Re: [Fwbuilder-discussion] "No chain/target/match by that name" ... huh?
From: snowcrash+fwbuilder <sch...@gm...> - 2006-12-24 18:26:34
> > given my recent track-record, i'm betting this issue is "me" again :-/
> >
> > currently in the debug/verbose output @ load of my firewall, i see,
> > ...
>
> does your installation of iptables have module hashlimit ? Try
>
> iptables -m hashlimit --help

well, i've been learning-by-googling.

1st to answer *your* question,

  # iptables -m hashlimit -h
  hashlimit v1.3.6 options:
  --hashlimit <avg>                 max average match rate
                                    [Packets per second unless followed by
                                    /sec /minute /hour /day postfixes]
  --hashlimit-mode <mode>           mode is a comma-separated list of dstip,srcip,dstport,srcport
  --hashlimit-name <name>           name for /proc/net/ipt_hashlimit/
  [--hashlimit-burst <num>]         number to match in a burst, default 5
  [--hashlimit-htable-size <num>]   number of hashtable buckets
  [--hashlimit-htable-max <num>]    number of hashtable entries
  [--hashlimit-htable-gcinterval]   interval between garbage collection runs
  [--hashlimit-htable-expire]       after which time are idle entries expired?

so, yes, it seems to.

but, a similar issue with 'connlimit' has popped up ... let me share that here 1st.

again, i don't know whether this is a firewall, fwbuilder, or 'me' issue. i'm *suspecting* that the support is not properly "in" the linksys/sveasoft software. but i can't convincingly prove it to myself (yet). i presumed -- maybe badly -- that because fwb *has* the support, that it *is* in sveasoft/linksys. we'll see ...

checking @ my linksys router,

  # iptables -m connlimit -h | grep connlimit
  connlimit v1.3.6 options:
  [!] --connlimit-above n        match if the number of existing tcp connections is (not) above n
      --connlimit-mask n         group hosts using mask

looks like connlimit is 'there'.

but,

  # ls -R1 /lib/modules/`uname -r`/ | grep conn
  ip_conntrack_h323.o
  ip_conntrack_mms.o
  ip_conntrack_pptp.o
  ip_conntrack_proto_gre.o
  ip_conntrack_rtsp.o
  ip_conntrack_sip.o
  #

hmm ... no *connlimit* ?

also,

  # modprobe ipt_connlimit
  modprobe: module ipt_connlimit not found.
  modprobe: failed to load module ipt_connlimit

but, testing with,

  # iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 2 -j REJECT
  #

that seems to work @ the firewall; at least, it doesn't complain.

but, when loading the fwb-generated firewall in verbose/debug mode, i see,

  + echo Rule 37 (global)
  Rule 37 (global)
  + /usr/sbin/iptables -N RULE_37
  + /usr/sbin/iptables -A OUTPUT -m connlimit --connlimit-above 2 -j RULE_37
  iptables: Invalid argument
  + /usr/sbin/iptables -A INPUT -m connlimit --connlimit-above 2 -j RULE_37
  iptables: Invalid argument
  + /usr/sbin/iptables -A FORWARD -m connlimit --connlimit-above 2 -j RULE_37
  iptables: Invalid argument
  + /usr/sbin/iptables -A RULE_37 -m limit --limit 5/second -j LOG --log-level debug --log-prefix (CATCH:global(37):DENY)
  + /usr/sbin/iptables -A RULE_37 -j DROP
  + echo 1

that's conflicting info. i'm confused.

is "connlimit" supported, or not?

i can repeat all this for hashlimit as well ...

thanks.
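The post ends on the question "is connlimit supported, or not?", and the three checks it runs by hand (`-m name -h`, `ls /lib/modules`, and an actual rule insertion) answer three different questions: whether iptables can load the userspace extension, whether a module file exists on disk, and whether the running kernel accepts a rule using the match. The script below, an added example that is not code from this thread or from fwbuilder, runs those three checks for each match name given on the command line and classifies the error text iptables prints, using the two messages seen in the thread ("Invalid argument", "No chain/target/match by that name"). Because the manual rule that worked carried `-p tcp` while the three generated rules that failed did not, each match is probed both without and with `-p tcp` so that difference shows up in the report. It assumes iptables on PATH, root, and that the scratch chain name PROBE_TMP is free in the filter table; the minimal option sets in `match_args` are the 1.3.x option names from the help output quoted above.

```shell
#!/bin/sh
# probe_matches.sh - is an iptables match usable on this box, or only present
# in userspace?  Added example, not from the thread or from fwbuilder.
#
# Assumptions (not from the original post): iptables is on PATH, we run as
# root, and the chain name PROBE_TMP is free in the filter table.
#
# Usage: sh probe_matches.sh connlimit hashlimit

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-PROBE_TMP}"

# Map the text iptables prints on a failed append to where support is missing.
# The first two messages are the ones seen in the thread.  "Couldn't load
# match" is what iptables 1.3.x prints when it cannot dlopen the userspace
# extension (libipt_<name>.so); in that case the kernel is never even asked.
classify_error() {
    case "$1" in
        "")                                      echo ok ;;
        *"No chain/target/match by that name"*)  echo kernel-no-match ;;
        *"Invalid argument"*)                    echo kernel-rejected-rule ;;
        *"Couldn't load match"*)                 echo userspace-missing ;;
        *)                                       echo unknown ;;
    esac
}

explain() {
    case "$1" in
        ok)                   echo "kernel accepted the rule" ;;
        kernel-no-match)      echo "kernel has no match by that name (not built in, not loadable)" ;;
        kernel-rejected-rule) echo "kernel knows the match but refused this rule (its checkentry failed; compare the -p tcp variant)" ;;
        userspace-missing)    echo "iptables could not load the userspace extension; the kernel was never asked" ;;
        *)                    echo "unrecognised message, read it" ;;
    esac
}

# Minimal option set that makes each match syntactically valid (iptables 1.3.x
# option names, as in the help output above).  Extend for other matches.
match_args() {
    case "$1" in
        connlimit) echo "-m connlimit --connlimit-above 2" ;;
        hashlimit) echo "-m hashlimit --hashlimit 5/second --hashlimit-mode srcip --hashlimit-name probe" ;;
        *)         echo "-m $1" ;;
    esac
}

# Append one rule using the match to a scratch chain, capture what iptables
# says on stderr, then remove the chain again.
probe_rule() {
    name="$1"; proto="$2"
    "$IPT" -N "$CHAIN" 2>/dev/null || true
    # shellcheck disable=SC2046  # word splitting of the option list is intended
    err=$("$IPT" -A "$CHAIN" $proto $(match_args "$name") -j RETURN 2>&1 >/dev/null) || true
    "$IPT" -F "$CHAIN" 2>/dev/null || true
    "$IPT" -X "$CHAIN" 2>/dev/null || true
    class=$(classify_error "$err")
    printf '  rule %-8s: %-20s %s\n' "${proto:-any}" "$class" "$(explain "$class")"
    [ -n "$err" ] && printf '                 iptables said: %s\n' "$err"
    return 0
}

probe_match() {
    name="$1"
    echo "== $name"
    # 1. userspace extension: the -m <name> -h check from the thread
    if "$IPT" -m "$name" -h >/dev/null 2>&1; then
        echo "  userspace     : -m $name loads"
    else
        echo "  userspace     : iptables cannot load -m $name"
    fi
    # 2. a module file on disk (the ls /lib/modules check from the thread);
    #    none found may still mean the match is compiled into the kernel
    kmod=$(find "/lib/modules/$(uname -r)" -name "ipt_$name.*" 2>/dev/null | head -n 1)
    echo "  module file   : ${kmod:-none found under /lib/modules/$(uname -r)}"
    # 3. what the kernel says, without and with -p tcp
    probe_rule "$name" ""
    probe_rule "$name" "-p tcp"
}

if [ $# -eq 0 ]; then
    echo "usage: $0 match [match ...]   e.g. $0 connlimit hashlimit" >&2
elif ! command -v "$IPT" >/dev/null 2>&1; then
    echo "$IPT not found on PATH" >&2
else
    [ "$(id -u)" -eq 0 ] || echo "warning: not root, every rule probe will fail with EPERM" >&2
    for m in "$@"; do probe_match "$m"; done
fi
```

Run it on the router as `sh probe_matches.sh connlimit hashlimit`. A match whose `-h` works but whose rule probe reports `kernel-rejected-rule` only without `-p tcp` points at the rule, not at missing support; one that fails both ways, with no module file, points at the kernel build. The scratch chain is flushed and deleted after every probe so nothing is left in the filter table.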