Bug 53325 - Errata conversion of iptables .... -m limit ##/sec
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.1
Hardware: i686
OS: Linux
Assignee: Bernhard Rosenkraenzer
Reported: 2001-09-06 18:25 UTC by Dario Lesca
Modified: 2008-05-01 15:38 UTC (History)

Doc Type: Bug Fix
Last Closed: 2001-11-07 14:15:29 UTC

Attachments
patch against iptables 1.2.2 (461 bytes, patch)
2001-09-08 09:46 UTC, Michael Schwendt
patch against iptables 1.2.3 (461 bytes, patch)
2001-09-08 09:46 UTC, Michael Schwendt
a different approach (544 bytes, patch)
2001-09-08 11:01 UTC, Michael Schwendt

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2001:144 normal SHIPPED_LIVE : Updated iptables packages are available 2001-10-30 05:00:00 UTC

Description Dario Lesca 2001-09-06 18:25:24 UTC
Description of Problem:

Errata conversion of -m limit 

Version-Release number of selected component (if applicable):

I also upgraded iptables with the raw src package:
[root@bl00 RPMS]# rpm -qa |grep iptables
[root@bl00 RPMS]#

How Reproducible:

iptables -I INPUT -p icmp -m limit --limit 21/second -j ACCEPT

Actual Results:

[root@bl00 RPMS]# iptables-save
# Generated by iptables-save v1.2.2 on Thu Sep  6 18:29:53 2001
:INPUT ACCEPT [35:1900]
:OUTPUT ACCEPT [32:2640]
-A INPUT -p icmp -m limit --limit 1815126/day -j ACCEPT
# Completed on Thu Sep  6 18:29:53 2001
Dario Lesca (d.lesca@osra.it) (from Italy)

Comment 1 Michael Schwendt 2001-09-06 18:46:13 UTC
21/second = 21*3600*24/day = 1814400/day ~= 1815126/day
=> not far off ;-)

Comment 2 Michael Schwendt 2001-09-08 09:46:26 UTC
Created attachment 31314 [details]
patch against iptables 1.2.2

Comment 3 Michael Schwendt 2001-09-08 09:46:42 UTC
Created attachment 31315 [details]
patch against iptables 1.2.3

Comment 4 Michael Schwendt 2001-09-08 09:48:17 UTC
It's due to a rather unfortunate rounding of input values.

Comment 5 Michael Schwendt 2001-09-08 10:06:31 UTC
Hmmm, with the patch applied, the slower rates become more inaccurate. For
instance, 6000/hour is rounded to 1/sec (= 3600/hour). Not so nice either. I
wonder what is more important. Fine grained rates of x/minute and y/second, or
per hour or per day?

One could probably implement a check that examines the remainder in the
calculation in the old code more closely, trying to determine the best matching
unit. Sort of, not checking the remainder against zero (like the old code does),
but only if the remainder of "rates[i].mult % period" is greater than some
threshold, the unit is found:

        if (period > rates[i].mult
            || rates[i].mult % period > X)

with X being some percentage of rates[i].mult or so.
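
The unit selection discussed in comment 5, as an added example in C (not the iptables source and not any of the patches attached to this bug): a re-creation of the limit-match print logic that reproduces the 1815126/day output from the description, next to a remainder-threshold variant in which X is taken as the quotient rates[i].mult / period. That choice of X, the names parse_rate and print_rate, and the rates table are my assumptions; the attachments' contents are not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example re-creating the iptables limit-match unit selection (not
 * the attached patches). A rate is stored as a period in 1/IPT_LIMIT_SCALE
 * seconds, so "21/second" becomes 10000/21 = 476 after integer division. */
#define IPT_LIMIT_SCALE 10000

static const struct { const char *name; uint32_t mult; } rates[] = {
    { "day",  IPT_LIMIT_SCALE * 24 * 60 * 60 },
    { "hour", IPT_LIMIT_SCALE * 60 * 60 },
    { "min",  IPT_LIMIT_SCALE * 60 },
    { "sec",  IPT_LIMIT_SCALE },
};
#define NRATES (sizeof(rates) / sizeof(rates[0]))

/* "--limit r/unit" -> period; precision is already lost here. */
static uint32_t parse_rate(uint32_t r, uint32_t seconds_per_unit)
{
    return IPT_LIMIT_SCALE * seconds_per_unit / r;
}

/* Walk from the largest unit down and stop at the first one that does not
 * fit. Old rule: any non-zero remainder rejects the unit, so 36000000 % 476
 * = 120 rejects "hour" and the output falls back to "day". Threshold rule
 * (assumed X = quotient): reject only if the remainder exceeds the quotient. */
static const char *print_rate(uint32_t period, int use_threshold)
{
    static char buf[32];
    unsigned i;
    for (i = 1; i < NRATES; i++) {
        uint32_t m = rates[i].mult;
        int rejects = use_threshold ? (m / period < m % period)
                                    : (m % period != 0);
        if (period > m || rejects)
            break;
    }
    snprintf(buf, sizeof buf, "%u/%s",
             (unsigned)(rates[i - 1].mult / period), rates[i - 1].name);
    return buf;
}

int main(void)
{
    uint32_t p = parse_rate(21, 1);                   /* --limit 21/second */
    printf("period %u, old rule: %s\n", (unsigned)p, print_rate(p, 0));
    printf("period %u, threshold: %s\n", (unsigned)p, print_rate(p, 1));
    return 0;
}
```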

Comment 6 Michael Schwendt 2001-09-08 11:01:44 UTC
Created attachment 31316 [details]
a different approach

Comment 7 Michael Schwendt 2001-10-16 19:43:34 UTC
Today I was notified that this last patch has been applied to CVS (netfilter

Comment 8 Bernhard Rosenkraenzer 2001-10-30 11:46:32 UTC
Fixed in 1.2.4-1 (rawhide now, errata soon)
