
Re: Is connlimit available in etch? Will it be available in future?



Nick Y Kuzminyh wrote:
> It seems that "connlimit" doesn't work even on kernel etch-n-half.
> (though error output in etch-n-half is quite different from that
> in default 2.6.18-6 kernel)
> [...]
> 4) iptables command:
>         frya:/home/nick# iptables -t filter -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
>    iptables error message:
>         iptables: Invalid argument
> [...]
> 1) Is it a bug? If yes, should I report it via Bugzilla?

I have the same error here with a custom 2.6.24 kernel on etch. However, it works with iptables 1.4.0, which I had built from source from <http://www.netfilter.org>. I'm afraid that the libipt_connlimit.so in iptables 1.3.6 is just not compatible with the new xt_connlimit module in 2.6.23+ kernels and is only compatible with the old ipt_connlimit kernel module from patch-o-matic-ng. It is likely that other matches and targets have the same compatibility problem. I don't remember exactly why I installed iptables 1.4.0, but it was probably for a similar reason.

There is apparently no backported iptables package in backport-etch.
<http://packages.debian.org/search?keywords=iptables&searchon=names&section=all&suite=etch-backports>

You may build and install iptables 1.4.0 or above as I did. By default, files will be installed in /usr/local/ and won't overwrite files from the Debian iptables package. Here /usr/local/sbin has precedence over /sbin/ in $PATH (I don't know whether that is the default), so "iptables" without a path invokes iptables 1.4.0.

> 2) Does "connlimit" work in next release candidate "lenny"?

Lenny contains iptables 1.4.1, so it should work.
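A small diagnostic script for the userspace/kernel mismatch discussed in this thread, added here as an example and not part of the original mail. It assumes a GNU/Linux box with awk and modinfo; the error classifier is a heuristic built for this example, not an iptables feature, and the live probe (run with `--probe` as root) adds the rule only to a throw-away chain so INPUT is never touched.

```shell
#!/bin/sh
# Added example: check which iptables runs, whether it is new enough for
# xt_connlimit, which connlimit module the kernel has, and classify the error.

# Print "yes" if dotted version $1 is >= $2 (e.g. 1.4.0 >= 1.3.6), else "no".
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) { print "yes"; exit }
            if ((x[i] + 0) < (y[i] + 0)) { print "no";  exit }
        }
        print "yes"
    }'
}

# Heuristic mapping (assumption for this example) from the iptables error text
# to the most likely cause; "Invalid argument" is the symptom from the thread.
classify_error() {
    case "$1" in
        "")                        echo "ok" ;;
        *"Invalid argument"*)      echo "userspace/kernel mismatch (libipt_connlimit vs xt_connlimit)" ;;
        *"No chain/target/match"*) echo "kernel has no connlimit module" ;;
        *)                         echo "unknown: $1" ;;
    esac
}

# Try the thread's rule in a temporary chain, capture stderr only, clean up.
probe_connlimit() {
    bin="$1"; chain="connlimit_probe_$$"
    "$bin" -t filter -N "$chain" || return 1
    err=$("$bin" -t filter -A "$chain" -p tcp --syn --dport 23 \
          -m connlimit --connlimit-above 2 -j REJECT 2>&1 >/dev/null)
    "$bin" -t filter -F "$chain"; "$bin" -t filter -X "$chain"
    classify_error "$err"
}

main() {
    bin=$(command -v iptables) || { echo "iptables not in PATH"; return 1; }
    ver=$("$bin" -V | awk '{ sub(/^v/, "", $2); print $2 }')   # "iptables v1.4.0"
    echo "binary: $bin (v$ver); kernel: $(uname -r); v>=1.4.0: $(ver_ge "$ver" 1.4.0)"
    for m in xt_connlimit ipt_connlimit; do
        modinfo "$m" >/dev/null 2>&1 && echo "kernel module available: $m"
    done
    if [ "$(id -u)" -eq 0 ]; then echo "probe: $(probe_connlimit "$bin")"
    else echo "run as root to probe the rule"; fi
}

if [ "${1-}" = "--probe" ]; then main; fi
```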

