Re: [Fwbuilder-discussion] "No chain/target/match by that name" ... huh?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

> > given my recent track-record, i'm betting this issue is "me" again :-/
> > currently in the debug/verbose output @ load of my firewall, i see,
> > ...
> does your installation of iptables have module hashlimit ? Try
>
> iptables -m hashlimit --help

well, i've been learning-by-googling.

1st to answer *your* question,

	# iptables -m hashlimit -h
		hashlimit v1.3.6 options:
		--hashlimit <avg>               max average match rate
										[Packets per second unless followed by
										/sec /minute /hour /day postfixes]
		--hashlimit-mode <mode>         mode is a comma-separated list of
												dstip,srcip,dstport,srcport
		--hashlimit-name <name>         name for /proc/net/ipt_hashlimit/
		[--hashlimit-burst <num>]       number to match in a burst, default 5
		[--hashlimit-htable-size <num>] number of hashtable buckets
		[--hashlimit-htable-max <num>]  number of hashtable entries
		[--hashlimit-htable-gcinterval] interval between garbage collection runs
		[--hashlimit-htable-expire]     after which time are idle entries expired?

so, yes, it seems to.

but, a similar issue with 'connlimit' has popped up ... let me share
that here 1st.

again, i don't know whether this is a firewall, fwbuilder, or 'me'
issue.  i'm *suspecting* that the support is not properly "in" the
linksys/sveasoft software. but i can't convincingly prove it to myself
(yet).  i presumed -- maybe badly -- that because fwb *has* the
support, that it *is* is sveasoft/linksys. we'll see ...

checking @ my linksys router,

	# iptables -m connlimit -h | grep connlimit
		connlimit v1.3.6 options:
		[!] --connlimit-above n         match if the number of existing tcp
connections is (not) above n
		 --connlimit-mask n             group hosts using mask

looks like connlimit is 'there'.

but,

	#ls -R1 /lib/modules/`uname -r`/ | grep conn
		ip_conntrack_h323.o
		ip_conntrack_mms.o
		ip_conntrack_pptp.o
		ip_conntrack_proto_gre.o
		ip_conntrack_rtsp.o
		ip_conntrack_sip.o
	#

hmm ... no *connlimit* ?

also,

	# modprobe ipt_connlimit
		modprobe: module ipt_connlimit not found.
		modprobe: failed to load module ipt_connlimit

but, testing with,

	# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above
2 -j REJECT
	#

that seems to work @ the firewall; at least, it doesn't complain.

but, when loading the fwb-generated firewall in verbose/debug mode, i see,

	+ echo Rule 37 (global)
	Rule 37 (global)
	+ /usr/sbin/iptables -N RULE_37
	+ /usr/sbin/iptables -A OUTPUT -m connlimit --connlimit-above 2 -j RULE_37
	iptables: Invalid argument
	+ /usr/sbin/iptables -A INPUT -m connlimit --connlimit-above 2 -j RULE_37
	iptables: Invalid argument
	+ /usr/sbin/iptables -A FORWARD -m connlimit --connlimit-above 2 -j RULE_37
	iptables: Invalid argument
	+ /usr/sbin/iptables -A RULE_37 -m limit --limit 5/second -j LOG
--log-level debug --log-prefix (CATCH:global(37):DENY)
	+ /usr/sbin/iptables -A RULE_37 -j DROP
	+ echo 1

that's conflicting info.  i'm confused. is "connlimit" supported, or
not?  i can repeate all this for hashlimit as well ...

thanks.