Bug 109537 - iptables' libipt_recent match module ignores hitcount parameter
Summary: iptables' libipt_recent match module ignores hitcount parameter
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2005-10-17 00:32 UTC by Triffid Hunter
Modified: 2005-10-24 20:16 UTC (History)
Description Triffid Hunter 2005-10-17 00:32:29 UTC
~ # iptables --line-numbers -v -L INPUT
Chain INPUT (policy DROP 198K packets, 19M bytes)
num   pkts bytes target     prot opt in     out     source               destination
...
9    13319  794K CONNRATELIMIT  tcp  --  eth0   any    !192.168.0.0/24       funkmunch.net       multiport dports ftp,ssh,smtp,pop3
...

~ # iptables --line-numbers -v -L CONNRATELIMIT

Chain CONNRATELIMIT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1    60            tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN recent: SET name: tcp side: source
2        1    60 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN recent: CHECK seconds: 120 hit_count: 10 name: tcp side: source LOG level warning
3        1    60 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN recent: CHECK seconds: 120 hit_count: 10 name: tcp side: source


The above rules block every SYN packet, though they should allow 10 every 2 minutes per ip address, then start blocking according to the manual.

Reproducible: Always
Steps to Reproduce:
1. create above rules with ipt_recent module
2. echo 'clear' > /proc/net/ipt_recent/tcp
3. try to connect


Actual Results:  
connection refused, every time, even just after a clear.

Expected Results:  
connection allowed 10 times per 2 minutes per ip address

# iptables --version
iptables v1.3.3
# uname -a
Linux peladrine 2.6.12-gentoo-r3.peladrine #1 Wed Jul 6 03:16:37 EST 2005 i686 AMD Duron(tm) Processor AuthenticAMD GNU/Linux

# emerge info
Portage 2.0.52-r1 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r1, 2.6.12-gentoo-r3.peladrine i686)
=================================================================
System uname: 2.6.12-gentoo-r3.peladrine i686 AMD Duron(tm) Processor
Gentoo Base System version 1.12.0_pre6
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-lang/python:     2.3.5, 2.4.1-r1
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=athlon-tbird -maccumulate-outgoing-args -mcpu=athlon-tbird -momit-leaf-frame-pointer -mfpmath=387 -mtune=athlon-tbird -fexpensive-optimizations -fmove-all-movables -fomit-frame-pointer -fprefetch-loop-arrays -frerun-cse-after-loop -frerun-loop-opt -ftracer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-O2 -pipe -march=athlon-tbird -maccumulate-outgoing-args -mcpu=athlon-tbird -momit-leaf-frame-pointer -mfpmath=387 -mtune=athlon-tbird -fexpensive-optimizations -fmove-all-movables -fomit-frame-pointer -fprefetch-loop-arrays -frerun-cse-after-loop -frerun-loop-opt -ftracer -fvisibility-inlines-hidden"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distcc distlocks fixpackages sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.isp.net.au/pub/gentoo/ http://mirror.aarnet.edu.au/pub/gentoo/ http://mirror.pacific.net.au/linux/Gentoo"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://mirror.wa.3fl.net/gentoo-portage"
USE="3dnow 3dnowext X509 a52 aac acpi alsa apache2 apm atm avi bash-completion berkdb big-tables bind-mysql bitmap-fonts bzip2 bzlib caps cli crypt curl dba dedicated divx4linux djbfft dts dvd eds emboss encode erandom exif extensions fame fastcgi foomaticdb fortran ftp gd-external gdbm gif glibc-omitfp gnutls gpm gstreamer gtk2 hardenedphp hpn imagemagick imagemajick imlib inifile ipv6 ithreads jpeg junit libg++ libwww linuxthreads-tls lzo mad math mbox memlimit mhash mikmod mime mjpeg mmap mmx mmxext mod_perl mod_php mp3 mpeg mpm-worker mysql mysqli ncurses network nls nocd nojoystick novideo nptl offensive ogg oggvorbis oss pam pam_chroot pam_console pam_timestamp pcre pdflib perl php png posix pvm python readline samba session shared sharedext soap sockets socks5 sse ssl tcpd tetex threads tokenizer truetype-fonts type1-fonts usb userlocales vhosts vorbis win32codecs x86 xinetd xml xml2 xmlrpc xsl xvid yv12 zip zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
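The following is an added example, not part of the bug report and not netfilter code. It is a small Python model of what the recent match is documented to do (a per-source list of packet timestamps, with CHECK matching once at least hit_count hits fall inside the last N seconds), run against the CONNRATELIMIT chain shown above, so a reader can see what the rule set should have produced on a working kernel. Assumptions made here: the list bound of 20 entries stands in for the module's ip_pkt_list_tot default, the source address 192.0.2.10 and the SYN arrival times are constructed test data, and rule 2 (LOG) is treated as non-terminating so the DROP in rule 3 decides the verdict. One thing the model makes visible: because the reporter's chain runs SET before CHECK, the current SYN's own hit is already counted when CHECK runs, so the 10th SYN in a window is the first one dropped; running CHECK before SET admits exactly 10. Both orders stay far from "every SYN dropped", which is the behaviour the report describes.

```python
from collections import defaultdict, deque


class RecentTable:
    """Model of one ipt_recent list, e.g. the one behind /proc/net/ipt_recent/tcp.

    Each source address maps to a bounded queue of packet timestamps. The bound
    stands in for the module's ip_pkt_list_tot parameter (assumed default 20).
    """

    def __init__(self, name, pkt_list_tot=20):
        self.name = name
        self.pkt_list_tot = pkt_list_tot
        self.hits = defaultdict(deque)

    def set(self, addr, now):
        """'recent: SET': record a hit for addr at time now (seconds)."""
        q = self.hits[addr]
        q.append(now)
        if len(q) > self.pkt_list_tot:
            q.popleft()  # the oldest timestamp is forgotten once the list is full

    def rcheck(self, addr, now, seconds, hitcount):
        """'recent: CHECK seconds: S hit_count: N': does addr have at least N
        hits within the last S seconds? Unlike SET, this records nothing."""
        q = self.hits.get(addr)
        if not q:
            return False
        in_window = sum(1 for t in q if now - t <= seconds)
        return in_window >= hitcount

    def clear(self):
        """Equivalent of: echo 'clear' > /proc/net/ipt_recent/<name>"""
        self.hits.clear()


def connratelimit(table, src, now, set_first=True, seconds=120, hitcount=10):
    """One SYN through the CONNRATELIMIT chain from the report.

    set_first=True is the reporter's order (rule 1 SET, then rules 2 and 3 CHECK).
    set_first=False is the alternative order, CHECK before SET, where the current
    packet's own hit is not yet counted by the check.
    Returns 'DROP' when the CHECK rules match (rule 2 LOG does not end evaluation,
    rule 3 DROP does) or 'RETURN' when the packet falls off the end of the chain.
    """
    if set_first:
        table.set(src, now)
        matched = table.rcheck(src, now, seconds, hitcount)
    else:
        matched = table.rcheck(src, now, seconds, hitcount)
        table.set(src, now)
    return "DROP" if matched else "RETURN"


def count_accepted(syn_times, set_first=True, src="192.0.2.10"):
    """Feed a constructed series of SYN arrival times (seconds) from one source
    through a fresh table and count how many are not dropped."""
    table = RecentTable("tcp")
    verdicts = [connratelimit(table, src, t, set_first) for t in syn_times]
    return verdicts.count("RETURN")


if __name__ == "__main__":
    burst = list(range(12))  # constructed: 12 SYNs from one host, one per second
    print("SET then CHECK (report's order):", count_accepted(burst, True))   # 9
    print("CHECK then SET:", count_accepted(burst, False))                   # 10
    # The same source retries after the 120 s window has expired.
    print("with retries after window:", count_accepted(burst + [300, 301]))  # 11
```

The model is deliberately strict about one detail that matters when reading the counters in the listing: SET and CHECK are separate rules, so their pkts/bytes counters should diverge as soon as a source passes the threshold. In the report all three rules show a single packet each, which is consistent with the description of every connection being refused after a clear.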
Comment 1 SpanKY gentoo-dev 2005-10-17 05:33:33 UTC
try different versions of iptables / kernel and see if you can find one that works
Comment 2 SpanKY gentoo-dev 2005-10-24 20:16:46 UTC
and/or file a bug with upstream iptables

http://bugzilla.netfilter.org/