bugzilla-daemon at netfilter.org
2018-Jul-26 01:01 UTC
[Bug 1273] New: hashlimit never appears to fail to match under 4.9.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1273

            Bug ID: 1273
           Summary: hashlimit never appears to fail to match under 4.9.x
           Product: netfilter/iptables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: ip_tables (kernel)
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: bugzilla-nf20180726 at ta.grue.cc

I have the same rules under both 4.9.111 and 4.8.3. The 4.8.3 kernel works as expected but not under 4.9.111. The rules are as follows:

4.8.3:

[825033:522252112] -A m.voip.asterisk.reg -m hashlimit --hashlimit-upto 100/min --hashlimit-burst 70 --hashlimit-mode srcip,dstport --hashlimit-name m.voip.sip_r_li -j ACCEPT
[366031:149053285] -A m.voip.asterisk.reg -m limit --limit 5/sec -j LOG --log-prefix "FW: SIP.REG LIMIT IN: " --log-level 6
[49357657:18457587442] -A m.voip.asterisk.reg -j DROP

4.9.111:

[44798:20928681] -A m.voip.asterisk.reg -m hashlimit --hashlimit-upto 100/min --hashlimit-burst 70 --hashlimit-mode srcip,dstport --hashlimit-name m.voip.sip_r_limit -j ACCEPT
[0:0] -A m.voip.asterisk.reg -m limit --limit 5/sec -j LOG --log-prefix "FW: SIP.REG LIMIT IN: " --log-level 6
[0:0] -A m.voip.asterisk.reg -j DROP

Sample of the content of /proc/net/ipt_hashlimit/m.voip.sip_r_li* is as follows:

4.8.3:

...
60 37.49.231.72:0->0.0.0.0:5060 3328 1344000 19200
59 37.49.231.70:0->0.0.0.0:5060 2048 1344000 19200
60 37.49.231.86:0->0.0.0.0:5060 17920 1344000 19200
...

4.9.111:

...
59 37.49.231.117:0->0.0.0.0:5060 5772436045824000 5772436045824000 0
44 37.49.231.72:0->0.0.0.0:5060 5772436045824000 5772436045824000 0
56 37.49.231.103:0->0.0.0.0:5060 5772436045824000 5772436045824000 0
53 37.49.231.70:0->0.0.0.0:5060 5772436045824000 5772436045824000 0
...

The end result is that under 4.8.3 attacks on the SIP service don't get far, whereas under 4.9.111 they can go full throttle, completely unhindered.

-- 
You are receiving this mail because:
You are watching all bug changes.
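As an added check (not part of the bug report or of the netfilter project), the script below parses /proc/net/ipt_hashlimit entries in the column layout quoted above (expires, src:sport->dst:dport, credit, credit_cap, cost) and flags buckets that can no longer deny any packet. It assumes hashlimit's token-bucket arithmetic, where each matching packet costs `cost` credits and credit_cap is burst times cost, which the 4.8.3 numbers bear out (1344000 / 19200 = 70, the rule's --hashlimit-burst); the sample lines are the ones quoted in the report.

```python
"""Audit /proc/net/ipt_hashlimit/<name> for buckets that never run dry.

Each line: <expires_s> <src>:<sport>-><dst>:<dport> <credit> <credit_cap> <cost>
A bucket with cost 0 never consumes credit, so the match accepts every packet.
"""
import re
import sys
from typing import Iterable, List, Optional

ENTRY_RE = re.compile(
    r"^\s*(-?\d+)\s+(\S+?):(\d+)->(\S+?):(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_entry(line: str) -> Optional[dict]:
    """Parse one table line; return None for non-entry lines such as '...'."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    exp, src, sport, dst, dport, credit, cap, cost = m.groups()
    return {"expires": int(exp), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "credit": int(credit), "credit_cap": int(cap),
            "cost": int(cost)}


def audit(lines: Iterable[str], expected_burst: int) -> List[str]:
    """One finding per bucket whose state cannot enforce the configured rate.
    credit_cap // cost is the burst the kernel is actually enforcing."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        key = f"{e['src']}->{e['dst']}:{e['dport']}"
        if e["cost"] == 0:
            findings.append(f"{key}: cost is 0, credit never consumed (no limit)")
        elif e["credit"] > e["credit_cap"]:
            findings.append(f"{key}: credit {e['credit']} exceeds cap {e['credit_cap']}")
        elif e["credit_cap"] // e["cost"] != expected_burst:
            findings.append(f"{key}: implied burst {e['credit_cap'] // e['cost']} != {expected_burst}")
    return findings


# Entries quoted in the report; the rule uses --hashlimit-burst 70.
GOOD_4_8 = ["60 37.49.231.72:0->0.0.0.0:5060 3328 1344000 19200",
            "59 37.49.231.70:0->0.0.0.0:5060 2048 1344000 19200"]
BAD_4_9 = ["59 37.49.231.117:0->0.0.0.0:5060 5772436045824000 5772436045824000 0",
           "44 37.49.231.72:0->0.0.0.0:5060 5772436045824000 5772436045824000 0"]

if __name__ == "__main__":
    # Usage: python3 audit_hashlimit.py [/proc/net/ipt_hashlimit/<name>] [burst]
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else BAD_4_9
    burst = int(sys.argv[2]) if len(sys.argv) > 2 else 70
    for finding in audit(lines, burst):
        print(finding)
```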
bugzilla-daemon at netfilter.org
2018-Jul-26 01:04 UTC
[Bug 1273] hashlimit never appears to fail to match under 4.9.x
https://bugzilla.netfilter.org/show_bug.cgi?id=1273

bugzilla-nf20180726 at ta.grue.cc changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla-nf20180726 at ta.grue.cc