bugzilla-daemon at netfilter.org
2018-Jul-26 01:01 UTC
[Bug 1273] New: hashlimit never appears to fail to match under 4.9.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1273
Bug ID: 1273
Summary: hashlimit never appears to fail to match under 4.9.x
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: major
Priority: P5
Component: ip_tables (kernel)
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: bugzilla-nf20180726 at ta.grue.cc
I have the same rules under both 4.9.111 and 4.8.3. The 4.8.3 kernel works as
expected but not under 4.9.111. The rules are as follows:
4.8.3:
[825033:522252112] -A m.voip.asterisk.reg -m hashlimit --hashlimit-upto 100/min
--hashlimit-burst 70 --hashlimit-mode srcip,dstport --hashlimit-name
m.voip.sip_r_li -j ACCEPT
[366031:149053285] -A m.voip.asterisk.reg -m limit --limit 5/sec -j LOG
--log-prefix "FW: SIP.REG LIMIT IN: " --log-level 6
[49357657:18457587442] -A m.voip.asterisk.reg -j DROP
4.9.111:
[44798:20928681] -A m.voip.asterisk.reg -m hashlimit --hashlimit-upto 100/min
--hashlimit-burst 70 --hashlimit-mode srcip,dstport --hashlimit-name
m.voip.sip_r_limit -j ACCEPT
[0:0] -A m.voip.asterisk.reg -m limit --limit 5/sec -j LOG --log-prefix
"FW:
SIP.REG LIMIT IN: " --log-level 6
[0:0] -A m.voip.asterisk.reg -j DROP
Sample of the content of /proc/net/ipt_hashlimit/m.voip.sip_r_li* is as
follows:
4.8.3:
...
60 37.49.231.72:0->0.0.0.0:5060 3328 1344000 19200
59 37.49.231.70:0->0.0.0.0:5060 2048 1344000 19200
60 37.49.231.86:0->0.0.0.0:5060 17920 1344000 19200
...
4.9.111:
...
59 37.49.231.117:0->0.0.0.0:5060 5772436045824000 5772436045824000 0
44 37.49.231.72:0->0.0.0.0:5060 5772436045824000 5772436045824000 0
56 37.49.231.103:0->0.0.0.0:5060 5772436045824000 5772436045824000 0
53 37.49.231.70:0->0.0.0.0:5060 5772436045824000 5772436045824000 0
...
End result is that under 4.8.3 attacks on the sip service don't get far
whereas
under 4.9.111 they can go full throttle, completely unhindered.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180726/5647f051/attachment.html>
bugzilla-daemon at netfilter.org
2018-Jul-26 01:04 UTC
[Bug 1273] hashlimit never appears to fail to match under 4.9.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1273
bugzilla-nf20180726 at ta.grue.cc changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bugzilla-nf20180726 at ta.grue
| |.cc
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180726/d17eecf1/attachment.html>
Apparently Analagous Threads
- [Bug 1740] New: hashlimit limit: reduction to lowest terms in the output is confusing
- [Bug 1320] New: iptables hashlimit - problem with traffic limitation
- [Bug 650] --hashlimit-burst does not update when using --hashlimit-name for a second time
- [Bug 568] New: iptables-save saves option hashlimit-htable-gcinterval with error
- [Bug 1235] New: Error Message "Memory allocation problem" using hashlimit match