Bug 520797 - ip_tables: connlimit match: invalid size 24 != 16
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: iptables
Version: 5.4
Hardware: i686 Linux
Priority: urgent
Severity: high
Target Milestone: rc
Assigned To: iptables-maint-list
QA Contact: Petr Sklenar
Keywords: ZStream
Blocks: 499522 521999 525132 529687 532437
Reported: 2009-09-02 08:41 EDT by Jiri Pirko
Modified: 2015-05-04 21:17 EDT
Fixed In Version: iptables-1.3.5-6.1.el5
Doc Type: Bug Fix
Clones: 525132
Last Closed: 2012-02-21 01:21:06 EST

Attachments
proposed patch (475 bytes, patch) - 2009-09-02 11:08 EDT, Jiri Pirko
proposed patch #2 (597 bytes, patch) - 2009-09-08 06:13 EDT, Jiri Pirko

Description Jiri Pirko 2009-09-02 08:41:45 EDT
Description of problem:

[root@nec-em20 ~]# uname -a
Linux nec-em20.rhts.bos.redhat.com 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
[root@nec-em20 ~]# iptables -N test1234
[root@nec-em20 ~]# iptables -A test1234 -m connlimit --connlimit-above 8
iptables: Unknown error 4294967295
[root@nec-em20 ~]# dmesg
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (8184 buckets, 65472 max) - 228 bytes per conntrack
ip_tables: connlimit match: invalid size 24 != 16

How reproducible:

Always

Additional info:
Appears on x86, not on x86_64
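As an added illustration (not code from this report or from the RHEL iptables or kernel packages), a simplified model of how a kernel/userspace layout mismatch of the kind shown in the dmesg line above arises: an 8-byte alignment attribute on one 4-byte field grows a 16-byte match-info struct to 24 bytes on a 32-bit build, and the kernel's size check rejects it rather than reading the payload with the wrong layout. The field names, the uint32_t stand-in for a 32-bit pointer, and the exact fields involved are assumptions; the page names alignment as the cause (Comment 13) but does not show the actual struct definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not the real xt_connlimit definitions: the same logical
 * struct as compiled into a 32-bit kernel module and into a 32-bit iptables
 * extension.  uint32_t stands in for a 32-bit pointer so that the layout,
 * and therefore the sizes below, are identical on any host. */
struct model_kernel_info {          /* layout the kernel module expects */
    uint32_t v4_mask;
    uint32_t limit;
    uint32_t inverse;
    uint32_t data_ptr;              /* kernel-private pointer, natural 4-byte alignment */
};

struct model_user_info {            /* layout the userspace extension sends */
    uint32_t v4_mask;
    uint32_t limit;
    uint32_t inverse;
    uint32_t data_ptr __attribute__((aligned(8)));  /* 4 bytes padding before, 4 after */
};

size_t kernel_info_size(void) { return sizeof(struct model_kernel_info); }  /* 16 */
size_t user_info_size(void)   { return sizeof(struct model_user_info); }    /* 24 */

/* Mirrors the defensive check a match module performs on the payload it is
 * handed: if the size does not equal the compiled-in struct size, the rule
 * is rejected and a message in the style seen in dmesg is logged.
 * Returns 1 when accepted, 0 when rejected. */
int check_match_size(const char *name, size_t got, size_t expected)
{
    if (got != expected) {
        fprintf(stderr, "ip_tables: %s match: invalid size %zu != %zu\n",
                name, got, expected);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Userspace layout against the kernel layout: rejected, 24 != 16. */
    check_match_size("connlimit", user_info_size(), kernel_info_size());
    /* Identical layout on both sides: accepted. */
    check_match_size("connlimit", kernel_info_size(), kernel_info_size());
    return 0;
}
```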
Comment 1 Simon Matter 2009-09-02 09:00:20 EDT
Just as a hint, some Debian folks had the same issue:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504989
Comment 2 Jiri Pirko 2009-09-02 11:07:28 EDT
I made a patch for the iptables util and it works for me just fine. Try the rpm here:

http://people.redhat.com/jpirko/test/iptables-1.3.5-5.3.el5.test.i686.rpm
Comment 3 Jiri Pirko 2009-09-02 11:08:58 EDT
Created attachment 359542 [details]
proposed patch
Comment 4 Jiri Pirko 2009-09-02 11:12:18 EDT
Reassigning this to component iptables.
Comment 5 Simon Matter 2009-09-02 11:27:01 EDT
Works fine for me, no problems anymore, tested on i686 and also x86_64 kernel.

Thanks,
Simon
Comment 7 Eugene Teo (Security Response) 2009-09-07 23:12:23 EDT
I think I found another bug.

# rpm -q iptables
iptables-1.3.5-5.3.el5.test
# uname -rm
2.6.24.7-126.el5rt i686
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j REJECT
iptables: Unknown error 4294967295
# tail -1 /var/log/messages
Sep  7 23:07:31 host kernel: ip_tables: connlimit match: invalid size 32 != 24

It worked on 2.6.18-164.el5 i686 though.
Comment 8 Simon Matter 2009-09-08 02:56:48 EDT
Hi Eugene, I'm sure Jiri can give you a better answer, but as I understand it, the issue you see is expected because the iptables package is patched for the patched 2.6.18 kernel, which is not compatible with the 2.6.24.7 you are using.

Regards,
Simon
Comment 9 Jiri Pirko 2009-09-08 03:18:07 EDT
Correct - I will look at 2.6.24.7 to see how to make this work for both kernels.
Comment 10 Jiri Pirko 2009-09-08 06:13:10 EDT
Created attachment 360055 [details]
proposed patch #2
Comment 11 Jiri Pirko 2009-09-08 06:14:25 EDT
Thanks to patch #2, the iptables util is compatible with 2.6.24.7-126.el5rt.
Comment 12 Jiri Pirko 2009-09-08 06:19:09 EDT
Note that the el5 kernel needs to be patched too. I'm going to file a bz for this and make it dependent on this bz.
Comment 13 Thomas Woerner 2009-09-08 09:00:23 EDT
According to discussions on irc:

1) The initial alignment patch is ok to be added.
2) Compatibility problems of 2.4.24+ and iptables-1.3.5 have to be solved in the 2.6.24+ rt kernel.
Comment 15 Gustavo Homem 2009-09-15 12:38:25 EDT
Is this iptables update scheduled to be available soon?
Comment 45 errata-xmlrpc 2012-02-21 01:21:06 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0255.html