Bug 483588 - [RFE ] Connlimit kernel module support [rhel-5.4]
[RFE ] Connlimit kernel module support [rhel-5.4]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Jiri Pirko
Red Hat Kernel QE team
: FutureFeature, Triaged
: 476196 (view as bug list)
Depends On:
Blocks: 5.4/TechnicalNotes 522000 522001
  Show dependency treegraph
 
Reported: 2009-02-02 10:25 EST by Issue Tracker
Modified: 2015-05-04 21:16 EDT (History)
16 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 522000 522001 (view as bug list)
Environment:
Last Closed: 2009-09-02 04:48:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
simple tester application (20.00 KB, application/x-tar)
2009-02-18 11:29 EST, Jiri Pirko
no flags Details

  None (edit)
Description Issue Tracker 2009-02-02 10:25:38 EST
Escalated to Bugzilla from IssueTracker
Comment 2 Issue Tracker 2009-02-02 10:25:41 EST
Support,

I haven't checked the 32bit package, however the x86_64 package shows that
we include this module already

iptables-1.3.5-1.2.1.x86_64.rpm

/lib64/iptables/libipt_connlimit.so

--jwest

jwest assigned to issue for SEG - Feature Request.
Internal Status set to 'Waiting on Support'

This event sent from IssueTracker by jwest  [SEG - Feature Request]
 issue 237787
Comment 3 Issue Tracker 2009-02-02 10:25:43 EST
Hello,

I tried using "connlimit" and it shows error in both x86 and x86_64 arch
for RHEL5 latest kernel. It seems to me that library
"libipt_connlimit.so" is there but kernel do not provide required
module. 

# uname -a
Linux dhcp6-167.pnq.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38
EST 2008 x86_64 x86_64 x86_64 GNU/Linux

# iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 16
--connlimit-mask 24 -j DROP
iptables: Unknown error 18446744073709551615

# cd /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/

# ls |grep -i limit
ipt_hashlimit.ko

# ls /lib64/iptables/ |grep -i limit
libip6t_limit.so
libipt_connlimit.so
libipt_hashlimit.so
libipt_limit.so

Regards,
Rohit.


Issue escalated to Support Engineering Group by: rpersai.
Internal Status set to 'Waiting on SEG'
Summary edited.

This event sent from IssueTracker by jwest  [SEG - Feature Request]
 issue 237787
Comment 6 Jiri Pirko 2009-02-16 11:44:47 EST
I have been looking at this and it seems that ipv4 support for connlimit should be backported relatively easily. But to backport ipv6 support for this it looks pretty hard. So I'm asking if ipv4 connlimit support is sufficient.

Thanks.
Comment 7 Jiri Pirko 2009-02-16 14:40:26 EST
*** Bug 476196 has been marked as a duplicate of this bug. ***
Comment 8 Jiri Pirko 2009-02-17 11:52:03 EST
ad c#6

Well, I found only ipv4 support for this is in iptables package so I think it's clear to backport only this part.
Comment 9 Jiri Pirko 2009-02-18 11:29:23 EST
Created attachment 332408 [details]
simple tester application

Simple tester. It firstly sets a limit of connections to tcp port 22222 to 5. Then it starts tcp server which listens on this port and counts connections. Then is starts tcp client which does multiple connections to the server and also counts them. If connlimit works fine, client can't create the sixth connection.

run with unpatched kernel:
[jirka@rhel53 483588_tester]$ sudo ./tester 
iptables: Unknown error 18446744073709551615
Command
"/sbin/iptables -I INPUT -p tcp --dport 22222 -m connlimit --connlimit-above 5 --connlimit-mask 24 -j REJECT"
failed with retval: 1

run with patched kernel:
[jirka@rhel53 483588_tester]$ sudo ./tester 
client: conn#1
client: conn#2
client: conn#3
client: conn#4
client: conn#5
server: conn#1
server: conn#2
server: conn#3
server: conn#4
server: conn#5
Successful!

