Bug 521999 - ip_tables: connlimit match: invalid size 32 != 24
Summary: ip_tables: connlimit match: invalid size 32 != 24
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
Version: Development
Hardware: All
OS: Linux
urgent
high
Target Milestone: 1.1.9
Assignee: Luis Claudio R. Goncalves
QA Contact: David Sommerseth
URL:
Whiteboard:
Depends On: 520797
Blocks: 529867 531831
 
Reported: 2009-09-09 02:54 UTC by Eugene Teo (Security Response)
Modified: 2016-05-22 23:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 529867 531831
Environment:
Last Closed: 2009-11-03 18:21:49 UTC
Target Upstream Version:
Embargoed:


Attachments
proposed patch (4.17 KB, patch), 2009-09-09 13:37 UTC, Jiri Pirko


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1540 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2009-11-03 18:21:07 UTC

Description Eugene Teo (Security Response) 2009-09-09 02:54:11 UTC
Description of problem:
# rpm -q iptables
iptables-1.3.5-5.3.el5.test
# uname -rm
2.6.24.7-126.el5rt i686
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j REJECT
iptables: Unknown error 4294967295
# tail -1 /var/log/messages
Sep  7 23:07:31 host kernel: ip_tables: connlimit match: invalid size 32 != 24

It worked on 2.6.18-164.el5 i686 though.

Related to bug 520797. See: https://bugzilla.redhat.com/show_bug.cgi?id=520797#c13

There are compatibility problems between 2.6.24+ and iptables-1.3.5 that have to be solved in the 2.6.24+ rt kernel. This is a potential problem for the 2.6.30+ rt kernel too.

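The "invalid size 32 != 24" line comes from the x_tables match registration check: the kernel compares the padded size of its own match-info structure against the payload length carried in the rule that user space submitted, and rejects the rule with -EINVAL when they differ (iptables then prints the raw return value as "Unknown error 4294967295", i.e. -1 cast to unsigned). The program below is an added example, not code from this bug report, the kernel-rt patch or the iptables package: it models that check in user space and shows how an extension whose structure grew between kernel versions (here a hypothetical IPv4-only layout next to a hypothetical IPv4/IPv6 layout; neither is the real `ipt_connlimit_info`/`xt_connlimit_info` definition) produces exactly this class of mismatch when the user-space iptables is older than the kernel.

```c
/* Added example, not from the bug report, the kernel-rt patch or
 * iptables.  User-space model of the x_tables match-size check that
 * logs "ip_tables: <match> match: invalid size A != B".  The two
 * struct layouts are hypothetical stand-ins, not the real
 * ipt_connlimit_info / xt_connlimit_info definitions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x_tables pads every match/target payload up to the alignment of the
 * widest scalar type.  A user-space build that computes the size from
 * an older struct definition, or with a different ABI, will not match. */
struct xt_align_probe { uint8_t u8; uint16_t u16; uint32_t u32; uint64_t u64; };
#define XT_ALIGN(s) (((s) + (__alignof__(struct xt_align_probe) - 1)) \
                     & ~(__alignof__(struct xt_align_probe) - 1))

/* Model of the size test in xt_check_match(): kernel_matchsize is what
 * the in-kernel match module registered, user_size is the payload length
 * in the rule blob that iptables pushed through setsockopt().  On
 * mismatch the kernel logs the line seen in /var/log/messages and
 * returns -EINVAL, which iptables reports as a bogus errno. */
static int check_match_size(size_t kernel_matchsize, unsigned int user_size,
                            const char *match_name)
{
    if (XT_ALIGN(kernel_matchsize) != user_size) {
        fprintf(stderr, "ip_tables: %s match: invalid size %zu != %u\n",
                match_name, XT_ALIGN(kernel_matchsize), user_size);
        return -EINVAL;
    }
    return 0;
}

/* Hypothetical "old" layout: an IPv4-only match info as an older
 * user-space extension might build it. */
struct old_connlimit_info {
    uint32_t mask;
    unsigned int limit;
    unsigned int inverse;
    void *data;                 /* kernel-private pointer, present in both */
};

/* Hypothetical "new" layout: the mask became a 16-byte IPv4/IPv6 union
 * and the trailing kernel pointer is forced to 8-byte alignment so that
 * 32-bit and 64-bit user space compute the same size (the upstream
 * xt_connlimit header uses that trick; the field list here is still
 * illustrative).  The same rule text now encodes a bigger structure. */
struct new_connlimit_info {
    union { uint32_t v4_mask; uint32_t v6_mask[4]; } mask;
    unsigned int limit;
    unsigned int inverse;
    void *data __attribute__((aligned(8)));
};

size_t old_layout_size(void) { return XT_ALIGN(sizeof(struct old_connlimit_info)); }
size_t new_layout_size(void) { return XT_ALIGN(sizeof(struct new_connlimit_info)); }

/* The exact numbers from the report: kernel side 32 bytes, rule 24 bytes. */
int reproduce_report(void)
{
    return check_match_size(32, 24, "connlimit");
}

int main(void)
{
    printf("old layout: %zu bytes, new layout: %zu bytes\n",
           old_layout_size(), new_layout_size());
    /* Old user space against a new kernel: rejected with -EINVAL. */
    check_match_size(new_layout_size(), (unsigned int)old_layout_size(), "connlimit");
    /* User space rebuilt against the new header: accepted. */
    return check_match_size(new_layout_size(), (unsigned int)new_layout_size(), "connlimit");
}
```

Build with `cc -Wall -o connlimit-size connlimit-size.c && ./connlimit-size`; the first check prints the kernel-style "invalid size" line to stderr, the second is silent. The practical lesson matches comment 15 below: a kernel-side patch alone cannot make an older iptables binary emit the larger payload, so the rule only loads once user space is rebuilt against the new match-info definition.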
Comment 2 Jiri Pirko 2009-09-09 13:37:14 UTC
Created attachment 360209 [details]
proposed patch

I briefly tested this patch applied on kernel-rt-2.6.24.7-133.el5rt. Works well. Please test this.

Comment 4 Luis Claudio R. Goncalves 2009-09-10 00:03:58 UTC
Patch added to kernel 2.6.27.7-133.el5rt (brew build job on the way)

Comment 15 David Sommerseth 2009-10-29 11:02:43 UTC
Moved to verified, as this works well with a new version of the user space iptables.

Note: This feature will still not work before the user space iptables package is upgraded.

Comment 17 errata-xmlrpc 2009-11-03 18:21:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1540.html

