[Firehol-support] trouble with limit 1000/s 1000

[Marcel Gsteiger]

Hi all

After upgrading firehol 1.226 to 1.256, I have severe troubles when using the "with limit" directive.

First, this directive generated names that were too long for iptables when the value exceeded 3 digits (e.g. "with limit 1000/s 1000").

But other limit directives generate errors like:

--------------------------------------------------------------------------------
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_pub_v35_http_s2 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW\,ESTABLISHED -j ACCEPT_LIMIT_100_s_100_REJECT
OUTPUT  :

iptables: No chain/target/match by that name

My script contains a base script that "calls" several sub-scripts by using ".", e.g.

. /etc/firehol/common/services

Unfortunately, my script is rather long (it's a linux-vserver host having lots of virtual interfaces, 802.1q, NAT etc; firehol generates about 9000 IPTables entries). But 1.226 works without any problems, while 1.256 causes these errors. What may be wrong here?

Here is the part of my firehol script that generates the error:

interface vlan47+ pub_v35 src not "${UNROUTABLE_IPS}" dst "${v_web_priv}"
# priv = after NAT
        protection strong
        server ssh accept src "${v_web_clients}"
        server http accept with limit 100/s 100   # this limit directive causes the error
        server ftp accept with limit 100/s 100 src "${v_web_ftpclients}"
        server postgres accept src "${postgres_clients_193} ${pub_mgpriv}"
        client smtp accept with limit 2/s 4 dst "${v_web_smtp_recipients}" 
        client http accept dst "${pear_extension_repository}"
        server icmp accept with limit 10/s 10
        client icmp accept with limit 10/s 10

Any help would much be appreciated.

Regards
--Marcel