Bug 520797 - ip_tables: connlimit match: invalid size 24 != 16
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: iptables
Hardware: i686, OS: Linux
Priority: urgent, Severity: high
: rc
: ---
Assigned To: iptables-maint-list
Petr Sklenar
: ZStream
Blocks: 499522 521999 525132 529687 532437
Reported: 2009-09-02 08:41 EDT by Jiri Pirko
Modified: 2015-05-04 21:17 EDT
CC List: 27 users

Fixed In Version: iptables-1.3.5-6.1.el5
Doc Type: Bug Fix
Doc Text:
: 525132
Last Closed: 2012-02-21 01:21:06 EST

Attachments (Terms of Use)
proposed patch (475 bytes, patch)
2009-09-02 11:08 EDT, Jiri Pirko
proposed patch #2 (597 bytes, patch)
2009-09-08 06:13 EDT, Jiri Pirko

Description Jiri Pirko 2009-09-02 08:41:45 EDT
Description of problem:

[root@nec-em20 ~]# uname -a
Linux nec-em20.rhts.bos.redhat.com 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
[root@nec-em20 ~]# iptables -N test1234
[root@nec-em20 ~]# iptables -A test1234 -m connlimit --connlimit-above 8
iptables: Unknown error 4294967295
[root@nec-em20 ~]# dmesg
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (8184 buckets, 65472 max) - 228 bytes per conntrack
ip_tables: connlimit match: invalid size 24 != 16

How reproducible:


Additional info:
Appears on x86, not on x86_64
Comment 1 Simon Matter 2009-09-02 09:00:20 EDT
Just as a hint, some Debian folks had the same issue:
Comment 2 Jiri Pirko 2009-09-02 11:07:28 EDT
I made a patch for iptables util and it works for me just fine. Try rpm here:

Comment 3 Jiri Pirko 2009-09-02 11:08:58 EDT
Created attachment 359542 [details]
proposed patch
Comment 4 Jiri Pirko 2009-09-02 11:12:18 EDT
reassigning this to component iptables.
Comment 5 Simon Matter 2009-09-02 11:27:01 EDT
Works fine for me, no problems anymore, tested on i686 and also x86_64 kernel.

Comment 7 Eugene Teo (Security Response) 2009-09-07 23:12:23 EDT
I think I found another bug.

# rpm -q iptables
# uname -rm i686
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j REJECT
iptables: Unknown error 4294967295
# tail -1 /var/log/messages
Sep  7 23:07:31 host kernel: ip_tables: connlimit match: invalid size 32 != 24

It worked on 2.6.18-164.el5 i686 though.
Comment 8 Simon Matter 2009-09-08 02:56:48 EDT
Hi Eugene, I'm sure Jiri may give you a better answer but how I understand it the issue you see is expected because the iptables package is patched for the patched 2.6.18 kernel which is not compatible with the you are using.

Comment 9 Jiri Pirko 2009-09-08 03:18:07 EDT
correct - I will look at to see how to make this work for both kernels.
Comment 10 Jiri Pirko 2009-09-08 06:13:10 EDT
Created attachment 360055 [details]
proposed patch #2
Comment 11 Jiri Pirko 2009-09-08 06:14:25 EDT
Thanks to patch #2 iptables util is compatible with
Comment 12 Jiri Pirko 2009-09-08 06:19:09 EDT
Note that the el5 kernel needs to be patched too. I'm going to file a bz for this and make it dependent on this bz.
Comment 13 Thomas Woerner 2009-09-08 09:00:23 EDT
According to discussions on irc:

1) The initial alignment patch is ok to be added.
2) Compatibility problems of 2.4.24+ and iptables-1.3.5 have to be solved in the 2.6.24+ rt kernel.
Comment 15 Gustavo Homem 2009-09-15 12:38:25 EDT
Is this iptables update scheduled to be available soon?
Comment 45 errata-xmlrpc 2012-02-21 01:21:06 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.