Escalated to Bugzilla from IssueTracker
Support, I haven't checked the 32bit package, however the x86_64 package shows that we include this module already:

    iptables-1.3.5-1.2.1.x86_64.rpm
    /lib64/iptables/libipt_connlimit.so

--jwest

jwest assigned to issue for SEG - Feature Request.
Internal Status set to 'Waiting on Support'
This event sent from IssueTracker by jwest [SEG - Feature Request] issue 237787

Hello, I tried using "connlimit" and it shows an error on both x86 and x86_64 arch for the latest RHEL5 kernel. It seems to me that the library "libipt_connlimit.so" is there but the kernel does not provide the required module.

    # uname -a
    Linux dhcp6-167.pnq.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
    # iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j DROP
    iptables: Unknown error 18446744073709551615
    # cd /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/
    # ls |grep -i limit
    ipt_hashlimit.ko
    # ls /lib64/iptables/ |grep -i limit
    libip6t_limit.so
    libipt_connlimit.so
    libipt_hashlimit.so
    libipt_limit.so

Regards,
Rohit.

Issue escalated to Support Engineering Group by: rpersai.
Internal Status set to 'Waiting on SEG'
Summary edited.
This event sent from IssueTracker by jwest [SEG - Feature Request] issue 237787
I have been looking at this and it seems that ipv4 support for connlimit should be backported relatively easily. But to backport ipv6 support for this it looks pretty hard. So I'm asking if ipv4 connlimit support is sufficient. Thanks.
*** Bug 476196 has been marked as a duplicate of this bug. ***
ad c#6: Well, I found that only ipv4 support for this is in the iptables package, so I think it's clear to backport only this part.
Created attachment 332408 [details]
simple tester application

Simple tester. It first sets a limit of connections to tcp port 22222 to 5. Then it starts a tcp server which listens on this port and counts connections. Then it starts a tcp client which makes multiple connections to the server and also counts them. If connlimit works fine, the client can't create the sixth connection.

run with unpatched kernel:

    [jirka@rhel53 483588_tester]$ sudo ./tester
    iptables: Unknown error 18446744073709551615
    Command "/sbin/iptables -I INPUT -p tcp --dport 22222 -m connlimit --connlimit-above 5 --connlimit-mask 24 -j REJECT" failed with retval: 1

run with patched kernel:

    [jirka@rhel53 483588_tester]$ sudo ./tester
    client: conn#1
    client: conn#2
    client: conn#3
    client: conn#4
    client: conn#5
    server: conn#1
    server: conn#2
    server: conn#3
    server: conn#4
    server: conn#5
    Successful!

run with patched kernel with connlimit malfunction (should never happen):

    [jirka@rhel53 483588_tester]$ sudo ./tester
    client: conn#1
    client: conn#2
    client: conn#3
    client: conn#4
    client: conn#5
    client: conn#6
    client: REACHED MAX CONNECTION LIMIT!!! CONNLIMIT DOES NOT WORK!
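A Python re-implementation of the tester just described, added here as an example (it is not the bug's attachment 332408): it inserts the same connlimit rule, keeps every accepted connection open while the client counts successful connects, and prints the tester's verdict. It assumes /sbin/iptables and root privileges when run as a script; count_connections() and verdict() need neither, so they can be exercised without a firewall.

```python
import socket
import subprocess
import threading

PORT = 22222        # port the tester limits; /sbin/iptables and root are assumed
LIMIT = 5           # --connlimit-above 5: the sixth parallel connection must fail

def connlimit_rule(action, port=PORT, limit=LIMIT):   # -I to insert, -D to delete
    return ["/sbin/iptables", action, "INPUT", "-p", "tcp", "--dport", str(port),
            "-m", "connlimit", "--connlimit-above", str(limit),
            "--connlimit-mask", "24", "-j", "REJECT"]

def count_connections(port=PORT, attempts=LIMIT + 1, host="127.0.0.1"):
    """Listen on host:port, open `attempts` client sockets and keep them all open
    (connlimit counts live connections). Returns (client_ok, server_accepted)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(attempts)
    srv.settimeout(2.0)
    port = srv.getsockname()[1]          # port=0 lets the kernel pick (unit tests)
    accepted, clients = [], []
    def serve():                         # server side: count what actually arrives
        while len(accepted) < attempts:
            try:
                accepted.append(srv.accept()[0])
            except socket.timeout:
                break                    # the refused connect never shows up
    t = threading.Thread(target=serve)
    t.start()
    for _ in range(attempts):            # client side: connect until refused
        try:                             # REJECT -> OSError; DROP -> timeout
            clients.append(socket.create_connection((host, port), timeout=2.0))
        except OSError:
            break
    t.join()
    for s in clients + accepted + [srv]:
        s.close()
    return len(clients), len(accepted)

def verdict(client_ok, limit=LIMIT):     # the tester's final line
    return "Successful!" if client_ok == limit else "CONNLIMIT DOES NOT WORK!"

if __name__ == "__main__":               # needs root, like the original tester
    subprocess.run(connlimit_rule("-I"), check=True)
    try:
        ok, acc = count_connections()
        print("client: %d, server: %d -> %s" % (ok, acc, verdict(ok)))
    finally:
        subprocess.run(connlimit_rule("-D"))
```

On a kernel without the connlimit match the rule insertion fails with retval 1, as in the first run above, so check=True stops the script before any connection is counted.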
in kernel-2.6.18-139.el5

You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team has sent specific instructions indicating when to do so. However feel free to provide a comment indicating that this fix has been verified.
While testing kernel-2.6.18-160.el5 in 5.3 userland (iptables-1.3.5-4.el5) I get the following error in the kernel log:

    ip_tables: connlimit match: invalid size 24 != 16

That doesn't happen with kernel-2.6.18-128.4.1.el5 so I guess it's because of this change (linux-2.6-net-netfilter-x_tables-add-connlimit-match.patch). The following shows the error for me:

    iptables -N test1234
    iptables -A test1234 -m connlimit --connlimit-above 8

Do I need a newer iptables? I didn't find one in the 5.4beta channel.

Hello Simon. I need more info about your problem, like kernel arch, iptables package version and iptables package arch. Does only executing the two mentioned commands trigger the message? Thanks.
Hello Jiri, sorry for not providing more information. Because you asked about arch I did some tests which are interesting. Now it seems to me that the problem is not with the kernel itself but with iptables - or a combination of both. Kernel version is always 2.6.18-160.el5, iptables is iptables-1.3.5-4.el5. My test is to run the statements as mentioned above:

    iptables -N test1234
    iptables -A test1234 -m connlimit --connlimit-above 8

This leads to the kernel message but also to an error from iptables, like so:

On host A, i386/i686 arch:

    [root@client140 ~]# iptables -N test1234
    [root@client140 ~]# iptables -A test1234 -m connlimit --connlimit-above 8
    iptables: Unknown error 4294967295

dmesg:

    ip_tables: connlimit match: invalid size 24 != 16

On host B, x86_64 arch:

    [root@delta64 ~]# iptables -N test1234
    [root@delta64 ~]# iptables -A test1234 -m connlimit --connlimit-above 8
    [root@delta64 ~]#

dmesg: (empty)

Now, using 32bit iptables from host A on host B:

    [root@delta64 ~]# IPTABLES_LIB_DIR=_lib_iptables32 ./iptables32 -N test1234
    [root@delta64 ~]# IPTABLES_LIB_DIR=_lib_iptables32 ./iptables32 -A test1234 -m connlimit --connlimit-above 8
    iptables: Unknown error 4294967295

dmesg:

    ip_tables: connlimit match: invalid size 24 != 16

Can you reproduce it?
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1243.html

The issue mentioned above still exists with the kernel and iptables from RHEL5.4 (iptables-1.3.5-5.3.el5):

    [root@client140 ~]# uname -a
    Linux client140.bi.corp.invoca.ch 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
    [root@client140 ~]# iptables -N test1234
    [root@client140 ~]# iptables -A test1234 -m connlimit --connlimit-above 8
    iptables: Unknown error 4294967295

dmesg shows:

    ip_tables: connlimit match: invalid size 24 != 16

Note: this really seems to happen only on ix86 arch, not x86_64.

I created a new bz to track the issue mentioned in Comment #19: bz520797