Hi,
I tried to use the iptables connlimit match:
# iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j DROP
iptables: Unknown error 4294967295
Where is the problem? Thanks.
# rpm -qa | grep iptables
iptables-1.3.5-4.el5
# uname -a
Linux test 2.6.18-92.1.1.el5 #1 SMP Sat Jun 21 19:04:27 EDT 2008 i686 i686 i386 GNU/Linux
noro wrote:
> Hi,
> I tried to use the iptables connlimit match:
> # iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j DROP
> iptables: Unknown error 4294967295
> Where is the problem? Thanks.
> # rpm -qa | grep iptables
> iptables-1.3.5-4.el5
> # uname -a
> Linux test 2.6.18-92.1.1.el5 #1 SMP Sat Jun 21 19:04:27 EDT 2008 i686 i686 i386 GNU/Linux
Hi. The problem isn't yours alone. Despite the man page, there is no support for the iptables connlimit match in CentOS 5 nor any previous version.
The real issue is that, due to the way RH builds iptables(*), there have been longstanding disparities(**) between the iptables userspace tool and the kernel. For example, in Fedora 6/RHEL 5/CentOS 5, although there is an iptables module in /lib/iptables/libipt_connlimit.so which supports the connlimit match in iptables, there is no corresponding netfilter module in /lib/modules/(version)/kernel/net/ipv4/netfilter/ to handle it in the kernel. Fedora 3/RHEL 4/CentOS 4 have the same problem. Other disparities exist as well.
Anyway, since there is no stock kernel support for connlimit, the iptables module included in these distros is rather useless to you. :(
The kernel module is not included in the centosplus kernel either, so if you really must have connlimit working on CentOS 5 there are three options:
1. Upgrade your kernel to a newer version.
The connlimit module finally went into mainline at kernel v2.6.23. http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23
IIRC, Fedora 7 doesn't support connlimit in the kernel either, but Fedora 8 and 9 do.
2. Patch it and maintain your own build.
See http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-extern...
3. Find a pre-built module maintained elsewhere.
I only know of one repository for RHEL4: http://ftp.pslib.cz/pub/users/Milan.Kerslager/RHEL-4/stable/
Please note that the CentOS team won't support non-stock kernels.
Sorry for the bad news and the long message with irrelevant details (they're for the list archive and googlers).
Best Regards, PWR
(*) https://bugzilla.redhat.com/show_bug.cgi?id=191331#c8
(**) Some more examples: https://bugzilla.redhat.com/show_bug.cgi?id=253014 http://linuxczar.net/wordpress/archives/67
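An added example, not code from the thread or from the CentOS project: a POSIX sh script that checks, for each iptables extension shipped in a userspace library directory, whether a corresponding netfilter kernel module exists under a kernel's module tree, and reproduces the connlimit disparity described above on a constructed directory tree. The directory layout (/lib/iptables, /lib/modules/<version>/kernel/net/...) and the ipt_/xt_ module naming are assumptions of the example; point the two functions at the real directories to check a live system.

```shell
#!/bin/sh
# Added example (not from the list thread). Compares iptables userspace
# extensions (libipt_<name>.so) with netfilter kernel modules (ipt_<name>.ko
# or xt_<name>.ko) to find extensions the kernel cannot enforce, e.g. connlimit
# on CentOS 5. Paths and module naming are assumptions of this example.

# Print the extension names provided by libipt_*.so files in LIBDIR ($1).
list_userspace_matches() {
    for f in "$1"/libipt_*.so; do
        [ -e "$f" ] || continue
        n=${f##*/libipt_}
        echo "${n%.so}"
    done
}

# Succeed (exit 0) if a kernel module for extension NAME ($2) exists anywhere
# under MODDIR ($1). Shared IPv4/IPv6 code lives in xt_*.ko, IPv4-only in ipt_*.ko.
kernel_has_match() {
    hit=$(find "$1" -name "ipt_$2.ko" -o -name "xt_$2.ko" 2>/dev/null | head -n 1)
    [ -n "$hit" ]
}

# Print every userspace extension in LIBDIR ($1) with no module under MODDIR ($2).
report_missing_matches() {
    list_userspace_matches "$1" | while read -r m; do
        kernel_has_match "$2" "$m" || echo "$m"
    done
}

# Build a constructed tree mirroring the CentOS 5 situation from the thread:
# libipt_connlimit.so ships, but no connlimit kernel module does. Prints its root.
make_constructed_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/iptables" \
             "$root/lib/modules/2.6.18-92.1.1.el5/kernel/net/netfilter" \
             "$root/lib/modules/2.6.18-92.1.1.el5/kernel/net/ipv4/netfilter"
    for m in connlimit state limit; do : > "$root/lib/iptables/libipt_$m.so"; done
    : > "$root/lib/modules/2.6.18-92.1.1.el5/kernel/net/netfilter/xt_state.ko"
    : > "$root/lib/modules/2.6.18-92.1.1.el5/kernel/net/netfilter/xt_limit.ko"
    echo "$root"
}

root=$(make_constructed_tree)
echo "Extensions without kernel support:"
report_missing_matches "$root/lib/iptables" "$root/lib/modules/2.6.18-92.1.1.el5"
rm -rf "$root"
```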
On Sun, Jun 29, 2008 at 4:19 AM, Peter Riley Peter.Riley@hotpop.com wrote:
> noro wrote:
> > Hi,
> > I tried to use the iptables connlimit match:
> [...]
> Hi. The problem isn't yours alone. Despite the man page, there is no support for the iptables connlimit match in CentOS 5 nor any previous version.
Maybe you can make the recent module do the job, kind of...