After emerging iptables 1.2.11-r3 I noticed it was missing the libipt-dstlimit module.

Reproducible: Always

Steps to Reproduce:
1. emerge iptables
2. try to use dstlimit
3. watch iptables fail.

Actual Results:
chia-pet ~ # iptables -m dstlimit
iptables v1.2.11: Couldn't load match `dstlimit':/lib/iptables/libipt_dstlimit.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.

Expected Results:
Built and installed libipt_dstlimit.so

Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-gentoo-r11 i686)
=================================================================
System uname: 2.6.11-gentoo-r11 i686 Pentium III (Coppermine)
Gentoo Base System version 1.6.12
Python: dev-lang/python-2.3.5 [2.3.5 (#1, Jun 28 2005, 15:34:00)]
dev-lang/python: 2.3.5
sys-apps/sandbox: [Not Present]
sys-devel/autoconf: 2.59-r6, 2.13
sys-devel/automake: 1.9.5, 1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.16
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X alsa apache2 apm arts avi berkdb bitmap-fonts bzip2 crypt cups emboss encode foomaticdb fortran gdbm gif gpm gtk gtk2 imlib ipv6 jpeg libg++ libwww mad matrox mikmod motif mp3 mpeg ncurses nls ogg oggvorbis opengl oss pam pdflib perl png python qt quicktime readline samba sdl spell ssl tcpd tiff truetype truetype-fonts type1-fonts vorbis xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
It's possible this has been renamed in the kernel iptables. The "hashlimit" option seems to support the same options as the "dstlimit". So maybe for some reason this has been renamed on one side, but not the other, so when iptables builds it doesn't find support for "dstlimit" in the kernel, so it doesn't build that module.
so try iptables 1.3.1
iptables 1.3.1 does appear to install the libipt_hashlimit.so module. I just don't like installing packages not marked stable =)
understandable, but your quick test gives us a reason to review the new version as candidate for stable
Alright, sounds good. I appreciate the work and am glad that 1.3.1 includes the required functionality. Can probably close this now. Thanks!
*** Bug 98920 has been marked as a duplicate of this bug. ***
iptables-1.3.2 now in stable
(In reply to comment #1)
> It's possible this has been renamed in the kernel iptables. The "hashlimit"
> option seems to support the same options as the "dstlimit".

No, it does not. Very important for limiting ssh bruteforce login attempts is that very interesting option --destlimit-mode srcip-dstip, which AFAIK has no counterpart in hashlimit.

ervin
dstlimit support requires a patched kernel