From: Paul Kosinski <prk@iment.com>
To: netfilter@lists.netfilter.org
Subject: Throttling by 'limit' in one chain fails whenever a *different* chain is modified
Date: Wed, 15 Dec 2004 18:44:20 -0500
Message-ID: <041215184451.103156@ime1.iment.com>
Hi,
I have set up a moderately complicated firewall which has (among other things) two dynamic chains whose rules are changed several times per hour. The rule changing is done by first flushing the chain and then adding the new rules. Let's call these two chains DYNAMIC1 and DYNAMIC2, so the script reads thus (details of rules omitted):
iptables -F DYNAMIC1
iptables -F DYNAMIC2
if [proper time of hour]; then
    iptables -A DYNAMIC1 [allow some packets]
    iptables -A DYNAMIC2 [allow other packets]
fi
In another section of the firewall, I have the following chain whose purpose is to log very occasionally some continually arriving tunnel packets (just to see when the tunnel is active).
iptables -A TUNLOG \
-m state --state ESTABLISHED \
-m limit --limit 1/hour --limit-burst 1 \
-j LOG --log-prefix "iptables: Tun ... "
iptables -A TUNLOG \
-m state --state NEW \
-m limit --limit 1/minute --limit-burst 1 \
-j LOG --log-prefix "iptables: Tun-New "
iptables -A TUNLOG \
-m state --state RELATED \
-m limit --limit 1/minute --limit-burst 1 \
-j LOG --log-prefix "iptables: Tun-Rel "
iptables -A TUNLOG \
-m state --state INVALID \
-m limit --limit 1/minute --limit-burst 1 \
-j LOG --log-prefix "iptables: Tun-Bad "
iptables -A TUNLOG \
-j ACCEPT
The problem I experience is that whenever the dynamic-rule script fires, I get a log entry for an established-tunnel packet. Since the first script fires N times per hour, I get N times as many log entries for the tunnel as I want. This makes my examination of the firewall log more tedious and error-prone than it should be.
This seems to me to be a bug in iptables/netfilter. I am using iptables 1.2.11 and kernel 2.4.28 with the ebtables patch 'ebtables-brnf-8_vs_2_4_28_diff'.
Paul Kosinski
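Added illustration (not code from the post or from netfilter): a Python model of the 'limit' match's credit bucket, built on the assumption that the iptables of that era replaces the whole table on any rule change, so every `-F DYNAMIC1` hands the TUNLOG rule a freshly initialised, full bucket. Running it with the post's `1/hour --limit-burst 1` rule reproduces one extra LOG line per script run.

```python
from dataclasses import dataclass

CREDITS_PER_SEC = 10_000  # scaled credit units, standing in for the kernel's jiffies


@dataclass
class LimitState:
    """Per-rule state of the 'limit' match (modelled on ipt_rateinfo)."""
    period_sec: int   # e.g. 3600 for '1/hour'
    burst: int        # --limit-burst
    credit: int = 0
    credit_cap: int = 0
    cost: int = 0
    prev: float = 0.0

    def init(self, now: float) -> None:
        # Rule-creation time: the bucket starts FULL, so the first packet matches.
        self.cost = CREDITS_PER_SEC * self.period_sec
        self.credit_cap = self.cost * self.burst
        self.credit = self.credit_cap
        self.prev = now

    def match(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        self.credit = min(self.credit + int((now - self.prev) * CREDITS_PER_SEC),
                          self.credit_cap)
        self.prev = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def simulate(packet_times, replace_times, period_sec=3600, burst=1):
    """Feed packets (times in seconds) through one limit rule and return the
    times at which it matched, i.e. when a LOG entry would be written.
    Each entry in replace_times models a table replace caused by editing
    an unrelated chain; it throws away the rule state and re-initialises it."""
    events = sorted([(t, "pkt") for t in packet_times] +
                    [(t, "replace") for t in replace_times])
    state = LimitState(period_sec, burst)
    state.init(0.0)
    logged = []
    for t, kind in events:
        if kind == "replace":
            state = LimitState(period_sec, burst)
            state.init(t)  # constructed: fresh, full bucket after the replace
        elif state.match(t):
            logged.append(t)
    return logged
```

With a tunnel packet every 10 s and no rule changes, one hour yields a single log line; with the dynamic script firing every 10 minutes, the same hour yields six.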