$IPTABLES -N ok_tcp
$IPTABLES -A ok_tcp -p TCP -m state --state NEW -m recent --name ftcp --set
$IPTABLES -A ok_tcp -p TCP -m state --state NEW -m recent --name ftcp --update --seconds 30 --hitcount 300 -j DROP
$IPTABLES -A ok_tcp -j ACCEPT

Reproducible: Always

iptables 1.4.0-r1, kernel 2.6.25-r7
Created attachment 161342 [details] config of kernel
Have you tried iptables-1.4.1.1?
No.

echo " - Creating a allowed TCP chain"
$IPTABLES -N ok_tcp
$IPTABLES -A ok_tcp -p TCP -m state --state NEW -m recent --name ftcp --set
$IPTABLES -A ok_tcp -p TCP -m state --state NEW -m recent --name ftcp --update --seconds 5 --hitcount 20 -j REJECT --reject-with tcp-reset
$IPTABLES -A ok_tcp -p TCP --syn -j ACCEPT
$IPTABLES -A ok_tcp -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

No more than 20 :(

 - Creating a allowed UDP chain
iptables: Invalid argument

mike ~ # iptables -V
iptables v1.4.1.1
From net/ipv4/netfilter/ipt_recent.c:

static unsigned int ip_list_tot = 100;
static unsigned int ip_pkt_list_tot = 20;
MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP to remember (max. 255)");

Maybe this is wrong?
Compile kernel with IPTABLES modules <M> (old status is <*>)
Re-emerge iptables 1.4.1.1
Reboot

Now it is working fine. No more than 255 hitcount. :-) Thanks.
Oops, sorry, I changed the kernel tree for it:

static unsigned int ip_list_tot = 500;
static unsigned int ip_pkt_list_tot = 255;

Sorry. I don't know what it is :(
Sounds like a kernel issue and not anything userspace then... Thanks for the research into the source.
Can you test with gentoo-sources-2.6.27-rX?
whoops - taking back
Did this work on pre-2.6.25 kernels? If so, which ones did you test?
Also, it would be useful if you ran the iptables commands one by one so that we know exactly which one is failing. Right now it could be any one of the five, and we can only place guesses which one is actually producing the error.
This command is failing:

iptables -A ok_tcp -p TCP -m state --state NEW -m recent --name ftcp --update --seconds 30 --hitcount 300 -j DROP

Try it. No, I can't test on pre-2.6.25 kernels or 2.6.27 kernels. Sorry.
(In reply to comment #4)
> from net/ipv4/netfilter/ipt_recent.c:
> static unsigned int ip_list_tot = 100;
> static unsigned int ip_pkt_list_tot = 20;
> MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
> MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP to remember (max.
> 255)");
> Maybe this wrong?

Am I missing something here? The above are the defaults. If you want to keep track of more than 20 packets per IP (up to 255) load the module with the correct parameter. For example,

# modprobe ipt_recent ip_pkt_list_tot=200
Has this default behaviour changed after 2.6.24???? :-/ Thanks for help! :-)
I checked 2.6.24 and it has the same defaults. I then found this commit, which has come since 2.6.24: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d0ebf133590abdc035af6e19a6568667af0ab3b0 So, your iptables rule wasn't working on 2.6.24, but there was no failure message. Since then, netfilter has been fixed not to silently accept the unmatchable rule, hence you seeing the error message from iptables. The fix is to set the right value in the module parameter. Eray, thanks a lot for looking into this!