Tavis Paquette
2003-Nov-28 15:58 UTC
[Shorewall-users] Possible issue with --match limit on sparc64(sun4u)
I'm currently not subscribed to this mailing list, so please CC any
response to me directly.
For some reason this line is failing when I start Shorewall, apparently
due to "--match limit":
--
iptables -A newnotsyn --match limit --limit 15/minute --limit-burst 10
-j LOG --log-level warning --log-prefix Shorewall:newnotsyn:DROP:
iptables: Invalid argument
--
The system is a sun4u (UltraSPARC IIi, sparc64).
Running the exact same configuration on an x86 box, with the same version of
Shorewall, iptables and kernel and the same kernel networking config,
works without issue.
Has anyone experienced something similar to this before?
The iptables version is 1.2.9.
The kernel is stock 2.4.22 w/grsecurity-1.9.12.
Relevant kernel configuration (Netfilter has been statically compiled
into the kernel):
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_NETLINK_DEV=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
# CONFIG_NET_IPGRE_BROADCAST is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y   # it's been compiled in..
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STEALTH=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_UNCLEAN=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_SNMP_BASIC=y
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
root@vm1.van| shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Not available
Determining Zones...
Zones: eth0
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
eth0 Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
iptables: Invalid argument
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated
+ eval iptables -A newnotsyn --match limit --limit 15/minute
--limit-burst 10 -j LOG --log-level warning --log-prefix '"`printf
"$LOGFORMAT" $chain $disposition`"'
+++ printf Shorewall:%s:%s: newnotsyn DROP
++ iptables -A newnotsyn --match limit --limit 15/minute --limit-burst
10 -j LOG --log-level warning --log-prefix Shorewall:newnotsyn:DROP:
iptables: Invalid argument
root@vm1.van| shorewall version
1.4.8
root@vm1.van| ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 08:00:20:d9:d7:c0 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.65/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
link/ether 08:00:20:d9:d7:c0 brd ff:ff:ff:ff:ff:ff
root@vm1.van| ip route show
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.65
default via 192.168.0.254 dev eth0
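A scratch-chain probe that narrows down which part of the failing rule the kernel rejects, added here as an example; it is not part of the original post and not Shorewall's own code. "iptables: Invalid argument" is iptables reporting EINVAL from the kernel when it pushes the new ruleset in, so the useful question is whether the kernel refuses `-m limit` on its own, `-j LOG` on its own, or only the two together. The script assumes an iptables 1.2.x-era binary on the PATH and root; the chain name `limitprobe`, the `probe:` log prefix and the result labels are arbitrary choices of this example.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): add a few candidate rules to a
# throw-away chain and report which ones the kernel accepts.
# Assumes: root, iptables on PATH. CHAIN name is an arbitrary assumption.

CHAIN="${CHAIN:-limitprobe}"

# probe_rules: one candidate rule per line, from simplest to the full
# combination that failed on the sparc64 box. The -A $CHAIN prefix is
# included so each line can be handed to iptables as-is.
probe_rules() {
    cat <<EOF
-A $CHAIN -j DROP
-A $CHAIN -m limit --limit 15/minute --limit-burst 10 -j DROP
-A $CHAIN -j LOG --log-level warning --log-prefix probe:
-A $CHAIN -m limit --limit 15/minute --limit-burst 10 -j LOG --log-level warning --log-prefix probe:
EOF
}

# classify STATUS STDERR: map an iptables exit status and its stderr text to
# a short label. "Invalid argument" is EINVAL from the kernel's ruleset
# setsockopt, i.e. the extension was loaded but rejected the entry;
# "No chain/target/match" means the extension is not available at all.
classify() {
    status=$1
    err=$2
    if [ "$status" -eq 0 ]; then
        echo ok
    elif echo "$err" | grep -q 'Invalid argument'; then
        echo kernel-rejected
    elif echo "$err" | grep -qi 'No chain/target/match'; then
        echo missing-extension
    else
        echo error
    fi
}

# run_probes: create the scratch chain, try each rule on its own, flush
# after every attempt so rules never stack, then delete the chain.
run_probes() {
    command -v iptables >/dev/null 2>&1 || {
        echo "iptables not found on PATH" >&2
        return 2
    }
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    probe_rules | while IFS= read -r rule; do
        # capture stderr only; $rule is deliberately unquoted to split args
        err=$(iptables $rule 2>&1 >/dev/null)
        status=$?
        iptables -F "$CHAIN"
        printf '%-18s %s\n' "$(classify "$status" "$err")" "$rule"
    done
    iptables -X "$CHAIN"
}

# Usage (as root): sh limitprobe.sh
if [ "${0##*/}" = "limitprobe.sh" ]; then
    run_probes
fi
```

If only the `-m limit` lines come back `kernel-rejected`, the LOG target is a red herring and the limit match itself is what the sparc64 kernel refuses. One thing worth checking in that case, which the thread does not cover and is offered here only as a hypothesis: `file /sbin/iptables` versus the kernel's bitness. The 2.4 limit match's checkentry rejects a rule whose match data is not exactly the size the kernel built `struct ipt_rateinfo` to, and a 32-bit iptables talking to a 64-bit kernel is the classic way those sizes end up disagreeing.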
Tom Eastep
2003-Nov-28 16:39 UTC
[Shorewall-users] Possible issue with --match limit on sparc64(sun4u)
On Fri, 28 Nov 2003, Tavis Paquette wrote:

> I'm currently not subscribed to this mailing list, so please CC any
> response to me directly.
>
> For some reason this line is failing when I start Shorewall, apparently
> due to "--match limit":
>
> --
> iptables -A newnotsyn --match limit --limit 15/minute --limit-burst 10
> -j LOG --log-level warning --log-prefix Shorewall:newnotsyn:DROP:
> iptables: Invalid argument
> --
>
> The system is a sun4u (UltraSPARC IIi, sparc64).
> Running the exact same configuration on an x86 box, with the same version of
> Shorewall, iptables and kernel and the same kernel networking config,
> works without issue.
>
> Has anyone experienced something similar to this before?

Afraid not -- no Sparcs here. Given that this works on X86, I would post on
the Netfilter list.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net