bugzilla-daemon at netfilter.org
2013-Oct-09  09:12 UTC
[Bug 857] New: ConnLimit unable to work properly
https://bugzilla.netfilter.org/show_bug.cgi?id=857
           Summary: ConnLimit unable to work properly
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: RedHat Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: priyaja at cisco.com
   Estimated Hours: 0.0
Hi,
I have used connLimit to limit the number of connections on a specific port, but it
is unable to limit the number of connections. I have run 2 scenarios and in both,
connLimit works differently:
Case 1:
Set the connLimit value to 20000, run the tcp flood at a slow rate (say 100
packets/sec). In this case connLimit works properly and stops creating
connections beyond 20000.
Case 2:
Set the connLimit value to 20000, run the tcp flood at a high rate (say 400
packets/sec). In this case connLimit doesn't work and is unable to stop the number
of connections when it crosses the limit.
As per my understanding, iptables rules are used to prevent DoS attacks, so rules
should work irrespective of the number of packets sent or the connLimit value.
Using iptables version: v1.4.7
OS used: Red Hat Enterprise Linux Server release 6.2
Please let me know if I have missed some configuration, or if it is a known bug.
Thanks & Regards,
Priya Jain
-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
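The reporter never posted the ruleset that Phil asks for below, so the only thing a reader can take from the thread is the configuration question itself: what a connlimit rule actually counts. The following audit script is an added example, not part of the bug report or of the iptables project. It parses `iptables-save` style lines (the sample ruleset embedded in it is constructed for illustration) and reports, for each `-m connlimit` rule, the prefix length the counter is keyed on (`--connlimit-mask`, default 32 for IPv4, so per source host) and whether the rule is restricted to connection attempts with `--syn`; those are the two settings that decide whether a limit like the reporter's 20000 bounds connections from all sources together or only per source address.

```python
"""Audit iptables-save output for connlimit rules (added example, not from bug 857)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `iptables-save` output. The reporter never posted a
# ruleset, so these lines are invented to illustrate the audit, not taken from the bug.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 20000 --connlimit-mask 32 -j DROP
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20000 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# --connlimit-above / --connlimit-upto / --connlimit-mask <number>
CONNLIMIT_OPT = re.compile(r"--connlimit-(above|upto|mask)\s+(\d+)")


@dataclass
class ConnlimitRule:
    chain: str
    dport: Optional[int]
    mode: str          # "above" or "upto"
    limit: int
    mask: int          # prefix length the connection counter is keyed on
    syn_only: bool     # rule restricted to connection attempts (--syn or equivalent)
    target: str
    raw: str


def parse_connlimit_rules(save_text: str) -> List[ConnlimitRule]:
    """Extract every -A rule that uses the connlimit match."""
    rules: List[ConnlimitRule] = []
    for line in save_text.splitlines():
        line = line.strip()
        if not line.startswith("-A ") or "-m connlimit" not in line:
            continue
        tokens = line.split()
        chain = tokens[1]
        opts = {k: int(v) for k, v in CONNLIMIT_OPT.findall(line)}
        mode = "upto" if "upto" in opts else "above"
        limit = opts.get(mode)
        if limit is None:
            continue  # malformed: connlimit match without a threshold
        mask = opts.get("mask", 32)  # iptables default for IPv4 is a /32, i.e. per host
        dport_m = re.search(r"--dport\s+(\d+)", line)
        dport = int(dport_m.group(1)) if dport_m else None
        # --syn is shorthand for --tcp-flags FIN,SYN,RST,ACK SYN
        flags_m = re.search(r"--tcp-flags\s+\S+\s+(\S+)", line)
        syn_only = "--syn" in tokens or (flags_m is not None and flags_m.group(1) == "SYN")
        target_m = re.search(r"\s-j\s+(\S+)", line)
        target = target_m.group(1) if target_m else "(none)"
        rules.append(ConnlimitRule(chain, dport, mode, limit, mask, syn_only, target, line))
    return rules


def audit(rules: List[ConnlimitRule]) -> List[str]:
    """Explain what each connlimit rule bounds, and flag rules not limited to --syn."""
    findings: List[str] = []
    for r in rules:
        where = f"{r.chain} dport={r.dport if r.dport is not None else 'any'}"
        if r.mask == 32:
            findings.append(f"{where}: limit {r.limit} is per source host (mask 32); "
                            "each distinct source address gets its own budget")
        elif r.mask == 0:
            findings.append(f"{where}: limit {r.limit} is global (mask 0); "
                            "all sources share one counter")
        else:
            findings.append(f"{where}: limit {r.limit} is per /{r.mask} source prefix")
        if not r.syn_only:
            findings.append(f"{where}: no --syn restriction; {r.target} applies to every "
                            "packet of flows above the limit, not just new connection attempts")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_connlimit_rules(SAMPLE_RULESET)):
        print(finding)
```

Run it against real output with `iptables-save | python3 audit_connlimit.py`-style piping by replacing `SAMPLE_RULESET` with `sys.stdin.read()`; the point of the mask finding is that a per-host (mask 32) limit says nothing about the total number of connections the box will accept from many distinct sources, which is the first thing to check when a connection limit seems not to hold.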
bugzilla-daemon at netfilter.org
2013-Oct-13  15:04 UTC
[Bug 857] ConnLimit unable to work properly
https://bugzilla.netfilter.org/show_bug.cgi?id=857
Phil Oester <netfilter at linuxace.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com
--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-10-13 17:04:35 CEST ---
What kernel version?  Have you tested with a recent kernel.org kernel?
Also - what does your ruleset look like?
bugzilla-daemon at netfilter.org
2013-Oct-21  20:53 UTC
[Bug 857] ConnLimit unable to work properly
https://bugzilla.netfilter.org/show_bug.cgi?id=857
--- Comment #2 from Phil Oester <netfilter at linuxace.com> 2013-10-21 22:53:42 CEST ---
Priyaja: please respond to follow up questions.
bugzilla-daemon at netfilter.org
2013-Nov-30  22:06 UTC
[Bug 857] ConnLimit unable to work properly
https://bugzilla.netfilter.org/show_bug.cgi?id=857
Phil Oester <netfilter at linuxace.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME
--- Comment #3 from Phil Oester <netfilter at linuxace.com> 2013-11-30 23:06:49 CET ---
Giving up on receiving an answer to multiple requests for additional
information.  Closing.