[Shorewall-users] LOGRATE and LOGBURST does not work if -m is after -j

Henry Yang shorewall at mesotech.ca
Thu Aug 21 20:06:15 PDT 2003


>> I'm using Shorewall 1.4.6b with iptables 1.2.8 on Gentoo Linux
>>
>> For some reason my iptables has a weird bug that prevents --limit
>> and --limit-rate from working properly if it is placed after -j
>>

>Please explain why this is a Shorewall problem.

>-Tom

Scratch the part where I said it's a bug in iptables, then. I just ran "shorewall debug
restart" and found the line:

====  shorewall debug output
++ iptables -A newnotsyn -j ULOG --match limit --limit 20/minute --limit-burst
5 --ulog-prefix Shorewall:newnotsyn:DROP:
====

When iptables first encounters "-j", it will consume all of the additional
options, valid or not, and in this case "--limit 20/minute --limit-burst
5 --ulog-prefix Shorewall:newnotsyn:DROP" is consumed by "-j ULOG".

Same if you put all the additional options in the -m part:
==== homemade example code
 iptables -A test --match limit --limit 20/minute --limit-burst
5 --ulog-prefix 'Shorewall:INPUT:DROP:' -j ULOG
====

iptables will spit out an error message because "limit" does not have an option
"--ulog-prefix".

I don't know if this particular behavior of iptables is a bug or not, but it
certainly breaks Shorewall. To work around the problem, a more precise
ordering of the options is needed.

The line
====
++ iptables -A newnotsyn -j ULOG --match limit --limit 20/minute --limit-burst
5 --ulog-prefix Shorewall:newnotsyn:DROP:
====

should be changed to
====
++ iptables -A newnotsyn --match limit --limit 20/minute --limit-burst 5 -j
ULOG --ulog-prefix Shorewall:newnotsyn:DROP:
====

Hope this explains the problem clearly. Sorry for lack of details in the first
message.

Henry
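The ordering rule the post arrives at (every --match and its options before -j, and every extension option after the -m/-j that loads it) can be checked and applied mechanically. The following is an added example written for this page; it is not Shorewall or iptables code and it does not model iptables' own parser. It assumes argument lists without the leading "iptables" word, and its option tables (which option belongs to the limit match and the ULOG target, and how many values each takes) are a hand-picked subset assumed from the iptables 1.2.x man page, just enough for the two rules quoted above. The two sample rules are transcribed from the post.

```python
"""Check an iptables argument list against the ordering rule from the post and
rewrite it into that order.  Added example, not Shorewall or iptables code.
Assumes argv without the 'iptables' program name; option tables are an assumed
subset of iptables 1.2.x."""

import shlex

# Core options and how many values each takes (assumed subset).
CORE_OPTIONS = {"-A": 1, "-I": 1, "-D": 1, "-p": 1, "-s": 1, "-d": 1,
                "-i": 1, "-o": 1}
MATCH_FLAGS = {"-m", "--match"}
TARGET_FLAGS = {"-j", "--jump"}

# Extension options keyed by the extension that provides them (assumed from the
# iptables 1.2.x man page; only what the two rules in the post need).
MATCH_OPTIONS = {"limit": {"--limit": 1, "--limit-burst": 1}}
TARGET_OPTIONS = {"ULOG": {"--ulog-prefix": 1, "--ulog-nlgroup": 1}}

# Sample rules transcribed from the post (constructed input for this example).
BROKEN = shlex.split("-A newnotsyn -j ULOG --match limit --limit 20/minute "
                     "--limit-burst 5 --ulog-prefix Shorewall:newnotsyn:DROP:")
HOMEMADE = shlex.split("-A test --match limit --limit 20/minute --limit-burst 5 "
                       "--ulog-prefix 'Shorewall:INPUT:DROP:' -j ULOG")
FIXED = shlex.split("-A newnotsyn --match limit --limit 20/minute --limit-burst 5 "
                    "-j ULOG --ulog-prefix Shorewall:newnotsyn:DROP:")


def owner_of(opt):
    """Return ('match'|'target', extension name, value count) for an extension
    option, or None if no known extension provides it."""
    for name, table in MATCH_OPTIONS.items():
        if opt in table:
            return "match", name, table[opt]
    for name, table in TARGET_OPTIONS.items():
        if opt in table:
            return "target", name, table[opt]
    return None


def tokens(argv):
    """Yield (kind, name_or_option, values, position); kind is one of
    'core', 'match', 'target', 'opt'.  Unknown options raise ValueError."""
    i = 0
    while i < len(argv):
        a = argv[i]
        if a in MATCH_FLAGS:
            yield "match", argv[i + 1], [], i
            i += 2
        elif a in TARGET_FLAGS:
            yield "target", argv[i + 1], [], i
            i += 2
        elif a in CORE_OPTIONS:
            n = CORE_OPTIONS[a]
            yield "core", a, argv[i + 1:i + 1 + n], i
            i += 1 + n
        else:
            owner = owner_of(a)
            if owner is None:
                raise ValueError(f"unknown option {a!r}")
            n = owner[2]
            yield "opt", a, argv[i + 1:i + 1 + n], i
            i += 1 + n


def ordering_problems(argv):
    """Report violations of the post's ordering rule: every --match before -j,
    and every extension option after the -m/-j that loads its extension."""
    problems, loaded, target_seen = [], set(), False
    for kind, name, _values, pos in tokens(argv):
        if kind == "match":
            loaded.add(name)
            if target_seen:
                problems.append(f"--match {name} at argv[{pos}] comes after -j")
        elif kind == "target":
            loaded.add(name)
            target_seen = True
        elif kind == "opt":
            ext_kind, ext, _n = owner_of(name)
            if ext not in loaded:
                flag = "-m" if ext_kind == "match" else "-j"
                problems.append(f"{name} at argv[{pos}] comes before {flag} {ext}")
    return problems


def reorder_rule(argv):
    """Rewrite argv as core options, then each --match with its own options,
    then -j with the target's options.  Options whose extension was never
    loaded get the missing --match/-j added in front of them."""
    core, match_order, match_opts, target, target_opts = [], [], {}, None, []
    for kind, name, values, _pos in tokens(argv):
        if kind == "core":
            core += [name] + values
        elif kind == "match":
            if name not in match_order:
                match_order.append(name)
                match_opts[name] = []
        elif kind == "target":
            target = name
        else:
            ext_kind, ext, _n = owner_of(name)
            if ext_kind == "match":
                if ext not in match_order:
                    match_order.append(ext)
                    match_opts[ext] = []
                match_opts[ext] += [name] + values
            else:
                target = target or ext
                target_opts += [name] + values
    out = list(core)
    for name in match_order:
        out += ["--match", name] + match_opts[name]
    if target is not None:
        out += ["-j", target] + target_opts
    return out


def render(argv):
    """Shell-quoted command line for the argument list."""
    return "iptables " + shlex.join(argv)


if __name__ == "__main__":
    for rule in (BROKEN, HOMEMADE):
        print("problems: ", ordering_problems(rule))
        print("rewritten:", render(reorder_rule(rule)))
```

Running it reports one problem for each of the two rules from the post (the Shorewall-generated line has its --match after -j; the homemade line has --ulog-prefix before -j ULOG) and rewrites both into the order given in the post's corrected line. The tables only know limit and ULOG, so any other option raises ValueError rather than being silently passed through; extend them before pointing this at real rule sets.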
