Linux Netfilter discussions
* Throttling by 'limit' in one chain fails whenever a *different* chain is modified
@ 2004-12-15 23:44 Paul Kosinski
From: Paul Kosinski @ 2004-12-15 23:44 UTC (permalink / raw)
  To: netfilter

Hi,

I have set up a moderately complicated firewall which has (among other things) two dynamic chains whose rules are changed several times per hour. The rule changing is done by first flushing the chain and then adding the new rules. Let's call these two chains DYNAMIC1 and DYNAMIC2, so the script reads thus (details of rules omitted):

  iptables -F DYNAMIC1
  iptables -F DYNAMIC2

  if [proper time of hour]; then
    iptables -A DYNAMIC1 [allow some packets]
    iptables -A DYNAMIC2 [allow other packets]
  fi

In another section of the firewall, I have the following chain whose purpose is to log very occasionally some continually arriving tunnel packets (just to see when the tunnel is active).

  iptables -A TUNLOG                                 \
           -m state --state ESTABLISHED              \
           -m limit --limit 1/hour --limit-burst 1   \
           -j LOG --log-prefix "iptables: Tun ...  "

  iptables -A TUNLOG                                 \
           -m state --state NEW                      \
           -m limit --limit 1/minute --limit-burst 1 \
           -j LOG --log-prefix "iptables: Tun-New  "
  
  iptables -A TUNLOG                                 \
           -m state --state RELATED                  \
           -m limit --limit 1/minute --limit-burst 1 \
           -j LOG --log-prefix "iptables: Tun-Rel  "
  
  iptables -A TUNLOG                                 \
           -m state --state INVALID                  \
           -m limit --limit 1/minute --limit-burst 1 \
           -j LOG --log-prefix "iptables: Tun-Bad  "
  
  iptables -A TUNLOG                                 \
           -j ACCEPT

The problem I experience is that whenever the dynamic-rule script fires, I get a log entry for an established-tunnel packet. Since the first script fires N times per hour, I get N times as many log entries for the tunnel as I want. This makes my examination of the firewall log more tedious and error-prone than it should be.

This seems to me to be a bug in iptables/netfilter. I am using iptables 1.2.11 and kernel 2.4.28 with the ebtables patch 'ebtables-brnf-8_vs_2_4_28_diff'.

Paul Kosinski
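The behaviour described in this message follows from how the limit match keeps its state: each rule carries a private token bucket (a "credit" counter that refills with elapsed time and is capped at burst times the per-packet cost), and because iptables installs every change by replacing the whole table, every rule in that table, including the TUNLOG ones, is re-created with a full bucket on each flush or append. The simulation below is an added example, not part of the original message, and it models that bucket in floating-point seconds rather than the kernel's fixed-point credit units. It feeds a steady stream of established-tunnel packets through a 1/hour, burst 1 limit and counts how many would be logged in one hour with and without table reloads at the times the dynamic script would fire (the packet interval and reload times are constructed for the example).

```python
"""Simulate the iptables 'limit' match token bucket and the effect of table reloads.

Added illustration; the LimitMatch class is a simplified model of the kernel's
credit-based limit match (floating-point seconds instead of fixed-point credits).
"""


class LimitMatch:
    """One rule's limit-match state: a bucket of 'credit' measured in seconds."""

    def __init__(self, rate_per_sec: float, burst: int, now: float) -> None:
        # Each matching packet consumes 1/rate seconds of credit.
        self.cost = 1.0 / rate_per_sec
        # The bucket never holds more than 'burst' packets' worth of credit,
        # and it starts full, which is why a freshly loaded rule matches at once.
        self.cap = burst * self.cost
        self.credit = self.cap
        self.prev = now

    def match(self, now: float) -> bool:
        """Return True if a packet arriving at 'now' passes the limit."""
        # Refill credit with the time elapsed since the previous packet, capped.
        self.credit = min(self.cap, self.credit + (now - self.prev))
        self.prev = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def count_logged(reload_times: set[int], packet_interval: int = 10,
                 horizon: int = 3600) -> int:
    """Count packets a 1/hour, burst 1 rule would log within 'horizon' seconds.

    A reload at time t models the dynamic-rule script replacing the table just
    before the packet at t arrives: the rule's bucket is re-created full.
    """
    rule = LimitMatch(rate_per_sec=1 / 3600, burst=1, now=0)
    logged = 0
    for t in range(0, horizon, packet_interval):
        if t in reload_times:
            # Table replacement: every rule, including this one, gets fresh state.
            rule = LimitMatch(rate_per_sec=1 / 3600, burst=1, now=t)
        if rule.match(t):
            logged += 1
    return logged


def compare(reloads_per_hour: int) -> tuple[int, int]:
    """Return (log lines without reloads, log lines with N evenly spaced reloads)."""
    # Constructed schedule: N reloads spread evenly across the hour, none at t=0.
    reload_times = {(3600 // reloads_per_hour) * k for k in range(1, reloads_per_hour)}
    return count_logged(set()), count_logged(reload_times)


if __name__ == "__main__":
    steady, with_reloads = compare(reloads_per_hour=4)
    print(f"log lines per hour without reloads: {steady}")
    print(f"log lines per hour with 3 reloads:  {with_reloads}")
```

Each reload hands the 1/hour rule a full bucket again, so the next tunnel packet is logged immediately; the extra entries are exactly one per table replacement, which matches the "N times as many" observation above. The same reset applies to every stateful match in the table, not only to rules in the chain being flushed.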
