There is a problem with connlimit for iptables.

In iptables-1.3.4:

~ # iptables -I OUTPUT -m connlimit --connlimit-above 50 -j DROP
iptables: No chain/target/match by that name

In iptables-1.3.5:

~ # iptables -I OUTPUT -m connlimit --connlimit-above 50 -j DROP
iptables: Unknown error 4294967295

Other rules added to the OUTPUT chain work fine; only connlimit produces errors.

~ # emerge --info
Portage 2.0.54 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r3, 2.6.15-gentoo-r1-patch-o-matic-v2 i686)
=================================================================
System uname: 2.6.15-gentoo-r1-patch-o-matic-v2 i686 Pentium II (Deschutes)
Gentoo Base System version 1.6.14
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium2 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium2 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.du.se/pub/os/gentoo http://gentoo.zie.pg.gda.pl http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://mirror.switch.ch/mirror/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 acl acpi4linux alsa apm arts avi bash-completion berkdb bitmap-fonts bzip2 cdr chroot crypt curl customlog dri eds emboss encode ethereal expat extensions flood foomaticdb fortran ftp gd gdbm gif gmp gpm gstreamer idn imagemagic imagemagick imap imlib isdnlog java jpeg ldap libclamav libg++ libwww logrotate mad maildir mcal mhash mikmod motif mozilla mp3 mpeg mysql mysqli ncurses nls nntp ntlm ogg oggvorbis opengl oss pam pcre pdflib perl php png pppd procmail python quicktime readline remote ruby samba sasl sdl slang snmp spell ssl stats svga tcpd threads tiff truetype truetype-fonts type1-fonts underscores unicode uudeview virus-scan vorbis vpopmail xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

~ # grep -i match_limit /usr/src/linux/.config
CONFIG_IP_NF_MATCH_LIMIT=m

~ # lsmod | grep limit
ipt_limit               2240  2

~ # equery uses iptables | grep extensions
 + + extensions : Enable support for 3rd patch-o-matic extensions

~ # iptables -m connlimit --help | tail -n 4
connlimit v1.3.5 options:
[!] --connlimit-above n        match if the number of existing tcp connections is (not) above n
    --connlimit-mask n         group hosts using mask
Cannot see the direct security impact, thus reassigning to base-system. Beware, because I'm slightly drunk - flame me if this was a wrong decision.
(In reply to comment #1)
> cannot see the direct security impact, thus reassigning to base-system. Beware,
> because I'm slightly drunk - flame me if this was a wrong decision.

You may be right. It's my first bug report here and I thought that if I write about iptables, I write about security rather than base-system. This "bug" certainly does not cause security problems. Sorry, and thank you for the correction :)
The name of the module is ipt_connlimit, not ipt_limit. (ipt_limit is for another purpose.)

If you want to use connlimit you must patch your kernel with patch-o-matic.
Thanks for the info.
(In reply to comment #3)
> The name of the module is ipt_connlimit not ipt_limit. (ipt_limit is for
> another purpose)
>
> If you want to use connlimit you must patch your kernel with patch-o-matic.

I used patch-o-matic-ng and applied it to the kernel and iptables. The error is unresolved and still appears. I should have written this in the first post:

~ # grep -i limit /usr/src/linux/.config
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_HASHLIMIT=y
CONFIG_IP_NF_MATCH_CONNLIMIT=y

instead of the output of the command:

~ # grep -i match_limit /usr/src/linux/.config
> I used patch-o-matic-ng and applied it to the kernel and iptables. The error is
> unresolved and still appears.

I tried it with a 2.6.16 kernel the other day and it worked. Maybe this is irrelevant, but:

a) I only applied the patch to the kernel.
b) I built it as a module.
c) There were errors running patch-o-matic. After patching, menuconfig showed me the CONNLIMIT MATCH option, but it never built the module, so I patched it manually and everything was OK.

So, I suggest you try building it as a module, and see if it creates (and loads) it.
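The check that comments #3 and #5 describe, written out as a small script: look for the connlimit option under its own name in the kernel .config (the reporter's `grep -i match_limit` does not match `MATCH_CONNLIMIT`), distinguish a built-in match (`=y`, which is compiled into the kernel and never shows up in `lsmod`) from a module (`=m`, which has to be loaded), and match the full module name rather than `grep limit`, which only finds the unrelated ipt_limit. This is an added example, not code from the bug report or from the iptables project. It assumes the `CONFIG_IP_NF_MATCH_CONNLIMIT` option name seen in the thread and, for mainline kernels that later merged the match, `CONFIG_NETFILTER_XT_MATCH_CONNLIMIT` and the module name `xt_connlimit`; the .config and lsmod text it runs over is constructed sample data, with a commented live invocation at the end.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether "iptables -m connlimit"
# can work on a given kernel by inspecting its .config and lsmod output.
# Both checks read text files, so they run against saved dumps or a live box.

# Print how the connlimit match is configured in a kernel .config:
# "builtin" for =y, "module" for =m, "absent" if the option is not set.
# patch-o-matic kernels used CONFIG_IP_NF_MATCH_CONNLIMIT; mainline kernels
# use CONFIG_NETFILTER_XT_MATCH_CONNLIMIT once the match was merged (assumption
# about the later name, not something the thread shows).
connlimit_kconfig_state() {
    line=$(grep -E '^CONFIG_(IP_NF|NETFILTER_XT)_MATCH_CONNLIMIT=' "$1" | head -n 1)
    case "$line" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# Succeed if the connlimit module is listed in an lsmod dump (first column is
# the module name). ipt_limit is a different match, so a loose "grep limit"
# is not a valid check; compare the whole name.
connlimit_module_loaded() {
    awk '$1 == "ipt_connlimit" || $1 == "xt_connlimit" { found = 1 }
         END { exit !found }' "$1"
}

# Combined verdict: return 0 (and say why) when the match is usable, 1 otherwise.
connlimit_usable() {
    config="$1"; lsmod_dump="$2"
    case "$(connlimit_kconfig_state "$config")" in
        builtin)
            echo "connlimit is compiled into the kernel; nothing to load"
            return 0 ;;
        module)
            if connlimit_module_loaded "$lsmod_dump"; then
                echo "connlimit is built as a module and loaded"
                return 0
            fi
            echo "connlimit is built as a module but not loaded (modprobe ipt_connlimit)"
            return 1 ;;
        *)
            echo "kernel has no connlimit match; iptables -m connlimit cannot work"
            return 1 ;;
    esac
}

# Constructed sample inputs (not real captures) mirroring the thread: a kernel
# with only the limit match, one with connlimit built in, one with it as a module.
work=$(mktemp -d)
printf 'CONFIG_IP_NF_MATCH_LIMIT=m\nCONFIG_IP_NF_MATCH_HASHLIMIT=y\n' > "$work/no_connlimit.config"
printf 'CONFIG_IP_NF_MATCH_LIMIT=m\nCONFIG_IP_NF_MATCH_HASHLIMIT=y\nCONFIG_IP_NF_MATCH_CONNLIMIT=y\n' > "$work/builtin.config"
printf 'CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m\n' > "$work/module.config"
printf 'Module Size Used by\nipt_limit 2240 2\nip_tables 18432 3 ipt_limit\n' > "$work/lsmod_limit_only.txt"
printf 'Module Size Used by\nxt_connlimit 4096 1\nipt_limit 2240 2\n' > "$work/lsmod_connlimit.txt"

connlimit_usable "$work/no_connlimit.config" "$work/lsmod_limit_only.txt" || true
connlimit_usable "$work/builtin.config"      "$work/lsmod_limit_only.txt" || true
connlimit_usable "$work/module.config"       "$work/lsmod_limit_only.txt" || true
connlimit_usable "$work/module.config"       "$work/lsmod_connlimit.txt"  || true

# Live check on the machine at hand (as root, with the running kernel's source tree):
#   lsmod > /tmp/lsmod.txt
#   connlimit_usable /usr/src/linux/.config /tmp/lsmod.txt
```

Against the reporter's own output this prints the "compiled into the kernel" verdict: `CONFIG_IP_NF_MATCH_CONNLIMIT=y` means the absence of a connlimit line in `lsmod` is expected, so the kernel side is present and the remaining question is whether the userspace libipt_connlimit matches it.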
Go to the forums for support with custom kernel patching.