Hey,

The algorithm used in iptables for the limit feature is incorrect, and so for example the value for the $time is only estimated and also cannot go above 1000 packets per second unless you use a limit of 10000 and a burst of 500, which estimates to give you around 10,000 pps. I've tried fixing it but I've had no luck; better luck to you.

--
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer

On Wed, Dec 17, 2008 at 1:44 AM, Mart Frauenlob <mart.frauenlob@xxxxxxxxx> wrote:
> Hello netfilter user mailing list!
>
> I think I discovered a small problem with the limit match of iptables:
>
> eris:~# iptables -A INPUT -i eth2 -s 123.123.123.123 -m limit --limit 1/day -j LOG
> iptables: Invalid argument
> eris:~#
>
> eris:~# iptables -A INPUT -i eth2 -s 123.123.123.123 -m limit --limit 2/day -j LOG
> eris:~# echo $?
> 0
> eris:~#
>
> eris:~# iptables -A INPUT -i eth2 -s 123.123.123.123 -m limit --limit 3/day -j LOG
> iptables: Invalid argument
> eris:~#
>
> eris:~# iptables -A INPUT -i eth2 -s 123.123.123.123 -m limit --limit 4/day -j LOG
> eris:~# echo $?
> 0
> eris:~#
>
> The "Invalid argument" error happens with a 1/d(ay) or 3/d(ay) limit rate value.
> Not that I really want to log 1 or 3 packets a day, but... looks like a bug to me.
>
> eris:~# iptables -V
> iptables v1.3.6
>
> debian etch:
> eris:~# uname -a
> Linux eris 2.6.18-6-686 #1 SMP Mon Oct 13 16:13:09 UTC 2008 i686 GNU/Linux
>
>
> Also the man page says:
> A rule using this extension will match until this limit is reached (unless the `!' flag is used).
>
> well...:
>
> eris:~# iptables -A INPUT -i eth2 -s 123.123.123.123 -m limit ! --limit 3/s -j LOG
> iptables v1.3.6: limit does not support invert
> Try `iptables -h' or 'iptables --help' for more information.
> eris:~#
>
> eris:~# iptables -A INPUT -i eth2 -s 123.123.123.123 -m limit --limit ! 3/s -j LOG
> iptables v1.3.6: limit does not support invert
> Try `iptables -h' or 'iptables --help' for more information.
> eris:~#
>
> Either the man page or the program is wrong. Or does the man page refer to negating any other value in the rule? I could not think of anything reverting the limit match.
>
> Please correct me if I'm wrong!
> If this should be bug reported, what would I need to do?
> Maybe this is fixed in newer releases of iptables. I don't know.
>
> Good day
>
> Mart
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
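The 1/day and 3/day refusals in the quoted session, and the point above that the configured rate is only approximated, can be reproduced with the added model below. It is not code from this thread or from the netfilter project; it assumes the credit arithmetic of the 2.6-era xt_limit.c (the XT_LIMIT_SCALE, CREDITS_PER_JIFFY and user2credits formulas) and HZ=250, the Debian etch i686 default, all of which are assumptions rather than facts stated in the mail.

```c
/* Added model of the limit match's rate arithmetic and kernel-side sanity check.
 * ASSUMED, not taken from the thread: the 2.6-era xt_limit.c formulas below,
 * XT_LIMIT_SCALE = 10000 and HZ = 250 (Debian etch i686 default). */
#include <stdint.h>
#include <stdbool.h>

#define XT_LIMIT_SCALE 10000u   /* userspace passes avg = 10000 * secs / n */
#define HZ             250u
#define MAX_CPJ        (0xFFFFFFFFu / (HZ * 60u * 60u * 24u))   /* 198 at HZ=250 */

static uint32_t credits_per_jiffy(void)   /* largest power of two <= MAX_CPJ: 128 */
{
    uint32_t p = 1;
    while (p * 2 <= MAX_CPJ) p *= 2;
    return p;
}

/* Userspace "avg" -> kernel credits. Pure u32 arithmetic that wraps silently,
 * which is exactly why some rates fail the check further down. */
static uint32_t user2credits(uint32_t user)
{
    uint32_t cpj = credits_per_jiffy();
    if (user > 0xFFFFFFFFu / (HZ * cpj))          /* multiplying would overflow... */
        return (user / XT_LIMIT_SCALE) * HZ * cpj; /* ...divide first (can still wrap) */
    return (user * HZ * cpj) / XT_LIMIT_SCALE;
}

static uint32_t rate_to_avg(uint32_t n, uint32_t secs)   /* "--limit n/secs" */
{
    return XT_LIMIT_SCALE * secs / n;
}

/* checkentry-style test: a rule is refused (EINVAL) when burst is 0 or when
 * avg*burst, after conversion, no longer reaches the cost of a single packet. */
bool limit_rule_accepted(uint32_t n, uint32_t secs, uint32_t burst)
{
    uint32_t avg = rate_to_avg(n, secs);
    uint32_t avg_burst = avg * burst;              /* u32 wrap, as in-kernel */
    if (burst == 0)
        return false;
    return user2credits(avg_burst) >= user2credits(avg);
}

/* Packets per second the bucket really sustains: credits refilled per second
 * divided by the integer-rounded per-packet cost (the "estimated" rate). */
double effective_pps(uint32_t n, uint32_t secs)
{
    uint32_t cost = user2credits(rate_to_avg(n, secs));
    return cost ? (double)(HZ * credits_per_jiffy()) / cost : 0.0;
}
```

With these assumptions the check refuses 1/day and 3/day but accepts 2/day and 4/day, and --limit 10000/s works out to roughly 10,666 pps.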