Dear Netfilter Team,
I was testing the ipt_iplimit module (extension) when I encountered the following problem. I loaded the module with

    #iptables -A INPUT -p tcp --syn --dport 1234 -m iplimit --iplimit-above 2 -j REJECT

Suppose there are two established connections to port 1234 and there is a new (incoming) one. It sends a SYN. The module finds that there are too many connections (2 established + 1 new) and an ICMP_PORT_UNREACHABLE is sent back to the source. Now on a Mandrake 8.1/i386 box, #telnet some-host 1234 sends the SYN, the ICMP comes back, telnet sleeps about a second and it sends another SYN. The following code should find the connection:

    found = ip_conntrack_find_get(&conn->tuple,ct);

but it excludes the current connection (ct), which is handled as a new (incoming) connection, but it is not new, it is an old one sending a second SYN. The code doesn't count this connection and therefore it is not rejected. So any connection will be accepted which sends two consecutive SYN packets.

If the mentioned line is replaced with

    found = ip_conntrack_find_get(&conn->tuple,NULL);

the connection is found and it can be counted or not according to whether it is open or not (it is open if its state is ESTABLISHED, SYN_RECV or SYN_SENT, otherwise it is closed or it is going to be closed) (hope I'm not wrong). This is the main idea of the fix. There are a few minor changes in the module; see the attached file.

2. Does anyone know how I can set the matching netmask to zero? i.e.

    #iptables -A INPUT -p tcp --syn --dport 1234 -m iplimit --iplimit-above 2 --iplimit-mask 0 -j REJECT

If I try to set the matching netmask to 0, it treats it as if it were 32. Setting it to 24, I can limit the connections from the whole class C network. Is there a way to limit all the connections to the port?

Sincerely,
Laszlo Hermann
Attachment: ipt_iplimit.zip (Zip archive)
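The following is an added user-space model of the two points raised in the post above; it is constructed for illustration and is not code from the mailing-list message, the ipt_iplimit module or the netfilter tree. It shows (1) how counting "open" tracked connections per source comes out differently when the lookup skips the current conntrack entry (the `ct` argument of `ip_conntrack_find_get()` that the post proposes replacing with `NULL`) versus when it counts it, using the post's own rule that SYN_SENT, SYN_RECV and ESTABLISHED are open, and (2) a prefix-length-to-netmask conversion in which `--iplimit-mask 0` really means "all sources". The conntrack table, the `IP4` macro, `cidr2mask()`, `count_open()` and `over_limit()` are all assumptions of this example, and the remark that an unguarded 32-bit shift can make /0 behave like /32 is a general C pitfall offered as a possible explanation, not something verified against the module's source.

```c
/* Constructed example: user-space model of iplimit-style per-source
 * connection counting and --iplimit-mask handling. Not netfilter code. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* TCP conntrack states, reduced to the ones the post talks about. */
enum tcp_state { TS_SYN_SENT, TS_SYN_RECV, TS_ESTABLISHED, TS_FIN_WAIT, TS_CLOSE };

struct conn {
    uint32_t src;        /* source address, host byte order */
    uint16_t sport;
    uint16_t dport;
    enum tcp_state state;
};

/* Constructed conntrack table. Entry 2 stands for the client whose first SYN
 * was REJECTed and who now retransmits: its tuple is already being tracked. */
static const struct conn conntrack[] = {
    { IP4(10, 0, 0, 5),    40001, 1234, TS_ESTABLISHED },
    { IP4(10, 0, 0, 5),    40002, 1234, TS_ESTABLISHED },
    { IP4(10, 0, 0, 5),    40003, 1234, TS_SYN_SENT    },  /* retransmitting client */
    { IP4(10, 0, 0, 7),    50000, 1234, TS_ESTABLISHED },  /* same /24, other host */
    { IP4(192, 168, 1, 1), 50001, 1234, TS_ESTABLISHED },  /* other network */
    { IP4(10, 0, 0, 5),    40004, 1234, TS_CLOSE       },  /* closing: not counted */
    { IP4(10, 0, 0, 5),    40005,   80, TS_ESTABLISHED },  /* other port: not counted */
};
#define NCONN (sizeof conntrack / sizeof conntrack[0])

/* Prefix length -> netmask, with 0 and 32 handled explicitly. A bare
 * 0xffffffff << (32 - bits) shifts by 32 when bits == 0, which is undefined
 * in C and on x86 acts like a shift by 0, i.e. yields the /32 mask. That is
 * one possible (unverified) way to end up with "0 is treated as 32". */
uint32_t cidr2mask(unsigned bits)
{
    if (bits == 0)
        return 0;
    if (bits >= 32)
        return 0xffffffffu;
    return 0xffffffffu << (32 - bits);
}

/* The post's proposed rule: open while in SYN_SENT, SYN_RECV or ESTABLISHED;
 * anything later is closed or on its way to being closed. */
int conn_is_open(const struct conn *c)
{
    return c->state == TS_SYN_SENT || c->state == TS_SYN_RECV ||
           c->state == TS_ESTABLISHED;
}

/* Count open connections to dport from the network (src & mask). A non-NULL
 * `ignore` entry is skipped, mirroring the ignore argument of
 * ip_conntrack_find_get(&conn->tuple, ct): passing the current entry hides a
 * retransmitting client from its own count. */
int count_open(const struct conn *tab, size_t n, uint32_t src, uint16_t dport,
               uint32_t mask, const struct conn *ignore)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        const struct conn *c = &tab[i];
        if (c == ignore)
            continue;
        if (c->dport != dport || !conn_is_open(c))
            continue;
        if ((c->src & mask) == (src & mask))
            count++;
    }
    return count;
}

/* --iplimit-above N: the match fires (here: REJECT) when more than N are open. */
int over_limit(int count, int limit)
{
    return count > limit;
}

int main(void)
{
    const struct conn *self = &conntrack[2];   /* the retransmitted SYN */
    uint32_t host = cidr2mask(32);
    int skipping = count_open(conntrack, NCONN, self->src, 1234, host, self);
    int counting = count_open(conntrack, NCONN, self->src, 1234, host, NULL);

    printf("retransmitted SYN, ignoring own entry:  %d open -> %s\n",
           skipping, over_limit(skipping, 2) ? "REJECT" : "ACCEPT");
    printf("retransmitted SYN, counting own entry:  %d open -> %s\n",
           counting, over_limit(counting, 2) ? "REJECT" : "ACCEPT");

    for (unsigned bits = 32; ; bits -= 8) {
        printf("mask /%-2u -> %d open connections to port 1234 from 10.0.0.5's network\n",
               bits, count_open(conntrack, NCONN, self->src, 1234, cidr2mask(bits), NULL));
        if (bits == 0)
            break;
    }
    return 0;
}
```

With the table above, skipping the retransmitting client's own entry counts only the two established connections (2, not above the limit, so the third SYN gets through), while counting it gives 3 and rejects, which is the behaviour the post argues for. The mask loop shows /32 restricting the count to one host, /24 pulling in the neighbour at 10.0.0.7, and /0 counting every open connection to the port regardless of source.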