[Shorewall-users] LOGRATE and LOGBURST does not work if -m is after -j

Henry Yang shorewall at mesotech.ca
Thu Aug 21 20:06:15 PDT 2003

>> I'm using Shorewall 1.4.6b with iptables 1.2.8 on Gentoo Linux
>> For some reason my iptables has a weird bug that prevents --limit
>> and --limit-rate from working properly if it is placed after -j

>Please explain why this is a Shorewall problem.


Scratch the part where I said it's an iptables bug, then. I just ran "shorewall debug
restart" and found the line:

==== shorewall debug output
++ iptables -A newnotsyn -j ULOG --match limit --limit 20/minute --limit-burst 5 --ulog-prefix Shorewall:newnotsyn:DROP:

When iptables first encounters "-j", it will consume all of the additional
options, valid or not, and in this case "--limit 20/minute --limit-burst
5 --ulog-prefix Shorewall:newnotsyn:DROP" is consumed by "-j ULOG".

Same if you put all the additional options in the -m part:
==== homemade example code
iptables -A test --match limit --limit 20/minute --limit-burst 5 --ulog-prefix 'Shorewall:INPUT:DROP:' -j ULOG

iptables will spit out an error message because "limit" does not have such an option.

I don't know if this particular behavior of iptables is a bug or not, but it
certainly breaks Shorewall. To work around the problem, a more precise
ordering of the options is needed.

The line
++ iptables -A newnotsyn -j ULOG --match limit --limit 20/minute --limit-burst 5 --ulog-prefix Shorewall:newnotsyn:DROP:

should be changed to
++ iptables -A newnotsyn --match limit --limit 20/minute --limit-burst 5 -j ULOG --ulog-prefix Shorewall:newnotsyn:DROP:

Hope this explains the problem clearly. Sorry for the lack of details in the first
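The reordering the post asks for, as an added example (not Shorewall's own code and not part of the original message): a small shell function that takes an iptables rule as arguments and moves everything that is not a target option in front of "-j TARGET", so the ULOG/LOG options are the only ones left after the jump. It assumes that target options are recognisable by prefix (--ulog-* for ULOG, --log-* for LOG), that an option takes one value unless the next token starts with "-" (flag-only options such as --log-tcp-options), and that rule tokens contain no whitespace; all three are assumptions for the example, not facts from the post.

```shell
#!/bin/sh
# Added example (not Shorewall's code): reorder an iptables rule so that
# match options come before "-j TARGET" and only target options follow it,
# which is the ordering the post shows working.
#
# Assumptions (not from the original post):
#   - target-specific options are recognised by prefix: --ulog-* for ULOG,
#     --log-* for LOG; anything else after -j is treated as a match option;
#   - an option takes exactly one value unless the next token starts with
#     "-" (flag-only options such as LOG's --log-tcp-options);
#   - rule tokens contain no whitespace, as in Shorewall's generated rules.

# is_target_opt OPTION: succeed if OPTION belongs to the ULOG/LOG target.
is_target_opt() {
    case "$1" in
        --ulog-*|--log-*) return 0 ;;
        *) return 1 ;;
    esac
}

# reorder_rule TOKEN...: print the rule with match options moved before -j.
reorder_rule() {
    local head matches target tok val
    head='' matches='' target=''

    # Everything up to -j/--jump is already in the right place.
    while [ $# -gt 0 ] && [ "$1" != "-j" ] && [ "$1" != "--jump" ]; do
        head="$head $1"
        shift
    done

    # No "-j TARGET" at all: nothing to reorder.
    if [ $# -lt 2 ]; then
        printf '%s\n' "${head# }"
        return 0
    fi

    target="$1 $2"      # "-j TARGET"
    shift 2

    # Sort the remaining tokens into target options and misplaced match options.
    while [ $# -gt 0 ]; do
        tok=$1
        shift
        val=''
        if [ $# -gt 0 ] && [ "${1#-}" = "$1" ]; then
            val=" $1"   # next token is a value, not another option
            shift
        fi
        if is_target_opt "$tok"; then
            target="$target $tok$val"
        else
            matches="$matches $tok$val"
        fi
    done

    printf '%s\n' "${head# }$matches $target"
}

# The misordered rule from the debug output above, run through the reorderer.
reorder_rule iptables -A newnotsyn -j ULOG --match limit --limit 20/minute \
    --limit-burst 5 --ulog-prefix Shorewall:newnotsyn:DROP:
```

Running it on the debug-output line prints the rule with "--match limit --limit 20/minute --limit-burst 5" ahead of "-j ULOG --ulog-prefix Shorewall:newnotsyn:DROP:", i.e. the corrected form given in the message; a rule that already has its matches before -j, or that has no -j at all, is printed unchanged.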

