Bug 521999

Summary: ip_tables: connlimit match: invalid size 32 != 24
Product: Red Hat Enterprise MRG
Reporter: Eugene Teo (Security Response) <eteo>
Component: realtime-kernel
Assignee: Luis Claudio R. Goncalves <lgoncalv>
Status: CLOSED ERRATA
QA Contact: David Sommerseth <davids>
Severity: high
Priority: urgent
Version: Development
CC: bhu, eteo, jpirko, lgoncalv, ovasik, twoerner, williams
Target Milestone: 1.1.9
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Clones: 529867, 531831
Last Closed: 2009-11-03 18:21:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 520797
Bug Blocks: 529867, 531831
Attachments: proposed patch (flags: none)

Description Eugene Teo (Security Response) 2009-09-09 02:54:11 UTC
Description of problem:
# rpm -q iptables
iptables-1.3.5-5.3.el5.test
# uname -rm
2.6.24.7-126.el5rt i686
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j REJECT
iptables: Unknown error 4294967295
# tail -1 /var/log/messages
Sep  7 23:07:31 host kernel: ip_tables: connlimit match: invalid size 32 != 24

It worked on 2.6.18-164.el5 i686 though.

Related to bug 520797. See: https://bugzilla.redhat.com/show_bug.cgi?id=520797#c13

There are compatibility problems between 2.6.24+ and iptables-1.3.5 that have to be solved in the 2.6.24+ rt kernel. This is a potential problem for the 2.6.30+ rt kernel too.
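
The log line in the description comes from the size check the netfilter core applies to every match's option blob before a rule is accepted: the kernel compares the XT_ALIGN'ed size of the struct it was compiled with against the size the iptables binary wrote into the rule, and refuses the rule with -EINVAL when they differ, rather than interpreting a blob whose layout it does not share. The following is an added example (not code from this bug, the kernel, or iptables) that models that check host-independently: a small C layout calculator, the XT_ALIGN rounding, and the comparison itself, fed with the two figures the kernel reported (32 and 24). The member list for struct xt_connlimit_info on an i686 2.6.24 kernel (a 16-byte mask union, two unsigned ints, and a data pointer declared aligned(8)) is reproduced from memory of the upstream header and is an assumption; the page does not show which userspace layout produced the 24-byte blob, so that side is taken as the bare number.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* One struct member as the compiler sees it: size and alignment in bytes. */
struct field {
    const char *name;
    size_t size;
    size_t align;
};

static size_t round_up(size_t v, size_t a)
{
    return (v + a - 1) / a * a;
}

/* Standard C layout rule: each member starts at the next offset that is a
 * multiple of its alignment, and the whole struct is padded to the largest
 * member alignment so that arrays of it stay aligned. */
static size_t struct_size(const struct field *f, size_t n)
{
    size_t off = 0, max_align = 1;
    for (size_t i = 0; i < n; i++) {
        if (f[i].align > max_align)
            max_align = f[i].align;
        off = round_up(off, f[i].align) + f[i].size;
    }
    return round_up(off, max_align);
}

/* XT_ALIGN(): netfilter rounds every match/target option blob up to an
 * 8-byte boundary, on 32-bit and 64-bit kernels alike. */
static size_t xt_align(size_t s)
{
    return round_up(s, 8);
}

/* Model of the size test in xt_check_match(): a mismatch means kernel and
 * userspace disagree on the struct layout, so the rule is refused instead
 * of parsing a blob that may be shorter than the kernel expects. Only the
 * rounded size is compared, so two layouts with the same XT_ALIGN'ed size
 * but different member offsets would not be caught here. */
static int check_match_size(const char *match, size_t kernel_sz, size_t user_sz)
{
    if (xt_align(kernel_sz) != user_sz) {
        fprintf(stderr, "ip_tables: %s match: invalid size %zu != %zu\n",
                match, xt_align(kernel_sz), user_sz);
        return -EINVAL;
    }
    return 0;
}

/* ASSUMED member list of struct xt_connlimit_info on i686 (ILP32) for a
 * 2.6.24 kernel, from memory of the upstream header; an illustration, not
 * a copy of the RHEL header. The aligned(8) pointer is what pushes the
 * struct alignment to 8 and the tail-padded size to 32. */
static const struct field connlimit_i686_kernel[] = {
    { "v4_mask/v6_mask[4]", 16, 4 },
    { "limit",               4, 4 },
    { "inverse",             4, 4 },
    { "data (aligned(8))",   4, 8 },
};

static size_t connlimit_kernel_size(void)
{
    return struct_size(connlimit_i686_kernel,
                       sizeof connlimit_i686_kernel / sizeof *connlimit_i686_kernel);
}

int main(void)
{
    size_t ksz = connlimit_kernel_size();
    printf("kernel struct xt_connlimit_info on i686: %zu bytes, XT_ALIGN -> %zu\n",
           ksz, xt_align(ksz));

    /* 24 is the blob size the iptables 1.3.5 extension in this bug sent;
     * 32 is what a userspace built against the matching header would send. */
    int rc_old = check_match_size("connlimit", ksz, 24);
    int rc_new = check_match_size("connlimit", ksz, 32);
    printf("24-byte blob: rc=%d, 32-byte blob: rc=%d\n", rc_old, rc_new);
    return (rc_old == -EINVAL && rc_new == 0) ? 0 : 1;
}
```

The practical consequence for an operator is that the rule is not installed at all: a connlimit rule meant to cap connections to port 80 is simply absent after the iptables invocation fails, so a firewall script should check the exit status of each iptables call and treat a failure as a missing control, not as a cosmetic warning. Seeing a different pair of numbers in the "invalid size" line points at the same class of problem (kernel and iptables built from different headers) for whichever match is named.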

Comment 2 Jiri Pirko 2009-09-09 13:37:14 UTC
Created attachment 360209 [details]
proposed patch

I briefly tested this patch applied on kernel-rt-2.6.24.7-133.el5rt. Works well. Please test this.

Comment 4 Luis Claudio R. Goncalves 2009-09-10 00:03:58 UTC
Patch added to kernel 2.6.27.7-133.el5rt (brew build job on the way)

Comment 15 David Sommerseth 2009-10-29 11:02:43 UTC
Moved to verified, as this works well with a new version of the user-space iptables.

Note: This feature will still not work until the user-space iptables package is upgraded.

Comment 17 errata-xmlrpc 2009-11-03 18:21:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1540.html