* Connlimit and linux-2.6.17
From: Andrew Beverley @ 2006-07-16 21:53 UTC
To: netfilter

I am having trouble using connlimit with kernel 2.6.17.4 and iptables-1.3.5-20060508. When I run:

    iptables -t mangle -A PREROUTING -p tcp -i eth0 -m \
        connlimit --connlimit-above 5 -j LOG

I get "iptables: Invalid argument"

The kernel and iptables are patched with patch-o-matic-ng-20060626, which in turn is patched as per http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=3456 to update the connlimit patch.

I have noticed that when compiling the kernel I get error messages as follows when compiling connlimit:

    net/ipv4/netfilter/ipt_connlimit.c:211: warning: initialization from incompatible pointer type
    net/ipv4/netfilter/ipt_connlimit.c:212: warning: initialization from incompatible pointer type
    net/ipv4/netfilter/ipt_connlimit.c:213: warning: initialization from incompatible pointer type

The above error messages do not appear when using 2.6.15, and connlimit works.

Any ideas?

On another note, will connlimit ever form part of the stable kernel? It is a real pain having to mess around patching each time I get a new kernel, especially as currently the patch-o-matic also requires patching!

Andy Beverley
* Connlimit and linux-2.6.17
From: Adlan @ 2006-07-19 15:13 UTC
To: netfilter

Hi.

I got similar problems after I moved to 2.6.17.6 from 2.6.14
I've downloaded latest POM and patched kernel manually
I didn't notice if there were any warnings when building kernel.
Iptables version is 1.3.5, built against 2.5.17.6 kernel

This is what I get when I try to use connlimit match

    m64:~# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j REJECT
    iptables: Unknown error 18446744073709551615
    m64:~# iptables -I INPUT -p tcp --syn --dport 80 -j DROP -m connlimit --connlimit-above 10
    iptables: Unknown error 18446744073709551615

Architecture is x86_64, actually amd64

here's a part of lsmod output:

    Module                  Size  Used by
    xt_MARK                 3456  0
    xt_multiport            4288  0
    ipt_connlimit           4032  0
    ip_conntrack           68020  1 ipt_connlimit
    nfnetlink               9096  1 ip_conntrack
    xt_tcpudp               4352  0
    iptable_filter          3840  0
    ip_tables              23648  1 iptable_filter
    x_tables               20488  5 xt_MARK,xt_multiport,ipt_connlimit,xt_tcpudp,ip_tables
    ipv6                  312128  28

Kernel config:

    #
    # Core Netfilter Configuration
    #
    CONFIG_NETFILTER_NETLINK=m
    CONFIG_NETFILTER_NETLINK_QUEUE=m
    CONFIG_NETFILTER_NETLINK_LOG=m
    CONFIG_NETFILTER_XTABLES=m
    CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
    CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
    CONFIG_NETFILTER_XT_TARGET_MARK=m
    CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
    CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
    CONFIG_NETFILTER_XT_MATCH_COMMENT=m
    CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
    CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
    CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
    CONFIG_NETFILTER_XT_MATCH_DCCP=m
    CONFIG_NETFILTER_XT_MATCH_ESP=m
    CONFIG_NETFILTER_XT_MATCH_HELPER=m
    CONFIG_NETFILTER_XT_MATCH_LENGTH=m
    CONFIG_NETFILTER_XT_MATCH_LIMIT=m
    CONFIG_NETFILTER_XT_MATCH_MAC=m
    CONFIG_NETFILTER_XT_MATCH_MARK=m
    CONFIG_NETFILTER_XT_MATCH_POLICY=m
    CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
    CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
    CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
    CONFIG_NETFILTER_XT_MATCH_REALM=m
    CONFIG_NETFILTER_XT_MATCH_SCTP=m
    CONFIG_NETFILTER_XT_MATCH_STATE=m
    CONFIG_NETFILTER_XT_MATCH_STRING=m
    CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

    #
    # IP: Netfilter Configuration
    #
    CONFIG_IP_NF_CONNTRACK=m
    CONFIG_IP_NF_CT_ACCT=y
    CONFIG_IP_NF_CONNTRACK_MARK=y
    CONFIG_IP_NF_CONNTRACK_EVENTS=y
    CONFIG_IP_NF_CONNTRACK_NETLINK=m
    CONFIG_IP_NF_CT_PROTO_SCTP=m
    CONFIG_IP_NF_FTP=m
    CONFIG_IP_NF_IRC=m
    CONFIG_IP_NF_NETBIOS_NS=m
    CONFIG_IP_NF_TFTP=m
    CONFIG_IP_NF_AMANDA=m
    CONFIG_IP_NF_PPTP=m
    CONFIG_IP_NF_H323=m
    CONFIG_IP_NF_QUEUE=m
    CONFIG_IP_NF_IPTABLES=m
    CONFIG_IP_NF_MATCH_IPRANGE=m
    CONFIG_IP_NF_MATCH_TOS=m
    CONFIG_IP_NF_MATCH_RECENT=m
    CONFIG_IP_NF_MATCH_ECN=m
    CONFIG_IP_NF_MATCH_DSCP=m
    CONFIG_IP_NF_MATCH_AH=m
    CONFIG_IP_NF_MATCH_TTL=m
    CONFIG_IP_NF_MATCH_OWNER=m
    CONFIG_IP_NF_MATCH_ADDRTYPE=m
    CONFIG_IP_NF_MATCH_HASHLIMIT=m
    CONFIG_IP_NF_FILTER=m
    CONFIG_IP_NF_TARGET_REJECT=m
    CONFIG_IP_NF_TARGET_LOG=m
    CONFIG_IP_NF_TARGET_ULOG=m
    CONFIG_IP_NF_TARGET_TCPMSS=m
    CONFIG_IP_NF_NAT=m
    CONFIG_IP_NF_NAT_NEEDED=y
    CONFIG_IP_NF_TARGET_MASQUERADE=m
    CONFIG_IP_NF_TARGET_REDIRECT=m
    CONFIG_IP_NF_TARGET_NETMAP=m
    CONFIG_IP_NF_TARGET_SAME=m
    CONFIG_IP_NF_NAT_SNMP_BASIC=m
    CONFIG_IP_NF_NAT_IRC=m
    CONFIG_IP_NF_NAT_FTP=m
    CONFIG_IP_NF_NAT_TFTP=m
    CONFIG_IP_NF_NAT_AMANDA=m
    CONFIG_IP_NF_NAT_PPTP=m
    CONFIG_IP_NF_NAT_H323=m
    CONFIG_IP_NF_MANGLE=m
    CONFIG_IP_NF_TARGET_TOS=m
    CONFIG_IP_NF_TARGET_ECN=m
    CONFIG_IP_NF_TARGET_DSCP=m
    CONFIG_IP_NF_TARGET_TTL=m
    CONFIG_IP_NF_TARGET_CLUSTERIP=m
    CONFIG_IP_NF_RAW=m
    CONFIG_IP_NF_ARPTABLES=m
    CONFIG_IP_NF_ARPFILTER=m
    CONFIG_IP_NF_ARP_MANGLE=m
    CONFIG_IP_NF_MATCH_CONNLIMIT=m

and, finally dmesg tells me:

    ip_tables: connlimit match: invalid size 0 != 24
    ip_tables: connlimit match: invalid size 0 != 24

Thank you.

Adlan
* Re: Connlimit and linux-2.6.17
From: Andrew Beverley @ 2006-07-19 21:21 UTC
To: Adlan; +Cc: netfilter

> I got similar problems after I moved to 2.6.17.6 from 2.6.14
> I've downloaded latest POM and patched kernel manually
> I didn't notice if there were any warnings when building kernel.

I suspect the warnings I got mean it's got problems - but I am not a C programmer! The code in question is the highlighted lines below:

    static struct ipt_match connlimit_match = {
        .name       = "connlimit",
        .match      = &match,       <--
        .checkentry = &check,       <--
        .destroy    = &destroy,     <--
        .me         = THIS_MODULE
    };

> This is what I get when I try to use connlimit match
>
> iptables: Unknown error 18446744073709551615

I was getting a very similar error when using iptables 1.3.5. The error changed to "iptables: Invalid argument" when I used iptables-1.3.5-20060508.

> and, finally dmesg tells me:
>
> ip_tables: connlimit match: invalid size 0 != 24
> ip_tables: connlimit match: invalid size 0 != 24

I get 'connlimit match: invalid size 0 != 16'

I will email netfilter-devel and see if I can get an answer there. It looks like no one is maintaining connlimit - last date in the code is 2002!

Andy Beverley
* Re: Connlimit and linux-2.6.17
From: Andrew Beverley @ 2006-07-19 22:45 UTC
To: Krzysztof Oledzki; +Cc: martin.bene, netfilter-devel, netfilter, kraxel

>> I (and others, see netfilter list) are having trouble compiling kernel
>> 2.6.17.4 and iptables-1.3.5-20060508 to use connlimit. Once compiled
>> in and I run:

<snip>

> Yes, the API was changed in 2.6.17, so small fixes are required to allow
> extensions to work. I'm currently traveling a lot so connlimit & TARPIT
> is still on my TODO list. I'm going to finish it ASAP but with limited
> GPRS/EDGE access it is not so simple.

Many thanks. I do not envy you working through GPRS - very tedious!

Will it still be a patch or is it possible to get it in the stable kernel?

Andy Beverley
* Re: Connlimit and linux-2.6.17
From: Krzysztof Oledzki @ 2006-07-21 20:06 UTC
To: Andrew Beverley
Cc: martin.bene, netfilter-devel, netfilter, adlan.elm, kraxel

On Wed, 19 Jul 2006, Andrew Beverley wrote:

>>> I (and others, see netfilter list) are having trouble compiling kernel
>>> 2.6.17.4 and iptables-1.3.5-20060508 to use connlimit. Once compiled in
>>> and I run:
>
> <snip>
>
>> Yes, the API was changed in 2.6.17, so small fixes are required to allow
>> extensions to work. I'm currently traveling a lot so connlimit & TARPIT is
>> still on my TODO list. I'm going to finish it ASAP but with limited
>> GPRS/EDGE access it is not so simple.
>
> Many thanks.

OK, I fixed the connlimit extension. Please:

- download recent version of patch-o-matic-ng
- remove "patchlets/connlimit" directory from extracted pom-ng
- run "./runme --download"
- patch & recompile your kernel, as always
- tell me if it works (or not).

> I do not envy you working through GPRS - very tedious!

GPRS/EDGE is not so bad, especially if you don't have anything better. ;)

> Will it still be a patch or is it possible to get it in the stable kernel?

Connlimit goes to my external pom-ng repository.

Best regards,

Krzysztof Olędzki
* Re: Connlimit and linux-2.6.17
From: Andrew Beverley @ 2006-07-21 20:23 UTC
To: Krzysztof Oledzki
Cc: martin.bene, netfilter-devel, netfilter, adlan.elm, kraxel

>>>> I (and others, see netfilter list) are having trouble compiling
>>>> kernel 2.6.17.4 and iptables-1.3.5-20060508 to use connlimit. Once
>>>> compiled in and I run:
>
> OK, I fixed the connlimit extension.

Excellent!

>
> - download recent version of patch-o-matic-ng
>
> - remove "patchlets/connlimit" directory from extracted pom-ng
>
> - run "./runme --download"

I've downloaded 20060720 but when I run --download I get:

    could not get /index
    could not get http://mynodes.net/pub/linux/netfilter/patchlets/index
    could not get /index
    could not get http://www.nucleus.it/pom-repo/index
    could not get /index
    could not get http://people.netfilter.org/ole/pom//index

and connlimit does not appear. Am I doing something stupid?

>> Will it still be a patch or is it possible to get it in the stable
>> kernel?
>
> Connlimit goes to my external pom-ng repository.
>

Ok, but I would *really* like to see this in the stable kernel! Who do I contact to encourage it to be included? IMHO it's been stable for years!

Many thanks,

Andy
* Re: Connlimit and linux-2.6.17
From: Krzysztof Oledzki @ 2006-07-21 20:32 UTC
To: Andrew Beverley
Cc: martin.bene, netfilter-devel, netfilter, adlan.elm, kraxel

On Fri, 21 Jul 2006, Andrew Beverley wrote:

>>>>> I (and others, see netfilter list) are having trouble compiling kernel
>>>>> 2.6.17.4 and iptables-1.3.5-20060508 to use connlimit. Once compiled in
>>>>> and I run:
>>
>> OK, I fixed the connlimit extension.
>
> Excellent!
>
>>
>> - download recent version of patch-o-matic-ng
>>
>> - remove "patchlets/connlimit" directory from extracted pom-ng
>>
>> - run "./runme --download"
>
> I've downloaded 20060720 but when I run --download I get:
>
> could not get /index
> could not get http://mynodes.net/pub/linux/netfilter/patchlets/index
> could not get /index
> could not get http://www.nucleus.it/pom-repo/index
> could not get /index
> could not get http://people.netfilter.org/ole/pom//index
>
> and connlimit does not appear. Am I doing something stupid?

It seems you don't have curl installed, which is required to use external pom-ng repositories.

Best regards,

Krzysztof Olędzki
* Re: Connlimit and linux-2.6.17
From: Andrew Beverley @ 2006-07-21 23:30 UTC
To: Krzysztof Oledzki
Cc: kraxel, martin.bene, netfilter-devel, netfilter, adlan.elm

>>>> I (and others, see netfilter list) are having trouble compiling
>>>> kernel 2.6.17.4 and iptables-1.3.5-20060508 to use connlimit. Once
>>>> compiled in and I run:
>>
>> <snip>
>>
>>> Yes, the API was changed in 2.6.17, so small fixes are required to
>>> allow extensions to work. I'm currently traveling a lot so connlimit
>>> & TARPIT is still on my TODO list. I'm going to finish it ASAP but
>>> with limited GPRS/EDGE access it is not so simple.
>
> OK, I fixed the connlimit extension. Please:
> - tell me if it works (or not).

Yes, many thanks, I've just compiled the patched kernel and connlimit seems to work fine.

Andy
* Re: Connlimit and linux-2.6.17
From: Andrew Beverley @ 2006-07-22 0:10 UTC
To: Krzysztof Oledzki; +Cc: kraxel, martin.bene, netfilter-devel, netfilter

>>>> I (and others, see netfilter list) are having trouble compiling
>>>> kernel 2.6.17.4 and iptables-1.3.5-20060508 to use connlimit. Once
>>>> compiled in and I run:
>>
>> <snip>
>>
>>> Yes, the API was changed in 2.6.17, so small fixes are required to
>>> allow extensions to work. I'm currently traveling a lot so connlimit
>>> & TARPIT is still on my TODO list. I'm going to finish it ASAP but
>>> with limited GPRS/EDGE access it is not so simple.
>
> OK, I fixed the connlimit extension. Please:
>
> - tell me if it works (or not).
>

I forgot to mention - I get a lot of 'ipt_connlimit: Oops: invalid ct state' error messages scrolling up the screen. Is it safe for me to edit ipt_connlimit.c to not print them? Or are they telling me there is something wrong with my setup?

Thanks,

Andy
* Re: Connlimit and linux-2.6.17
From: Krzysztof Oledzki @ 2006-07-22 0:37 UTC
To: Andrew Beverley
Cc: kraxel, martin.bene, netfilter-devel, netfilter, adlan.elm

On Sat, 22 Jul 2006, Andrew Beverley wrote:

>>>>> I (and others, see netfilter list) are having trouble compiling kernel
>>>>> 2.6.17.4 and iptables-1.3.5-20060508 to use connlimit. Once compiled in
>>>>> and I run:
>>>
>>> <snip>
>>>
>>>> Yes, the API was changed in 2.6.17, so small fixes are required to allow
>>>> extensions to work. I'm currently traveling a lot so connlimit & TARPIT
>>>> is still on my TODO list. I'm going to finish it ASAP but with limited
>>>> GPRS/EDGE access it is not so simple.
>>
>> OK, I fixed the connlimit extension. Please:
>>
>> - tell me if it works (or not).
>>
>
> I forgot to mention - I get a lot of 'ipt_connlimit: Oops: invalid ct state'
> error messages scrolling up the screen.

But when did it start? In 2.6.17?

> Is it safe for me to edit
> ipt_connlimit.c to not print them? Or are they telling me there is something
> wrong with my setup?

Please try adding "-m conntrack --ctstate INVALID -j DROP" before "-m connlimit (...)". Did it help?

Best regards,

Krzysztof Olędzki
* Re: Connlimit and linux-2.6.17
From: Andrew Beverley @ 2006-07-22 9:34 UTC
To: Krzysztof Oledzki; +Cc: netfilter, martin.bene, kraxel, netfilter-devel

Krzysztof Oledzki wrote:
>
>
> On Sat, 22 Jul 2006, Andrew Beverley wrote:
>
>>>>>> I (and others, see netfilter list) are having trouble compiling
>>>>>> kernel 2.6.17.4 and iptables-1.3.5-20060508 to use connlimit. Once
>>>>>> compiled in and I run:
>>>>
>>>> <snip>
>>>>
>>>>> Yes, the API was changed in 2.6.17, so small fixes are required to
>>>>> allow extensions to work. I'm currently traveling a lot so
>>>>> connlimit & TARPIT is still on my TODO list. I'm going to finish it
>>>>> ASAP but with limited GPRS/EDGE access it is not so simple.
>>>
>>> OK, I fixed the connlimit extension. Please:
>>>
>>> - tell me if it works (or not).
>>>
>>
>> I forgot to mention - I get a lot of 'ipt_connlimit: Oops: invalid ct
>> state' error messages scrolling up the screen.
>
> But when did it start? In 2.6.17?

Sorry - should have said. It has always done it. I thought I'd take the opportunity to ask as I've never found the answer.

>
>> Is it safe for me to edit ipt_connlimit.c to not print them? Or are
>> they telling me there is something wrong with my setup?
>
> Please try adding "-m conntrack --ctstate INVALID -j DROP" before "-m
> connlimit (...)". Did it help?

Yes, that sorts it. I have a lot of clients on my network and these look like they're generated by some p2p software of one PC.

Many thanks,

Andy
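The rule ordering suggested in the last two messages (an INVALID-state drop ahead of every connlimit rule) is easy to lose when a ruleset is edited later. The following is an added example, not code from the thread or from patch-o-matic: a POSIX sh/awk check over an iptables-save style ruleset that flags any "-m connlimit" rule whose chain has no preceding INVALID drop. The function name and the two sample rulesets are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every "-m connlimit" rule in a
# chain is preceded, in the same chain, by a rule dropping INVALID conntrack state.
# A packet with no valid conntrack state reaching connlimit is what produces the
# "ipt_connlimit: Oops: invalid ct state" messages discussed above, so the guard
# must come first. Both "-m conntrack --ctstate INVALID" and the older
# "-m state --state INVALID" spelling are accepted as the guard.
# Input:  iptables-save format on stdin.
# Output: one line per unguarded connlimit rule; exit 0 if none, 1 otherwise.

check_connlimit_guard() {
    awk '
        # A new table starts: forget which chains are guarded.
        /^\*/ { table = substr($0, 2); for (c in guarded) delete guarded[c]; next }
        /^-A / {
            chain = $2
            if ($0 ~ /-m (conntrack --ctstate|state --state) INVALID/ && $0 ~ /-j DROP/) {
                guarded[chain] = 1
            } else if ($0 ~ /-m connlimit/ && !(chain in guarded)) {
                printf "%s/%s: connlimit rule not preceded by INVALID drop: %s\n", table, chain, $0
                bad++
            }
        }
        END { exit (bad > 0) }'
}

# Constructed sample rulesets in iptables-save format (not taken from the thread).
RULES_UNGUARDED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 10 -j REJECT
COMMIT'

RULES_GUARDED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 10 -j REJECT
COMMIT'

# Stand-alone run: the first sample is flagged, the second passes.
printf '%s\n' "$RULES_UNGUARDED" | check_connlimit_guard || echo "unguarded ruleset flagged"
printf '%s\n' "$RULES_GUARDED" | check_connlimit_guard && echo "guarded ruleset passes"
```

On a live box, feed it the real ruleset with `iptables-save | check_connlimit_guard`.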