sbin/ in $PATH (don't know if it's the default), so "iptables" without
path invokes iptables 1.4.0.
> 2) Does "connlimit" work in next release candidate "lenny"?
Lenny contains iptables 1.4.1, so it should work.
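The diagnosis in the reply above, encoded as a version check so an iptables/kernel pair can be classified without touching a live ruleset. This is an added example, not part of the thread: the cut-offs (xt_connlimit in 2.6.23+ kernels, matching userspace connlimit from iptables 1.4.0) are taken from the reply, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed cut-offs (from the reply):
# xt_connlimit appears in 2.6.23+ kernels; iptables 1.4.0+ ships userspace
# connlimit support that matches it. Runs without root or iptables.

# verge A B: returns 0 when dotted version A >= B, 1 otherwise
verge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
    done
    return 0
}

# connlimit_compat IPTABLES_VER KERNEL_VER
#   0: new userspace + new kernel, connlimit expected to work
#   1: old userspace against xt_connlimit (the "Invalid argument" case above)
#   2: kernel predates xt_connlimit; only the out-of-tree ipt_connlimit
#      module from patch-o-matic-ng could provide the match
connlimit_compat() {
    ipt="${1#v}"; ipt="${ipt%%-*}"   # "v1.4.0-rc1"   -> "1.4.0"
    krn="${2%%-*}"                    # "2.6.18-6-686" -> "2.6.18"
    if ! verge "$krn" 2.6.23; then
        echo "kernel $krn has no xt_connlimit; needs patch-o-matic-ng ipt_connlimit"
        return 2
    fi
    if ! verge "$ipt" 1.4.0; then
        echo "iptables $ipt predates xt_connlimit support; expect 'Invalid argument'"
        return 1
    fi
    echo "iptables $ipt with kernel $krn: connlimit should work"
    return 0
}

# check_running_system: same check against the installed iptables and the
# running kernel; also shows which binary $PATH resolves first, since a
# /usr/local build and the Debian package can coexist.
check_running_system() {
    bin=$(command -v iptables) || { echo "no iptables in PATH"; return 3; }
    ver=$("$bin" -V 2>/dev/null | awk '{print $2}')   # "iptables v1.4.0"
    echo "using $bin ($ver)"
    connlimit_compat "$ver" "$(uname -r)"
}
```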