why can't use connlimit ??

why can't use connlimit ??

[Buddy wu]

   I want to use connlimit to set the connections of each person to a
certain number, but when I add a rule using iptables, error occured
like these:

[root@server1 linux]# /sbin/iptables -A INPUT -m connlimit
--connlimit-above 6 -j DROP
iptables: No chain/target/match by that name

   I have searched for this problem, someone said it maybe need to
load the ipt_connlimit module. I tried it, but it can not work. I
doubted that I have the wrong command.
   first I use '/sbin/modprobe ipt_connlimit' command ,and then I
reaceive the error 'FATAL: Module ipt_connlimit not found.'
   second, I use '/sbin/modprobe /lib/iptables/libipt_connlimit.so'
and then error comes again 'FATAL: Module
/lib/iptables/libipt_connlimit.so not found.'

   How to make it work ? I'm almost mad

Thank for your advise

Re: why can't use connlimit ??

[Rob Sterenborg]

On Fri, October 28, 2005 08:19, Buddy wu wrote:
>    I want to use connlimit to set the connections of each person to a
> certain number, but when I add a rule using iptables, error occured
> like these:
>
> [root@server1 linux]# /sbin/iptables -A INPUT -m connlimit
> --connlimit-above 6 -j DROP
> iptables: No chain/target/match by that name
>
>    I have searched for this problem, someone said it maybe need to
> load the ipt_connlimit module. I tried it, but it can not work. I
> doubted that I have the wrong command.
>    first I use '/sbin/modprobe ipt_connlimit' command ,and then I
> reaceive the error 'FATAL: Module ipt_connlimit not found.'
>    second, I use '/sbin/modprobe /lib/iptables/libipt_connlimit.so'
> and then error comes again 'FATAL: Module
> /lib/iptables/libipt_connlimit.so not found.'

Do you *have* ipt_connlimit ? (Try : "locate ipt_connlimit")

Also, AFAIK such module would be in
"/lib/modules/<kernel-version>/kernel/net/ipv4/netfilter".


Gr,
Rob

Re: why can't use connlimit ??

[Buddy wu]

In the System It has libipt_connlimit.so file. but don't have
ipt_connlimit.ko or .o file. Is this the reason why can't load the
connlimit module?
     If it's the reason , then need I recombile the kernel?
     I have done so, but When I patch the kernel with the latest patch
of POM, and comblie the kernel. errors occured. Just like I have said
-----------------------------------------------------------------
CC      net/ipv4/netfilter/ipt_connlimit.o
net/ipv4/netfilter/ipt_connlimit.c: In function `count_them':
net/ipv4/netfilter/ipt_connlimit.c:68: error: structure has no member
named `proto'
net/ipv4/netfilter/ipt_connlimit.c:94: error: structure has no member
named `infos'
net/ipv4/netfilter/ipt_connlimit.c:101: error: structure has no member
named `infos'
make[3]: *** [net/ipv4/netfilter/ipt_connlimit.o] Error 1
make[2]: *** [net/ipv4/netfilter] Error 2
make[1]: *** [net/ipv4] Error 2
make: *** [net] Error 2
----------------------------------------------------------
I don't know what's wrong with it . version conflict? or GCC version
not right? or other reason? I don't know why, can you help me?
thanks



2005/10/28, Rob Sterenborg <rob@sterenborg.info>:
> On Fri, October 28, 2005 08:19, Buddy wu wrote:
> >    I want to use connlimit to set the connections of each person to a
> > certain number, but when I add a rule using iptables, error occured
> > like these:
> >
> > [root@server1 linux]# /sbin/iptables -A INPUT -m connlimit
> > --connlimit-above 6 -j DROP
> > iptables: No chain/target/match by that name
> >
> >    I have searched for this problem, someone said it maybe need to
> > load the ipt_connlimit module. I tried it, but it can not work. I
> > doubted that I have the wrong command.
> >    first I use '/sbin/modprobe ipt_connlimit' command ,and then I
> > reaceive the error 'FATAL: Module ipt_connlimit not found.'
> >    second, I use '/sbin/modprobe /lib/iptables/libipt_connlimit.so'
> > and then error comes again 'FATAL: Module
> > /lib/iptables/libipt_connlimit.so not found.'
>
> Do you *have* ipt_connlimit ? (Try : "locate ipt_connlimit")
>
> Also, AFAIK such module would be in
> "/lib/modules/<kernel-version>/kernel/net/ipv4/netfilter".
>
>
> Gr,
> Rob
>
>
>
>

Re: why can't use connlimit ??

[Rob Sterenborg]

On Fri, October 28, 2005 09:27, Buddy wu wrote:
> In the System It has libipt_connlimit.so file. but don't have

In "the System" ? Where is that ?

