Bug 53325 - Errata conversion of iptables .... -m limit ##/sec
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.1
Hardware: i686 Linux
Priority: medium
Severity: high
Assigned To: Bernhard Rosenkraenzer
Reported: 2001-09-06 14:25 EDT by Dario Lesca
Modified: 2008-05-01 11:38 EDT (History)
Doc Type: Bug Fix
Last Closed: 2001-11-07 09:15:29 EST


Attachments:
  patch against iptables 1.2.2 (461 bytes, patch), 2001-09-08 05:46 EDT, Michael Schwendt
  patch against iptables 1.2.3 (461 bytes, patch), 2001-09-08 05:46 EDT, Michael Schwendt
  a different approach (544 bytes, patch), 2001-09-08 07:01 EDT, Michael Schwendt

Description Dario Lesca 2001-09-06 14:25:24 EDT
Description of Problem:

Errata conversion of -m limit 

Version-Release number of selected component (if applicable):

I also upgraded iptables with the RAW src package:
[root@bl00 RPMS]# rpm -qa |grep iptables
iptables-1.2.2-3
[root@bl00 RPMS]#

How Reproducible:

iptables -I INPUT -p icmp -m limit --limit 21/second -j ACCEPT

Actual Results:

[root@bl00 RPMS]# iptables-save
# Generated by iptables-save v1.2.2 on Thu Sep  6 18:29:53 2001
*filter
:INPUT ACCEPT [35:1900]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:2640]
-A INPUT -p icmp -m limit --limit 1815126/day -j ACCEPT
COMMIT
# Completed on Thu Sep  6 18:29:53 2001
Dario Lesca (d.lesca@osra.it) (from Italy)
Comment 1 Michael Schwendt 2001-09-06 14:46:13 EDT
21/second = 21*3600*24/day = 1814400/day ~= 1815126/day
=> not far off ;-)
Comment 2 Michael Schwendt 2001-09-08 05:46:26 EDT
Created attachment 31314 [details]
patch against iptables 1.2.2
Comment 3 Michael Schwendt 2001-09-08 05:46:42 EDT
Created attachment 31315 [details]
patch against iptables 1.2.3
Comment 4 Michael Schwendt 2001-09-08 05:48:17 EDT
It's due to a rather unfortunate rounding of input values.
Comment 5 Michael Schwendt 2001-09-08 06:06:31 EDT
Hmmm, with the patch applied, the slower rates become more inaccurate. For
instance, 6000/hour is rounded to 1/sec (= 3600/hour). Not so nice either. I
wonder what is more important: fine-grained rates of x/minute and y/second, or
per hour or per day?

One could probably implement a check that examines the remainder in the
calculation in the old code more closely, trying to determine the best matching
unit. Sort of, not checking the remainder against zero (like the old code does),
but only if the remainder of "rates[i].mult % period" is greater than some
threshold, the unit is found:

        if (period > rates[i].mult
            || rates[i].mult % period > X)
           break;

with X being some percentage of rates[i].mult or so.
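To make the numbers in the report and in comment 5 reproducible, the following is an added C example; it is my own code, not any of the attached patches. It rebuilds the unit table and period arithmetic of the 1.2.x limit match, formats a period the way the old code did (stop at the first unit that does not divide the period exactly), and beside it a threshold variant of the kind comment 5 sketches, with my own choice of threshold. The constant LIMIT_SCALE = 10000 and the table are assumptions modelled on libipt_limit.c (they reproduce the 1815126/day of the report from 21/second), and the accepted unit spellings are a simplification.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Scale and unit table modelled on the iptables 1.2.x limit match
 * (libipt_limit.c): a rate is stored as the period between two packets in
 * 1/10000 s ticks, and each unit's "mult" is the number of ticks it spans.
 * Assumed values, reconstructed for this example. */
#define LIMIT_SCALE 10000u

struct rate_unit { const char *name; uint32_t mult; };

static const struct rate_unit rates[] = {
    { "day",  LIMIT_SCALE * 24 * 60 * 60 },   /* 864000000 */
    { "hour", LIMIT_SCALE * 60 * 60 },        /*  36000000 */
    { "min",  LIMIT_SCALE * 60 },             /*    600000 */
    { "sec",  LIMIT_SCALE },                  /*     10000 */
};
#define NRATES (sizeof(rates) / sizeof(rates[0]))

/* Parse "N/unit" (the unit may be spelled out, e.g. "second") into a period.
 * Returns 0 when the string is malformed or the rate is too fast to store.
 * The integer division is where the input precision is lost (simplified
 * unit matching: the table name must be a prefix of what the user typed). */
uint32_t parse_rate(const char *rate)
{
    char *end;
    unsigned long n = strtoul(rate, &end, 10);
    const char *unit;
    size_t i;

    if (end == rate || n == 0)
        return 0;
    if (*end == '\0')                       /* bare number means per second */
        return rates[NRATES - 1].mult / n;
    if (*end != '/')
        return 0;
    unit = end + 1;
    for (i = 0; i < NRATES; i++)
        if (strncmp(unit, rates[i].name, strlen(rates[i].name)) == 0)
            return rates[i].mult / n;       /* e.g. 10000 / 21 = 476 */
    return 0;
}

/* Formatting as iptables 1.2.2 did (the "old code" of comment 5): walk from
 * the coarsest unit to the finest, stop at the first unit that does not divide
 * the period exactly, and print the previous unit.  Any remainder at all pushes
 * the output to the coarser unit, so period 476 (21/sec) becomes 1815126/day. */
const char *format_rate_exact(uint32_t period, char *buf, size_t len)
{
    size_t i;

    if (period == 0) {
        snprintf(buf, len, "invalid");
        return buf;
    }
    for (i = 1; i < NRATES; i++)
        if (period > rates[i].mult || rates[i].mult % period != 0)
            break;
    snprintf(buf, len, "%u/%s", rates[i - 1].mult / period, rates[i - 1].name);
    return buf;
}

/* Threshold variant of the idea in comment 5 (my own threshold, not the
 * attached patch): keep moving to a finer unit as long as the integer quotient
 * is at least as large as the remainder, so the number printed is large
 * compared with what the division dropped. */
const char *format_rate_tolerant(uint32_t period, char *buf, size_t len)
{
    size_t i;

    if (period == 0) {
        snprintf(buf, len, "invalid");
        return buf;
    }
    for (i = 1; i < NRATES; i++)
        if (period > rates[i].mult
            || rates[i].mult / period < rates[i].mult % period)
            break;
    snprintf(buf, len, "%u/%s", rates[i - 1].mult / period, rates[i - 1].name);
    return buf;
}

/* Check helper: does the chosen formatter render this period as expected? */
int formats_as(uint32_t period, int tolerant, const char *expected)
{
    char buf[32];
    const char *out = tolerant ? format_rate_tolerant(period, buf, sizeof buf)
                               : format_rate_exact(period, buf, sizeof buf);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    const char *inputs[] = { "21/second", "6000/hour", "5/minute", "1/day" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        uint32_t period = parse_rate(inputs[i]);
        char a[32], b[32];
        printf("%-10s -> period %9u -> old: %-12s tolerant: %s\n", inputs[i],
               period, format_rate_exact(period, a, sizeof a),
               format_rate_tolerant(period, b, sizeof b));
    }
    return 0;
}
```

Running it shows 21/second saved as 1815126/day by the old rule and as 21/sec by the tolerant one, while 6000/hour comes out as 100/min under both, since that period divides the minute exactly. The practical check this suggests is to round-trip a rule set through iptables-save and iptables-restore after an upgrade and diff the two dumps, so that a rate drifting in either direction is noticed rather than silently applied.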
Comment 6 Michael Schwendt 2001-09-08 07:01:44 EDT
Created attachment 31316 [details]
a different approach
Comment 7 Michael Schwendt 2001-10-16 15:43:34 EDT
Today I was notified that this last patch has been applied to CVS (netfilter
userspace).
Comment 8 Bernhard Rosenkraenzer 2001-10-30 06:46:32 EST
Fixed in 1.2.4-1 (rawhide now, errata soon)
