Description of problem:
[root@nec-em20 ~]# uname -a
Linux nec-em20.rhts.bos.redhat.com 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:54 EDT 2009 i686 i686 i386 GNU/Linux
[root@nec-em20 ~]# iptables -N test1234
[root@nec-em20 ~]# iptables -A test1234 -m connlimit --connlimit-above 8
iptables: Unknown error 4294967295
[root@nec-em20 ~]# dmesg
ip_tables: (C) 2000-2006 Netfilter Core Team
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (8184 buckets, 65472 max) - 228 bytes per conntrack
ip_tables: connlimit match: invalid size 24 != 16

How reproducible:
Always

Additional info:
Appears on x86, not on x86_64
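The "invalid size 24 != 16" line comes from the kernel comparing the match-info size the iptables binary handed it against the size it was compiled with. The C program below is an added illustration, not code from this bug or from iptables/the kernel: it models (as a constructed approximation, not the exact RHEL struct definitions) an old userspace connlimit struct whose trailing pointer uses natural alignment, and a kernel-side struct whose pointer is forced to 8-byte alignment, then applies a checkentry-style size comparison.

```c
/* Added example: why a forced 8-byte-aligned pointer field makes the
 * kernel's struct 24 bytes on both i686 and x86_64 while an unpatched
 * userspace struct is 16 bytes on i686 and 24 on x86_64.  Field layouts
 * are constructed approximations, not the real xt_connlimit_info. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Round `off` up to the next multiple of `align`. */
static size_t align_up(size_t off, size_t align) {
    return (off + align - 1) / align * align;
}

/* Old userspace layout: int limit; int inverse; u32 mask; void *data;
 * the pointer has natural ABI alignment (4 on i686, 8 on x86_64). */
size_t userspace_info_size(size_t ptr_size) {
    size_t off = 4 + 4 + 4;                    /* limit, inverse, mask */
    off = align_up(off, ptr_size) + ptr_size;  /* data */
    return align_up(off, ptr_size);            /* trailing padding */
}

/* Kernel layout: u32 mask; u32 limit; u32 inverse;
 * void *data __attribute__((aligned(8)));  -> 8-byte aligned on both. */
size_t kernel_info_size(size_t ptr_size) {
    size_t off = 4 + 4 + 4;
    off = align_up(off, 8) + ptr_size;
    return align_up(off, 8);
}

/* Mirrors the kernel-side check: the size userspace passed in must equal
 * the compiled-in size, otherwise the rule is refused (iptables then
 * reports the -1 as "Unknown error 4294967295"). */
int connlimit_checkentry(size_t from_userspace, size_t expected) {
    if (from_userspace != expected) {
        fprintf(stderr, "connlimit match: invalid size %zu != %zu\n",
                expected, from_userspace);
        return -1;
    }
    return 0;
}

int main(void) {
    printf("i686:   userspace %zu, kernel %zu\n",
           userspace_info_size(4), kernel_info_size(4));
    printf("x86_64: userspace %zu, kernel %zu\n",
           userspace_info_size(8), kernel_info_size(8));
    /* i686 case: 16 != 24, so the rule is rejected; x86_64 gives 24 == 24. */
    return connlimit_checkentry(userspace_info_size(4), kernel_info_size(4));
}
```

The fix on the iptables side is to give the userspace struct the same 8-byte alignment on its pointer so both sizes agree on i686 as well.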
Just as a hint, some Debian folks had the same issue: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504989
I made a patch for iptables util and it works for me just fine. Try rpm here: http://people.redhat.com/jpirko/test/iptables-1.3.5-5.3.el5.test.i686.rpm
Created attachment 359542: proposed patch
reassigning this to component iptables.
Works fine for me, no problems anymore, tested on i686 and also x86_64 kernel. Thanks, Simon
I think I found another bug.
# rpm -q iptables
iptables-1.3.5-5.3.el5.test
# uname -rm
2.6.24.7-126.el5rt i686
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j REJECT
iptables: Unknown error 4294967295
# tail -1 /var/log/messages
Sep 7 23:07:31 host kernel: ip_tables: connlimit match: invalid size 32 != 24
It worked on 2.6.18-164.el5 i686 though.
Hi Eugene, I'm sure Jiri can give you a better answer, but as I understand it the issue you see is expected, because the iptables package is patched for the patched 2.6.18 kernel, which is not compatible with the 2.6.24.7 you are using. Regards, Simon
correct - I will look at 2.6.24.7 to see how to make this work for both kernels.
Created attachment 360055: proposed patch #2
Thanks to patch #2, the iptables util is compatible with 2.6.24.7-126.el5rt.
Note that the el5 kernel needs to be patched too. I'm going to file a bz for this and make it dependent on this bz.
According to discussions on irc:
1) The initial alignment patch is ok to be added.
2) Compatibility problems of 2.4.24+ and iptables-1.3.5 have to be solved in the 2.6.24+ rt kernel.
Is this iptables update scheduled to be available soon?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0255.html