Hi,

I have a problem with iptables. My system (Fedora 13, kernel 2.6.38.8) and iptables (v1.4.11.1) can't match multiple extended modules (-m tcp, -m hashlimit).

The iptables rule is the following:

    iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 --tcp-flags SYN SYN \
        -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 500 --hashlimit-mode srcip \
        --hashlimit-name Syn_Svc1 -j DROP

The test packets are generated by the following command (it generates 50 HTTP SYN packets per second for 10 seconds):

    # hping -n 192.168.2.222 -i u20000 -p 80 -S -c 500

[Env]
hping (192.168.2.1) <--> iptables system (192.168.2.200) <--> web server (192.168.2.222)

I can see the following result:

    iptables -t mangle -nvL PREROUTING
    Chain PREROUTING (policy ACCEPT 1519 packets, 62760 bytes)
     pkts bytes target prot opt in out source destination
        0     0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 tcpflags: 0x02/0x02 limit: above 10/sec burst 500 mode srcip

Sometimes it detects some, but not exactly. But another system (Fedora 13, kernel 2.6.33.3-85) has detected them exactly. I don't know the difference between the two systems (diff of "sysctl -a" result and lsmod).

Why can't iptables match multiple modules? What's wrong? What should I do? Help me!! I'll give any data you want to see.

Thanks
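
Added example (not part of the original message, and not netfilter's code): a simplified token-bucket model of the rule above, fed with the packet stream the hping command produces, to show how many packets a rule with --hashlimit-above 10/sec and --hashlimit-burst 500 would be expected to match. The function name simulate and its credit arithmetic are assumptions of this example; the kernel's own accounting is tick-based and may differ near the threshold.

```python
# Added example: simplified token-bucket model of "-m hashlimit --hashlimit-above".
# Assumptions (not taken from the kernel source): one bucket per source IP,
# the bucket starts full, each packet inside the limit costs one packet's
# worth of credit, and credit refills with elapsed time up to the burst cap.

def simulate(rate_per_sec, burst, interval_us, count):
    """Return (matched, first_match_index) for a constant-rate packet stream.

    matched counts packets the "above" rule would match (and DROP);
    first_match_index is 0-based, or None if no packet is matched.
    """
    cost = 1_000_000 // rate_per_sec      # credit (in microseconds) per packet
    cap = cost * burst                    # full bucket = burst packets
    credit = cap
    matched, first = 0, None
    for i in range(count):
        if i:                             # refill for the time since last packet
            credit = min(cap, credit + interval_us)
        if credit >= cost:
            credit -= cost                # within limit: rule does not match
        else:
            matched += 1                  # above limit: rule matches
            if first is None:
                first = i
    return matched, first


if __name__ == "__main__":
    # Values from the post: 10/sec, burst 500, hping -i u20000 -c 500.
    print("post's test  :", simulate(10, 500, 20_000, 500))
    # Same stream sent for longer (constructed: 1000 packets).
    print("1000 packets :", simulate(10, 500, 20_000, 1000))
    # Same stream against a small burst (constructed: burst 5).
    print("burst 5      :", simulate(10, 5, 20_000, 500))
```

Under this model the 500-packet test never drains a 500-packet burst allowance, so the rule's counter stays at zero; a longer stream or a smaller --hashlimit-burst is needed before any packet counts as above the limit.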