> ipt_connlimit.ko or .o file. Is this the reason why can't load the
> connlimit module?

The .ko is for 2.6 kernels. For 2.4 it should be .o.

>      If it's the reason , then need I recombile the kernel?
>      I have done so, but When I patch the kernel with the latest patch
> of POM, and comblie the kernel. errors occured. Just like I have said
> -----------------------------------------------------------------
> CC      net/ipv4/netfilter/ipt_connlimit.o
> net/ipv4/netfilter/ipt_connlimit.c: In function `count_them':
> net/ipv4/netfilter/ipt_connlimit.c:68: error: structure has no member
> named `proto'
> net/ipv4/netfilter/ipt_connlimit.c:94: error: structure has no member
> named `infos'
> net/ipv4/netfilter/ipt_connlimit.c:101: error: structure has no member
> named `infos'
> make[3]: *** [net/ipv4/netfilter/ipt_connlimit.o] Error 1
> make[2]: *** [net/ipv4/netfilter] Error 2
> make[1]: *** [net/ipv4] Error 2
> make: *** [net] Error 2
> ----------------------------------------------------------
> I don't know what's wrong with it . version conflict? or GCC version
> not right? or other reason? I don't know why, can you help me?
> thanks

- So, what kernel version are you using ?
- What kernel did you try to patch ? If it's a distro kernel (like
RedHat, etc), try a vanilla kernel from www.kernel.org.
Other problems can arise if you use conflicting POM patches (some do
not play nice when used together).

Maybe this thread can be of help to you (if you use a 2.4 kernel) :
https://lists.netfilter.org/pipermail/netfilter/2004-January/050227.html


Gr,
Rob

Re: why can't use connlimit ??

[Buddy wu]

2005/10/28, Rob Sterenborg <rob@sterenborg.info>:
> On Fri, October 28, 2005 09:27, Buddy wu wrote:
> > In the System It has libipt_connlimit.so file. but don't have
>
> In "the System" ? Where is that ?
  In /lib/iptables  the system is just a new installation. it is
centos4 and the same to redhat as4. When i install the system, I can
found it in /lib/iptables directory

>
> > ipt_connlimit.ko or .o file. Is this the reason why can't load the
> > connlimit module?
>
> The .ko is for 2.6 kernels. For 2.4 it should be .o.
ya, thanks . and can you tell me the diffrent with .so files?
>
> >      If it's the reason , then need I recombile the kernel?
> >      I have done so, but When I patch the kernel with the latest patch
> > of POM, and comblie the kernel. errors occured. Just like I have said

>
> - So, what kernel version are you using ?
> - What kernel did you try to patch ? If it's a distro kernel (like
> RedHat, etc), try a vanilla kernel from www.kernel.org.
kernel version is 2.6.10, and I download from www.kernel.org
use the POM-20050801 or 20051025. they have the same problem

> Other problems can arise if you use conflicting POM patches (some do
> not play nice when used together).
But I'm puzzled with the errors. it said that the object don't have
'proto' member(the conflicting POM patches can make out these errors?
I think the structure should be same ).
>
> Maybe this thread can be of help to you (if you use a 2.4 kernel) :
> https://lists.netfilter.org/pipermail/netfilter/2004-January/050227.html
>
>
> Gr,
> Rob
>
>
>

Re: why can't use connlimit ??

[Rob Sterenborg]

On Fri, October 28, 2005 09:51, Buddy wu wrote:
...
> kernel version is 2.6.10, and I download from www.kernel.org
> use the POM-20050801 or 20051025. they have the same problem
...
> But I'm puzzled with the errors. it said that the object don't have
> 'proto' member(the conflicting POM patches can make out these errors?
> I think the structure should be same ).

What if you try with the latest POM and kernel (20051027 and 2.6.14
resp.) ?

I'm not a programmer so if this won't work, I don't know. I also find
it strange that you do have a .so, but not a .ko file.


Gr,
Rob

Re: why can't use connlimit ??

[Buddy wu]

>
> What if you try with the latest POM and kernel (20051027 and 2.6.14
> resp.) ?
>
> I'm not a programmer so if this won't work, I don't know. I also find
> it strange that you do have a .so, but not a .ko file.
>
>
> Gr,
> Rob

Thanks anyway.
I will try it, but i Don't think it can be work. Justnow I have read
an article, It paste parts of the source, but i found it is diffrent
with that in my machine. I don't know which is the 'right'. but that's
code not the latest, it maybe may or jul's.

here's the code of him
  if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
    found != NULL && (found_ct = tuplehash_to_ctrack(found)) != NULL &&
    found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {

anzhen then is in my machine
  if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
    found != NULL &&
    found->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {

you can found the diffrent with them. I think it is big. but I don't
know which will be right.
And He said he's code was not right too, should be modify to these:
  if (found != NULL && (found_ct = tuplehash_to_ctrack(found)) != NULL &&
    0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
    found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
or else it will be let the linux crazy, and the errors were (
<0>Kernel panic - not syncing: Fatal exception in interrupt)  ^_^

Re: why can't use connlimit ??

