bugzilla-daemon at netfilter.org
2017-Aug-17 05:36 UTC
[Bug 1170] New: limit-burst is not fully consumed and rule stops matching
https://bugzilla.netfilter.org/show_bug.cgi?id=1170

            Bug ID: 1170
           Summary: limit-burst is not fully consumed and rule stops matching
           Product: netfilter/iptables
           Version: unspecified
          Hardware: x86_64
                OS: Ubuntu
            Status: NEW
          Severity: major
          Priority: P5
         Component: ip_tables (kernel)
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: emailsummerhome at gmail.com

Using the limit module, with the limit-burst option, I can successfully enter a rule that contains a limit and limit-burst. However, when I then send connections to this server, the rule only matches for a fraction of the specified limit-burst connections. Then the rule stops matching.

EXAMPLE:

Apache keepalives are off and I want to limit connections to around a maximum of 500 per month. I specify limit 18/day, limit-burst 500.

Rules are added as follows:

  sudo ipset create TESTCLIENT hash:net
  sudo ipset add TESTCLIENT 165.227.31.204
  sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  sudo iptables -A INPUT -p tcp -m set --match-set TESTCLIENT src -m tcp --dport 80 -m limit --limit 18/day --limit-burst 500 -j ACCEPT
  sudo iptables -A INPUT -p tcp -m set --match-set TESTCLIENT src -m tcp --dport 80 -m comment --comment "over test quota" -j LOG
  sudo iptables -A INPUT -p tcp -m tcp --dport 80 -m comment --comment "fast failures" -j REJECT --reject-with tcp-reset

I wrote a simple bash script on my TESTCLIENT system which uses curl to connect and download the index page on this webserver in a loop.

EXPECTED RESULTS:

I expect to be able to fairly quickly use all 500 connections (keepalives are off) and then, after a day passes, have 18 new connections available for use again. If no more connections are made, then after 28 days all 500 connections are available (the burst is completely refilled).

ACTUAL RESULTS:

What actually happened is that my test script made 24 successful connections and the rest of the connections were rejected. I can also see on the server's iptables listing that the ACCEPT rule matched 24 times, but no more, even though the limit-burst was set to 500.

TESTED PLATFORMS:

CentOS 6.8 x64 (iptables v1.4.7) and Ubuntu 16.04 x64 (iptables v1.6.0) - behavior is the same on both with these same limit and limit-burst options. Both are VMs running in DigitalOcean datacenter SFO2.

ADDITIONAL INFO:

Interestingly enough, using different values for limit and limit-burst, I'm able to get expected results.

In the first case I used --limit 10/hour --limit-burst 50. I was able to make 50 successful connections to this server (same Ubuntu server previously mentioned) and the 51st connection was rejected.

In the second case, I used --limit 500/day --limit-burst 500. I was able to make 500 successful connections to this server (same Ubuntu server previously mentioned) and the 501st connection was rejected. However, "recharging" the burst in a single day is not desired.

Thanks in advance
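An added example, not part of the bug report or of the netfilter code: a Python model of the xt_limit credit bucket, used to check what a large --limit-burst at a very low rate turns into when the credit values are 32-bit. The constants and the user2credits() rounding are assumed to mirror the kernel's xt_limit.c (XT_LIMIT_SCALE = 10000, CREDITS_PER_JIFFY = largest power of two not above 0xFFFFFFFF / (HZ * 86400)), and HZ = 250 is assumed; HZ = 1000 gives the same HZ * CREDITS_PER_JIFFY product, so the result is the same for both reported platforms.

```python
# Model of the xt_limit credit arithmetic (assumed, see lead-in).
# Credits are refilled per jiffy; each matching packet costs user2credits(avg).
XT_LIMIT_SCALE = 10000
MASK32 = 0xFFFFFFFF


def credits_per_jiffy(hz):
    # Largest power of two <= 0xFFFFFFFF / (HZ * seconds per day).
    max_cpj = MASK32 // (hz * 60 * 60 * 24)
    return 1 << (max_cpj.bit_length() - 1)


def parse_rate(rate, period_seconds):
    # iptables user space: avg = XT_LIMIT_SCALE * period / rate
    # (e.g. "18/day" -> 10000 * 86400 / 18).
    return XT_LIMIT_SCALE * period_seconds // rate


def user2credits(user, hz, width):
    # 'width' is the bit width of the credit counters; 32 wraps like a u32.
    mask = (1 << width) - 1
    cpj = credits_per_jiffy(hz)
    if user > MASK32 // (hz * cpj):
        # Divide first to avoid overflow (truncates user / XT_LIMIT_SCALE).
        return ((user // XT_LIMIT_SCALE) * hz * cpj) & mask
    return ((user * hz * cpj) // XT_LIMIT_SCALE) & mask


def initial_burst(rate, period_seconds, burst, hz=250, width=32):
    """Packets a freshly loaded rule accepts before any refill is counted."""
    mask = (1 << width) - 1
    avg = parse_rate(rate, period_seconds)
    cost = user2credits(avg, hz, width)
    # The bucket starts full: user2credits(avg * burst), with avg * burst
    # itself computed in the counter width.
    credit = user2credits((avg * burst) & mask, hz, width)
    if burst == 0 or credit < cost:
        raise ValueError("rule load would fail: overflow, try lower")
    return credit // cost


if __name__ == "__main__":
    # --limit 18/day --limit-burst 500: 24 with 32-bit credits, 500 without wrap.
    print(initial_burst(18, 86400, 500), initial_burst(18, 86400, 500, width=64))
    # --limit 10/hour --limit-burst 50 and --limit 500/day --limit-burst 500.
    print(initial_burst(10, 3600, 50), initial_burst(500, 86400, 500))
```

For the report's 18/day case the model gives exactly 24 accepted packets, and widening the counters to 64 bits gives the expected 500; for the 500/day case it gives 502 (the report counts about 500), the small gap coming from the integer truncation in user2credits().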