bugzilla-daemon@netfilter.org
2003-May-30 01:17 UTC
[Bug 95] New: inverse limit match doesn't work
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=95

           Summary: inverse limit match doesn't work
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: i386
        OS/Version: Mandrake Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ip_tables (kernel)
        AssignedTo: laforge@netfilter.org
        ReportedBy: email@cs-ware.de
                CC: netfilter-buglog@lists.netfilter.org

The inverse limit match seems to be broken:

  #iptables -A INPUT -m limit ! --limit 1/sec -j DROP

seems to be the same as

  #iptables -A INPUT -m limit --limit 1/sec -j DROP

Both result in:

  #iptables --list -n
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination
  DROP       all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5

But in the iptables Tutorial 1.1.19 by Oskar Andreasson
(http://iptables-tutorial.frozentux.net/chunkyhtml/matches.html#TABLE.LIMITMATCH)
there is written:

"The limit match may also be inverted by adding a ! flag in front of the limit
match. It would then be expressed as -m ! limit. This means that all packets
will be matched after they have broken the limit."

And in the iptables man-page there is written:

"A rule using this extension will match until this limit is reached (unless the
'!' flag is used)."

My configuration: iptables/1.2.8, Kernel 2.4.20 with POM 20030107 and
grsecurity-1.9.9h

Regards
Sven Strickroth

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
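Added example, not part of the bug report or of the netfilter project. The practical risk behind this report is that a DROP rule carrying a plain (non-inverted) limit match, as in the listing above, drops only the packets that fit inside the limit and lets everything beyond it through, which is the opposite of what the inverted form was meant to do. The script below shows the idiom that expresses "drop what exceeds the limit" without depending on inversion at all: in a dedicated chain, RETURN the packets that fit the limit, then DROP unconditionally. It also includes a small audit over `iptables --list -n` output that flags DROP rules whose only qualifier is a non-inverted limit. The chain name RATELIMIT, the rates and the sample listing are assumptions constructed for the example; rules are printed rather than applied, so it runs without root or iptables.

```shell
#!/bin/sh
# Added example (not from the bug report or netfilter): rate limiting by rule
# ordering instead of "! --limit", plus an audit of a saved listing.

# Print the rules for a chain that lets through up to RATE (with BURST)
# and drops the remainder. Nothing is applied; the commands are only printed.
# Usage: limit_chain CHAIN RATE BURST   (chain name is an assumption)
limit_chain() {
    chain=$1; rate=$2; burst=$3
    printf 'iptables -N %s\n' "$chain"
    # Packets that fit the limit match here and leave the chain.
    printf 'iptables -A %s -m limit --limit %s --limit-burst %s -j RETURN\n' \
        "$chain" "$rate" "$burst"
    # Anything reaching this point has exceeded the limit: log (itself
    # rate-limited so the log cannot be flooded) and drop.
    printf 'iptables -A %s -m limit --limit 3/min -j LOG --log-prefix "over-limit: "\n' \
        "$chain"
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# Count DROP rules in an "iptables --list -n" listing whose limit match shows
# no inversion marker. Such a rule drops the first packets of a burst and
# passes the rest, which is the failure mode described in the report.
# Usage: count_limited_drops "LISTING_TEXT"   -> prints the count
count_limited_drops() {
    printf '%s\n' "$1" | awk '
        $1 == "DROP" && /limit: avg/ && !/!/ { n++ }
        END { print n + 0 }'
}

# Constructed sample listing (not real output from the reporter's host).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 limit: avg 3/min burst 5
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID'

# Stand-alone run: show the ordering-based chain and audit the sample listing.
limit_chain RATELIMIT 1/sec 5
printf 'DROP rules with a plain limit match in sample listing: %s\n' \
    "$(count_limited_drops "$SAMPLE_LISTING")"
```

To use the chain, jump to it from the rule that selects the traffic (for example `iptables -A INPUT -p tcp --dport 22 --syn -j RATELIMIT`); packets within the limit return to INPUT and continue down the remaining rules, packets beyond it are logged and dropped. The audit only reads a listing, so it can be run against the output of `iptables --list -n` saved from any host.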