[Firehol-support] Antw: Re: trouble with limit 1000/s 1000

Marcel Gsteiger Marcel.Gsteiger at milprog.ch
Wed Dec 19 09:06:00 CET 2007


Sorry for the delay, only now I found the time to check the issue further.

After using debug, I get

# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>>          server http accept with limit 100/s 100

in 1.226:
# INFO>>> Running simple rules for  server 'http'
/sbin/iptables -t filter -N ACCEPT_100_s_100_REJECT
/sbin/iptables -t filter -A ACCEPT_100_s_100_REJECT -m state \! --state NEW -j ACCEPT
/sbin/iptables -t filter -A ACCEPT_100_s_100_REJECT -m limit --limit 100/s --limit-burst 100 -j ACCEPT
/sbin/iptables -t filter -A ACCEPT_100_s_100_REJECT -m limit --limit 1/second --limit-burst 10 -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix=OVERFLOW:
/sbin/iptables -t filter -A ACCEPT_100_s_100_REJECT -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -t filter -A ACCEPT_100_s_100_REJECT -j REJECT
/sbin/iptables -t filter -A in_pub_v35_http_s2 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW\,ESTABLISHED -j ACCEPT_100_s_100_REJECT
/sbin/iptables -t filter -A out_pub_v35_http_s2 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

in 1.256:
# INFO>>> Running simple rules for  server 'http'
/sbin/iptables -t filter -N ACCEPT_LIMIT_100_s_100_REJECT   
/sbin/iptables -t filter -A ACCEPT_LIMIT_100_s_100_REJECT -m state \! --state NEW -j ACCEPT 
/sbin/iptables -t filter -A ACCEPT_LIMIT_100_s_100_REJECT -m limit --limit 100/s --limit-burst 100 -j ACCEPT 
/sbin/iptables -t filter -A ACCEPT_LIMIT_100_s_100_REJECT -m limit --limit 1/second --limit-burst 10 -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix=LIMIT_OVERFLOW:
/sbin/iptables -t filter -A ACCEPT_LIMIT_100_s_100_REJECT -p tcp -j REJECT --reject-with tcp-reset 
/sbin/iptables -t filter -A ACCEPT_LIMIT_100_s_100_REJECT -j REJECT 
/sbin/iptables -t filter -A in_pub_v35_http_s2 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW\,ESTABLISHED -j ACCEPT_LIMIT_100_s_100_REJECT 
/sbin/iptables -t filter -A out_pub_v35_http_s2 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT 

I found article http://lists.netfilter.org/pipermail/netfilter/2006-February/064742.html which states that if you create a chain name with 29 characters you can't use this chain name as a jump target. This is exactly what happens here. 1.256 creates _LIMIT additionally for these chain names which makes them exactly 29 characters long. Perhaps this does not happen with all versions of iptables, mine is 1.3.0-2 (kernel 2.6.17-1.2147_FC4-vs2.0.2.2smp x86_64).

I already had problems switching from 1.226 to 1.256 with statements containing " limit 1000/s 1000", but I could resolve this by writing 999/s 999 instead. Obviously this is the same issue: firehol 1.256 generates chain names that are too long compared with 1.226.

I suggest that chain names generated by firehol contain abreviations for ACCEPT, LIMIT and REJECT, e.g. ACC LIM REJ when generating chain names, this would definitely resolve these issues. Perhaps this could be done with a configuration variable/switch that preserves backward compatibility.

Regards
--Marcel

>>> Costa Tsaousis <costa at tsaousis.gr> 08.12.2007 11:26 >>>
Marcel Gsteiger wrote:
> Hi all
>
> After upgrading firehol 1.226 to 1.256, I have severe troubles when using the "with limit" directive.
>
> First, this directive generated names that were too long for iptables when the value exceeded 3 digits (e.g. "with limit 1000/s 1000").
>
> But other limit directives generate errors like:
>
> --------------------------------------------------------------------------------
> ERROR   : # 1.
> WHAT    : A runtime command failed to execute (returned error 1).
> SOURCE  : line INIT of /etc/firehol/firehol.conf
> COMMAND : /sbin/iptables -t filter -A in_pub_v35_http_s2 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW\,ESTABLISHED -j ACCEPT_LIMIT_100_s_100_REJECT
> OUTPUT  :
>
> iptables: No chain/target/match by that name
>
> My script contains a base script that "calls" several sub-scripts by using ".", e.g.
>
> . /etc/firehol/common/services
>
> Unfortunately, my script is rather long (it's a linux-vserver host having lots of virtual interfaces, 802.1q, NAT etc; firehol generates about 9000 IPTables entries). But 1.226 works without any problems, while 1.256 causes these errors. What may be wrong here?
>
> Here is the part of my firehol script that generates the error:
>
> interface vlan47+ pub_v35 src not "${UNROUTABLE_IPS}" dst "${v_web_priv}"
> # priv = after NAT
>         protection strong
>         server ssh accept src "${v_web_clients}"
>         server http accept with limit 100/s 100   # this limit directive causes the error
>         server ftp accept with limit 100/s 100 src "${v_web_ftpclients}"
>         server postgres accept src "${postgres_clients_193} ${pub_mgpriv}"
>         client smtp accept with limit 2/s 4 dst "${v_web_smtp_recipients}" 
>         client http accept dst "${pear_extension_repository}"
>         server icmp accept with limit 10/s 10
>         client icmp accept with limit 10/s 10
>
> Any help would much be appreciated.
>
> Regards
> --Marcel
>   

Marcel,

1. Could you please run both versions of firehol with 'debug' and check 
the diff of the two outputs?
Can you scramble all IP addresses and post the diff?
 
2. To focus to the problem, in the output of the later version (1.256 
with 'debug') can you confirm that the chains  'in_pub_v35_http_s2' and 
'ACCEPT_LIMIT_100_s_100_REJECT' have been created before the statement 
that fails?

Costa




More information about the Firehol-support mailing list