[pkg-netfilter-team] Bug#872907: iptables: hashlimit, Numerical result out of range
T. Simonaitis
tomas.simonaitis at gmail.com
Tue Aug 22 10:28:37 UTC 2017
Package: iptables
Version: 1.6.0+snapshot20161117-6
Severity: normal
Dear Maintainer,
The hashlimit module in post-1.6.0-1 versions does not work
with specific hashlimits; trying to add a rule results in the
error
"iptables: Numerical result out of range."
Tried iptables versions 1.6.0+snapshot20161117-6 and 1.6.0+snapshot20161117-5
with the command:
iptables -I INPUT -m hashlimit --hashlimit-above 15/second \
    --hashlimit-mode srcip --hashlimit-name test \
    --hashlimit-htable-max 2097152 --hashlimit-htable-size 2097152
This results in an error (iptables: Numerical result out of range.).
However, versions 1.6.0-1 and below work without error.
Example of /proc/net/ipt_hashlimit/test contains
1 11.11.11.11:0->0.0.0.0:0 5116 8524 1704
If, on newer versions, hashlimit-above is reduced to 5/second, the iptables command
succeeds, but /proc/net/ipt_hashlimit/test contains
large numbers, e.g.:
0 11.11.11.11:0->0.0.0.0:0 109951162777600 109951162777600 0
-- System Information:
Debian Release: 9.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.44-kvm (SMP w/4 CPU cores)
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8), LANGUAGE=lt_LT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iptables depends on:
ii libc6 2.24-11+deb9u1
ii libip4tc0 1.6.0+snapshot20161117-6
ii libip6tc0 1.6.0+snapshot20161117-6
ii libiptc0 1.6.0+snapshot20161117-6
ii libnetfilter-conntrack3 1.0.6-2
ii libnfnetlink0 1.0.1-3
ii libxtables12 1.6.0+snapshot20161117-6
iptables recommends no packages.
Versions of packages iptables suggests:
ii kmod 23-2
-- no debconf information