[Shorewall-users] RE - Possible issue with --match limit on sparc64(sun4u)

Tavis Paquette tavis at galaxytelecom.net
Fri Dec 5 10:06:51 PST 2003


Just in case anyone is curious, the temporary solution to my problem was this:

Remove the "$limit" variable on lines 993 and 1010 of /usr/share/firewall
(shorewall version 1.4.8).
This, of course, disables log rate limitation in those two instances and
should not be considered a viable solution.

The problem seems to be related to --match limit support on sun4u (sparc64).
I've not looked into this much, however, so this statement doesn't hold
much weight; --match limit seems to work as expected elsewhere in
shorewall, so I suspect that it may be related to the specific usage in the
previously mentioned situations.

-------------------------------------------------------------------------
I'm currently not subscribed to this mailing list, so please CC any
response to me directly.

For some reason this line is failing when I start shorewall, apparently
due to "--match limit":

--
iptables -A newnotsyn --match limit --limit 15/minute --limit-burst 10
-j LOG --log-level warning --log-prefix Shorewall:newnotsyn:DROP:
iptables: Invalid argument
--

System is a sun4u (UltraSPARC IIi, sparc64).
Running the exact same configuration on an x86 box, with the same versions of
shorewall, iptables and kernel, and the same kernel networking config,
works without issue.

Has anyone experienced something similar to this before?

iptables version is 1.2.9

Kernel is stock 2.4.22 with grsecurity-1.9.12.

Relevant kernel configuration (Netfilter has been statically compiled
into the kernel):
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_NETLINK_DEV=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
# CONFIG_NET_IPGRE_BROADCAST is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set

#
#   IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y #its been compiled in..
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STEALTH=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_UNCLEAN=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_SNMP_BASIC=y
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
root at vm1.van| shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Not available
Determining Zones...
   Zones: eth0
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   eth0 Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
iptables: Invalid argument
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated


+ eval iptables -A newnotsyn --match limit --limit 15/minute
--limit-burst 10 -j LOG --log-level warning --log-prefix '"`printf
"$LOGFORMAT" $chain $disposition`"'
+++ printf Shorewall:%s:%s: newnotsyn DROP
++ iptables -A newnotsyn --match limit --limit 15/minute --limit-burst
10 -j LOG --log-level warning --log-prefix Shorewall:newnotsyn:DROP:
iptables: Invalid argument
root at vm1.van| shorewall version
1.4.8

root at vm1.van| ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 08:00:20:d9:d7:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.65/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
    link/ether 08:00:20:d9:d7:c0 brd ff:ff:ff:ff:ff:ff

root at vm1.van| ip route show
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.65
default via 192.168.0.254 dev eth0
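As an added example (not Shorewall's own code), the shell probe below tests --match limit on a throwaway chain at firewall start and builds the same LOG rule that failed above, dropping the rate limit only when the operator explicitly allows it, instead of silently editing $limit out of the firewall script. It assumes iptables is on PATH (overridable through IPTABLES) and that the scratch chain name shorewall_probe (hypothetical) is free.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Checks up front whether this
# kernel/iptables pair accepts "--match limit" so a missing extension is
# reported clearly instead of the firewall aborting mid-start with a bare
# "iptables: Invalid argument". Assumes $IPTABLES points at the iptables
# binary and that the scratch chain name below (hypothetical) is free.

IPTABLES=${IPTABLES:-iptables}
PROBE_CHAIN=shorewall_probe

# Returns 0 if "--match limit" is usable, 1 otherwise. Works in a throwaway
# chain so live rules are never touched, and always cleans up after itself.
probe_limit_match() {
    "$IPTABLES" -N "$PROBE_CHAIN" 2>/dev/null || return 1
    rc=1
    if "$IPTABLES" -A "$PROBE_CHAIN" --match limit --limit 15/minute \
            --limit-burst 10 -j RETURN 2>/dev/null; then
        rc=0
    fi
    "$IPTABLES" -F "$PROBE_CHAIN" 2>/dev/null || true
    "$IPTABLES" -X "$PROBE_CHAIN" 2>/dev/null || true
    return $rc
}

# Prints the LOG rule for a chain/disposition pair (same shape as the rule
# that failed on the sun4u box). $3 is the exit status of probe_limit_match.
# If the limit match is missing, the rate limit is dropped only when the
# operator has set ALLOW_UNLIMITED_LOG=yes; otherwise return 2 so the
# caller can stop rather than silently log without any rate limiting.
log_rule_args() {
    chain=$1; disposition=$2; have_limit=$3
    limit="--match limit --limit 15/minute --limit-burst 10"
    if [ "$have_limit" -ne 0 ]; then
        [ "${ALLOW_UNLIMITED_LOG:-no}" = yes ] || return 2
        limit=""
    fi
    rule="-A $chain${limit:+ $limit} -j LOG --log-level warning"
    printf '%s\n' "$rule --log-prefix Shorewall:$chain:$disposition:"
}

# Usage at firewall start (run as root):
#   if probe_limit_match; then have=0; else have=1; fi
#   log_rule_args newnotsyn DROP "$have" || echo "limit match missing" >&2
```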