run with patched kernel with connlimit malfunction (should never happen)
[jirka@rhel53 483588_tester]$ sudo ./tester 
client: conn#1
client: conn#2
client: conn#3
client: conn#4
client: conn#5
client: conn#6
client: REACHED MAX CONNECTION LIMIT!!! CONNLIMIT DOES NOT WORK!
Comment 11 Don Zickus 2009-04-16 14:39:11 EDT
in kernel-2.6.18-139.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team
has sent specific instructions indicating when to do so.  However feel free
to provide a comment indicating that this fix has been verified.
Comment 19 Simon Matter 2009-08-19 04:41:39 EDT
While testing kernel-2.6.18-160.el5 in 5.3 userland (iptables-1.3.5-4.el5) I get the following error in kernel log:

ip_tables: connlimit match: invalid size 24 != 16

That doesn't happen with kernel-2.6.18-128.4.1.el5 so I guess it's because of this change (linux-2.6-net-netfilter-x_tables-add-connlimit-match.patch).

The following shows the error for me:
iptables -N test1234
iptables -A test1234 -m connlimit --connlimit-above 8

Do I need a newer iptables? I didn't find one in 5.4beta channel.
Comment 20 Jiri Pirko 2009-08-19 07:45:13 EDT
hello Simon. I need more info for your problem like kernel arch, iptables package version, iptables package arch. Does only the executing of two mentioned commands trigger the message? Thanks.
Comment 21 Simon Matter 2009-08-19 15:41:29 EDT
Hello Jiri, sorry for not providing more information. Because you asked about arch I did some tests which are interesting. Now it seems to me that the problem is not with the kernel itself but with iptables - or a combination of both.

Kernel version is always 2.6.18-160.el5, iptables is iptables-1.3.5-4.el5.

My test is to run the statements as mentioned above:
iptables -N test1234
iptables -A test1234 -m connlimit --connlimit-above 8

This leads to the kernel message but also to an error from iptables, like so:

On host A i386/i686 arch:
[root@client140 ~]# iptables -N test1234
[root@client140 ~]# iptables -A test1234 -m connlimit --connlimit-above 8
iptables: Unknown error 4294967295

dmesg: ip_tables: connlimit match: invalid size 24 != 16


On host B x86_86 arch:
[root@delta64 ~]# iptables -N test1234
[root@delta64 ~]# iptables -A test1234 -m connlimit --connlimit-above 8
[root@delta64 ~]# 

dmesg: (empty)


Now, using 32bit iptables from host A on host B:
[root@delta64 ~]# IPTABLES_LIB_DIR=_lib_iptables32 ./iptables32 -N test1234
[root@delta64 ~]# IPTABLES_LIB_DIR=_lib_iptables32 ./iptables32 -A test1234 -m connlimit --connlimit-above 8
iptables: Unknown error 4294967295

dmesg: ip_tables: connlimit match: invalid size 24 != 16


Can you reproduce it?
Comment 22 errata-xmlrpc 2009-09-02 04:48:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1243.html
Comment 23 Simon Matter 2009-09-02 06:26:12 EDT
The issue mentioned above still exists with kernel and iptables from RHEL5.4.

iptables-1.3.5-5.3.el5

[root@client140 ~]# uname -a
Linux client140.bi.corp.invoca.ch 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux

[root@client140 ~]# iptables -N test1234
[root@client140 ~]# iptables -A test1234 -m connlimit --connlimit-above 8
iptables: Unknown error 4294967295

dmesg shows:
ip_tables: connlimit match: invalid size 24 != 16

Note: this really seems to happen only on ix86 arch, not x86_64.
Comment 25 Jiri Pirko 2009-09-02 08:44:42 EDT
I created a new bz to track issue mentioned in Comment #19 : bz520797

Note You need to log in before you can comment on or make changes to this bug.