I figured out the issue after a lot of trial and error. I had to edit
the Makefile under the extensions directory for the iptables source. I
also had to go to the CVS and download the libipt_connlimit.c code and stick it
in the extensions directory. In the Makefile, edit the PF_EXT_SLIB: line
(about the 8th down), where you see a list of the other extensions (ah conntrack
dscp ecn esp helper etc...). Somewhere in there add connlimit.
At this point you should be able to compile iptables and use the connlimit
match if you have already patched the kernel and compiled it properly.
Hope this helps.
-----Original Message-----
From: Brett Mueller [mailto:Brett.Mueller@xxxxxxxxx]
Sent: Thu 10/2/2003 6:20 PM
To: Berry, Josh (jberry); Brett Mueller
Cc:
Subject: connlimit / iplimit patch
Hi Josh,

I wonder if you ever solved this situation:

On August 11, 2003, you wrote:
> I am trying to use the connlimit patch. I added the patch, compiled
> and installed the kernel, compiled and installed iptables v1.2.8,
> used: insmod ipt_connlimit to load the module.
>
> When I try to use it with a match:
> /usr/sbin/iptables -A FORWARD -p tcp --syn --dport 23 -m connlimit
> --connlimit-above 2 -j DROP
>
> I get the error:
> Iptables v1.2.8: Couldn't load match
> 'connlilmit':/usr/local/lib/iptables/libipt_connlimit.so: cannot open
> shared object library
>
> Then I noticed that there is nothing in the extensions directory for
> connlimit. Where do I get the shared library?

I have the same problem. I found that the
Patch-O-Matic puts in a kernel patch for connlimit, while iptables 1.2.8
still has the old extensions for iplimit. If I try using "-m iplimit
--iplimit-above" in a line similar to yours above, I get back "iptables:
No chain/target/match by that name". It almost looks to me like the
kernel wants one thing and iptables wants the other, but they won't
work together. I've done a lot of searching and found no
solutions. [argh!] Any new ideas?
Thanks...
--
Brett E. Mueller (WA7V) <><
System Administrator / Network Analyst
Umatilla County Emergency Management
http://www.csepp.net
4700 NW Pioneer Place
Pendleton, OR 97801
541-966-3707
FAX: 541-966-3760
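The two source-tree steps from the reply at the top of this thread (libipt_connlimit.c present in extensions/, connlimit added to the PF_EXT_SLIB list) can be checked and applied with a small script. This is an added example, not part of the original messages or of the iptables project; the function names are hypothetical, the PF_EXT_SLIB list is assumed to sit on a single line, and the demo tree at the bottom is constructed.

```shell
#!/bin/sh
# Added example: prepare an iptables source tree so that the connlimit
# userspace match (libipt_connlimit.so) gets built. Assumed layout, taken
# from the reply above: <src>/extensions/Makefile holds a one-line
# PF_EXT_SLIB list and libipt_connlimit.c sits in the same directory.

# Succeeds if connlimit is already one of the words in the PF_EXT_SLIB list.
connlimit_listed() {
    grep -E '^PF_EXT_SLIB[[:space:]]*:?=' "$1" | sed 's/^[^=]*=//' |
        tr -s ' \t' '\n' | grep -qx 'connlimit'
}

# Returns 0 when the tree is ready, 1 if libipt_connlimit.c is missing,
# 2 if the Makefile has no PF_EXT_SLIB line to extend.
ensure_connlimit() {
    ext="$1/extensions"
    mk="$ext/Makefile"
    if [ ! -f "$ext/libipt_connlimit.c" ]; then
        echo "missing $ext/libipt_connlimit.c" >&2
        return 1
    fi
    if ! grep -Eq '^PF_EXT_SLIB[[:space:]]*:?=' "$mk"; then
        echo "no PF_EXT_SLIB line in $mk" >&2
        return 2
    fi
    if ! connlimit_listed "$mk"; then
        cp "$mk" "$mk.orig"    # keep the unmodified Makefile
        # Append connlimit to the end of the extension list.
        sed -E '/^PF_EXT_SLIB[[:space:]]*:?=/ s/[[:space:]]*$/ connlimit/' \
            "$mk.orig" > "$mk"
    fi
    connlimit_listed "$mk"     # idempotent: a second run changes nothing
}

# Demo on a constructed tree (a stand-in, not the real iptables Makefile).
demo_src=$(mktemp -d)
mkdir "$demo_src/extensions"
echo 'PF_EXT_SLIB:=ah conntrack dscp ecn esp helper' > "$demo_src/extensions/Makefile"
: > "$demo_src/extensions/libipt_connlimit.c"
ensure_connlimit "$demo_src" && grep '^PF_EXT_SLIB' "$demo_src/extensions/Makefile"
rm -rf "$demo_src"
```

After rebuilding and installing iptables, the shared object named in the error message (libipt_connlimit.so in the iptables library directory) should exist before the rule is retried.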