[/dev/rob0]

On Friday 2005-October-28 04:02, Rob Sterenborg wrote:
> I also find it strange that you do have a .so, but not a .ko file.

The .so is iptables(8)'s library (SO="shared object). The .ko is a 
kernel 2.6.x kernel module. Never having compiled iptables myself, I 
don't know for certain, but it seems that the iptables libraries are 
independent of the netfilter drivers. One could probably compile a 
fully-functional[1] iptables on a system with CONFIG_NETFILTER=n ... 
the only requirement being access to appropriate kernel sources.


[1] Fully-functional only under a kernel with CONFIG_NETFILTER=y, of 
course.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

RE: why can't use connlimit ??

[Rob Sterenborg]

>> I also find it strange that you do have a .so, but not a .ko file.
> 
> The .so is iptables(8)'s library (SO="shared object). The .ko
> is a kernel 2.6.x kernel module. Never having compiled

Yes I knew that (although I didn't mention this).
I just think it's strange that compiling iptables would produce a .so
file when compiling the kernel does not produce an accompanying .ko file
(except maybe when ipt_connlimit is not compiled as module, but that is
something we don't know ;-))


Gr,
Rob

Re: why can't use connlimit ??

[Buddy wu]

2005/10/29, /dev/rob0 <rob0@gmx.co.uk>:
> On Friday 2005-October-28 04:02, Rob Sterenborg wrote:
> > I also find it strange that you do have a .so, but not a .ko file.
>
> The .so is iptables(8)'s library (SO="shared object). The .ko is a
> kernel 2.6.x kernel module. Never having compiled iptables myself, I
> don't know for certain, but it seems that the iptables libraries are
> independent of the netfilter drivers. One could probably compile a
> fully-functional[1] iptables on a system with CONFIG_NETFILTER=n ...
> the only requirement being access to appropriate kernel sources.
>
do you mean iptalbes can work without netfilter? or I can use
connlimit function just only with a libipt_connlimit.so file? then how
to do it. I try to use modprobe to load the library, but it said to me
that no such module could be found. to load a .so fromat module need a
diffrent way?
>
> [1] Fully-functional only under a kernel with CONFIG_NETFILTER=y, of
> course.
> --
>     mail to this address is discarded unless "/dev/rob0"
>     or "not-spam" is in Subject: header
>
>

Re: why can't use connlimit ??

[Buddy wu]

> I just think it's strange that compiling iptables would produce a .so
> file when compiling the kernel does not produce an accompanying .ko file
> (except maybe when ipt_connlimit is not compiled as module, but that is
> something we don't know ;-))
>
   I want to tell you that the .so file is not produced when I combile
the iptables, but it born with the installation with the linux system.
And I try to complie the kernel with the latest POM, but I failed, it
tell me he can't find proto member in found object when he compile the
ipt_connlimit.c file. Is it want corresponding header(.h) file, but it
can't find in my source files?

RE: why can't use connlimit ??

[Rob Sterenborg]

> do you mean iptalbes can work without netfilter? or I can use

No. iptables is the userspace utility to set rules for netfilter.

> connlimit function just only with a libipt_connlimit.so file?
> then how to do it. I try to use modprobe to load the library,
> but it said to me that no such module could be found. to load
> a .so fromat module need a diffrent way?

The .so is not a kernel module but a shared object. You don't load
shared objects yourself.


Gr,
Rob

Re: why can't use connlimit ??

[Jozsef Kadlecsik]

On Sat, 29 Oct 2005, Buddy wu wrote:

> > I just think it's strange that compiling iptables would produce a .so
> > file when compiling the kernel does not produce an accompanying .ko file
> > (except maybe when ipt_connlimit is not compiled as module, but that is
> > something we don't know ;-))
> >
>    I want to tell you that the .so file is not produced when I combile
> the iptables, but it born with the installation with the linux system.
> And I try to complie the kernel with the latest POM, but I failed, it
> tell me he can't find proto member in found object when he compile the
> ipt_connlimit.c file. Is it want corresponding header(.h) file, but it
> can't find in my source files?

It seems that connlimit is unmaintained then.

You can try to find a kernel release which works with the patch in
pom-ng, i.e. uses the same structures. If that's done, then you should
definitely compile an iptables binary from source with the given patched
kernel.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: why can't use connlimit ??

[Buddy wu]

> The .so is not a kernel module but a shared object. You don't load
> shared objects yourself.
do you mean  if want to load a .so file, It must load be a programe?
just like the apache extensions?

>
> Gr,
> Rob
>
>
>