Henry Yang
2003-Aug-21 18:35 UTC
[Shorewall-users] LOGRATE and LOGBURST does not work if -m is after -j
I'm using Shorewall 1.4.6b with iptables 1.2.8 on Gentoo Linux.

For some reason my iptables has a weird bug that prevents --limit and --limit-rate from working properly if it is placed after -j, for example:

iptables -N test
iptables -A test -j ULOG --match limit --limit 20/minute --limit-burst 5 --ulog-prefix 'Shorewall:INPUT:DROP:'   #RULE1
iptables -A test -m limit --limit 20/minute --limit-rate 4 -j ULOG --ulog-prefix 'Shorewall:INPUT:DROP:'   #RULE2
iptables -L test

Chain test (0 references)
target     prot opt source               destination
ULOG       all  --  anywhere             anywhere            limit: avg 3/hour burst 5 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:DROP:' queue_threshold 1
ULOG       all  --  anywhere             anywhere            limit: avg 20/min burst 5 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:DROP:' queue_threshold 1

RULE1 and RULE2 are supposed to be the same, however RULE1 uses the default values for the limit because -m is placed after -j. Shorewall uses the same command line format as RULE1, and thus does not work on my machine.

Does anybody have the same problem? And is it possible to have Shorewall change the formatting of the commands for the next version?

Henry
Tom Eastep
2003-Aug-21 18:40 UTC
[Shorewall-users] LOGRATE and LOGBURST does not work if -m is after -j
On Thu, 21 Aug 2003 18:34:11 -0700, Henry Yang <shorewall@mesotech.ca> wrote:

> I'm using Shorewall 1.4.6b with iptables 1.2.8 on Gentoo Linux
>
> For some reason my iptables has a weird bug that prevents --limit
> and --limit-rate from working properly if it is placed after -j
>

Please explain why this is a Shorewall problem.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Aug-21 19:04 UTC
[Shorewall-users] LOGRATE and LOGBURST does not work if -m is after -j
On Thu, 21 Aug 2003 18:40:27 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> On Thu, 21 Aug 2003 18:34:11 -0700, Henry Yang <shorewall@mesotech.ca>
> wrote:
>
>> I'm using Shorewall 1.4.6b with iptables 1.2.8 on Gentoo Linux
>>
>> For some reason my iptables has a weird bug that prevents --limit
>> and --limit-rate from working properly if it is placed after -j
>>
>
> Please explain why this is a Shorewall problem.
>

What I mean is, if your iptables accepts a command and does the wrong thing, it IS NOT A SHOREWALL PROBLEM. You should be posting this to the netfilter list; if it turns out that the iptables command that Shorewall is creating is not valid then the Netfilter team should fix the bug in iptables/Netfilter and THEN I will change Shorewall.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Henry Yang
2003-Aug-21 19:09 UTC
[Shorewall-users] LOGRATE and LOGBURST does not work if -m is after -j
>> I'm using Shorewall 1.4.6b with iptables 1.2.8 on Gentoo Linux
>>
>> For some reason my iptables has a weird bug that prevents --limit
>> and --limit-rate from working properly if it is placed after -j
>>
>
> Please explain why this is a Shorewall problem.
>
> -Tom

Scratch the part where I said it's a bug in iptables then. I just ran "shorewall debug restart" and found the line:

==== shorewall debug output
++ iptables -A newnotsyn -j ULOG --match limit --limit 20/minute --limit-burst 5 --ulog-prefix Shorewall:newnotsyn:DROP:
===

When iptables first encounters "-j", it will consume all of the additional options, valid or not, and in this case "--limit 20/minute --limit-burst 5 --ulog-prefix Shorewall:newnotsyn:DROP" is consumed by "-j ULOG".

Same if you put all the additional options in the -m part:

==== homemade example code
iptables -A test --match limit --limit 20/minute --limit-burst 5 --ulog-prefix 'Shorewall:INPUT:DROP:' -j ULOG
===

iptables will spit out an error message because "limit" does not have an option "--ulog-prefix".

I don't know if this particular behavior of iptables is a bug or not, but it certainly breaks Shorewall. To work around the problem, a more precise ordering of the options is needed. The line

===
++ iptables -A newnotsyn -j ULOG --match limit --limit 20/minute --limit-burst 5 --ulog-prefix Shorewall:newnotsyn:DROP:
===

should be changed to

===
++ iptables -A newnotsyn --match limit --limit 20/minute --limit-burst 5 -j ULOG --ulog-prefix Shorewall:newnotsyn:DROP:
===

Hope this explains the problem clearly. Sorry for lack of details in the first message.

Henry
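An added example, not code from this thread or from Shorewall: a small POSIX sh audit that scans command lines of the kind printed by "shorewall debug restart" and flags any rule where "-m"/"--match" appears after "-j", which is exactly the ordering that lets the target swallow the limit options so the rule silently falls back to the default rate and burst. The debug lines in SAMPLE_DEBUG are constructed sample input (the first mirrors the broken rule above, the second the corrected one), not captured output.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): audit iptables command
# lines for match options placed after "-j TARGET", where they are consumed by
# the target's option parser instead of being applied to the match.

# Constructed sample of "shorewall debug restart" style output.
SAMPLE_DEBUG='++ iptables -A newnotsyn -j ULOG --match limit --limit 20/minute --limit-burst 5 --ulog-prefix Shorewall:newnotsyn:DROP:
++ iptables -A newnotsyn --match limit --limit 20/minute --limit-burst 5 -j ULOG --ulog-prefix Shorewall:newnotsyn:DROP:
++ iptables -A newnotsyn -j DROP'

# rule_order_ok "<iptables command line>"
# Exit 0 when no -m/--match token follows -j on the line, exit 1 otherwise.
rule_order_ok() {
    printf '%s\n' "$1" | awk '
        { seen_j = 0
          for (i = 1; i <= NF; i++) {
              if ($i == "-j") seen_j = 1
              else if (($i == "-m" || $i == "--match") && seen_j) exit 1
          }
          exit 0 }'
}

# misordered_rules "<multi-line debug output>"
# Prints every iptables line whose match options would be swallowed by the target.
misordered_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *iptables*) rule_order_ok "$line" || printf '%s\n' "$line" ;;
        esac
    done
}

# count_misordered "<multi-line debug output>"
# Prints the number of flagged lines (0 means the debug output is clean).
count_misordered() {
    misordered_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report the flagged rules and their count for the sample.
misordered_rules "$SAMPLE_DEBUG"
count_misordered "$SAMPLE_DEBUG"
```

Feeding the real output of "shorewall debug restart" to count_misordered gives a quick check of whether a Shorewall build still emits the broken ordering.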
Tom Eastep
2003-Aug-21 19:31 UTC
[Shorewall-users] LOGRATE and LOGBURST does not work if -m is after -j
On Thu, 21 Aug 2003 19:06:15 -0700, Henry Yang <shorewall@mesotech.ca> wrote:

> The line
> ===
> ++ iptables -A newnotsyn -j ULOG --match limit --limit 20/minute --limit-burst 5 --ulog-prefix Shorewall:newnotsyn:DROP:
> ===
>
> should be changed to
> ===
> ++ iptables -A newnotsyn --match limit --limit 20/minute --limit-burst 5 -j ULOG --ulog-prefix Shorewall:newnotsyn:DROP:
> ===
>
> Hope this explains the problem clearly. Sorry for lack of details in the
> first message.
>

Yes -- If you would like to see this corrected, please create a patch (using diff -au) against the current CVS Shorewall version (Project Shorewall), test it then send it to me. I'll be happy to apply it. If that's too much work for you then report this problem to the Netfilter list (and don't mention Shorewall -- the fact that iptables discards parameters has nothing to do with Shorewall). When I see your report on the Netfilter list, I will create a change to Shorewall to work around this iptables bug.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net