iptables connlimit/iplimit not working

Bug #60439 reported by dario
Affects                        Status        Importance  Assigned to   Milestone
linux (Ubuntu)                 Fix Released  Medium      Unassigned
linux-source-2.6.15 (Ubuntu)   Won't Fix     Undecided   Unassigned
linux-source-2.6.20 (Ubuntu)   Won't Fix     Medium      Unassigned
linux-source-2.6.22 (Ubuntu)   Won't Fix     Medium      Ben Collins

Bug Description

Currently there's a /lib/iptables/libipt_connlimit.so module present in the system, but no matching module in /lib/modules/*/kernel/net/ipv4/netfilter/, so I guess that's the reason why I get "iptables: No chain/target/match by that name" when entering, for example:

iptables -I INPUT -p tcp -m connlimit --connlimit-above 100 -j REJECT

Same with iplimit.
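The match needs two independent pieces, the userspace extension in /lib/iptables and the kernel module under /lib/modules, and the thread shows both ways the pair can be incomplete ("No chain/target/match by that name" with only the .so present, "Couldn't load match" with only the .ko present). The following diagnostic is an added example, not part of the bug report; it takes the match name and both directories as arguments so it can be pointed at any installed tree, and accepts both the ipt_/libipt_ and the newer xt_/libxt_ naming.

```sh
#!/bin/sh
# Added diagnostic (not from the bug report): say why an iptables match such
# as "connlimit" is unusable by checking the two layers that must both exist:
#   1. the userspace extension  libipt_<match>.so or libxt_<match>.so
#   2. the kernel module        ipt_<match>.ko or xt_<match>.ko
# Arguments: <match> <iptables lib dir> <kernel module tree root>
# Prints one of: ok, missing-kernel-module, missing-userspace-lib, missing-both
diagnose_match() {
    match=$1
    libdir=$2
    moddir=$3
    have_lib=0
    have_mod=0
    for lib in "$libdir/libipt_$match.so" "$libdir/libxt_$match.so"; do
        [ -f "$lib" ] && have_lib=1
    done
    # Search the whole module tree: the netfilter directory moved between
    # kernel releases (ipv4/netfilter vs. net/netfilter).
    if find "$moddir" -type f \( -name "ipt_$match.ko" -o -name "xt_$match.ko" \) 2>/dev/null | grep -q .; then
        have_mod=1
    fi
    case "$have_lib$have_mod" in
        11) echo ok ;;
        10) echo missing-kernel-module ;;  # iptables: No chain/target/match by that name
        01) echo missing-userspace-lib ;;  # iptables: Couldn't load match `connlimit'
        00) echo missing-both ;;
    esac
}

# Stand-alone use against the running system: ./check.sh --system [match]
if [ "${1-}" = "--system" ]; then
    diagnose_match "${2:-connlimit}" /lib/iptables "/lib/modules/$(uname -r)"
fi
```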

description: updated
Revision history for this message
Lumír Jasiok (lumir-jasiok) wrote :

Proposed solution:

1. download patch-o-matic-ng snapshot from
 http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
2. download iptables from ... similar place :-)
3. download connlimit patch from http://people.netfilter.org/ole/pom/connlimit .
4. unpack connlimit:
 tar xzvf connlimit to unpacked patch-o-matic/patchlets/
5. modify "info" file in patchlets/connlimit directory, so it looks like this:
 Title: iptables connlimit match
 Author: Gerd Knorr <email address hidden>
 Status: ItWorksForMe[tm]
 Repository: extra
 Requires: linux > 2.6.0

6. cd ../.. back to patch-o-matic top and configure by
 ./runme extra

7. select connlimit option to Y
8. go to Linux directory and make menuconfig to make sure that the new connlimit module is going to be compiled (CONFIG_IP_NF_MATCH_CONNLIMIT=m)
9. compile Linux kernel

Revision history for this message
yota (yota-opensystems) wrote : Still not resolved in 2.6.20-15

The bug seems to be still present in feisty:

root@one:/home/yota# uname -a
Linux one 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007 i686 GNU/Linux
root@one:/home/yota# iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
iptables: No chain/target/match by that name
root@one:/home/yota# ls /lib/modules/*/kernel/net/ipv4/netfilter/
arptable_filter.ko iptable_mangle.ko ipt_ah.ko ipt_LOG.ko ipt_REDIRECT.ko ipt_TOS.ko nf_nat_amanda.ko nf_nat_pptp.ko
arp_tables.ko iptable_nat.ko ipt_CLUSTERIP.ko ipt_MASQUERADE.ko ipt_REJECT.ko ipt_ttl.ko nf_nat_ftp.ko nf_nat_proto_gre.ko
arpt_mangle.ko iptable_raw.ko ipt_ecn.ko ipt_NETMAP.ko ipt_SAME.ko ipt_TTL.ko nf_nat_h323.ko nf_nat_sip.ko
ip_queue.ko ip_tables.ko ipt_ECN.ko ipt_owner.ko ipt_TCPMSS.ko ipt_ULOG.ko nf_nat_irc.ko nf_nat_snmp_basic.ko
iptable_filter.ko ipt_addrtype.ko ipt_iprange.ko ipt_recent.ko ipt_tos.ko nf_conntrack_ipv4.ko nf_nat.ko nf_nat_tftp.ko
root@one:/home/yota#

Changed in linux-source-2.6.17:
status: Unconfirmed → Confirmed
Revision history for this message
Romain MOREL (romain-caramiel) wrote :

Like Lumir proposed, I compiled a fresh kernel and iptables patched against patch-o-matic.

First I had the same problem as Yota: iptables: No chain/target/match by that name

After googling for some minutes I applied this little patch on the sources in KERNEL_DIR/net/ipv4/netfilter/ipt_connlimit.c: http://lists.netfilter.org/pipermail/netfilter/2007-April/068386.html and recompiled/rebooted again on the new kernel.

I hope this trick could help you.

Changed in linux-source-2.6.20:
assignee: nobody → ubuntu-kernel-team
importance: Undecided → Medium
Changed in linux-source-2.6.22:
assignee: nobody → ubuntu-kernel-team
importance: Undecided → Medium
status: New → Triaged
Changed in linux-source-2.6.20:
status: Confirmed → Triaged
Revision history for this message
Ben Collins (ben-collins) wrote :

Likely not going to be fixed in feisty.

However, I've yet to see where someone actually said they tested this in gutsy with 2.6.22. That needs to be confirmed.

Changed in linux-source-2.6.20:
status: Triaged → Won't Fix
Changed in linux-source-2.6.22:
assignee: ubuntu-kernel-team → ben-collins
status: Triaged → Incomplete
Revision history for this message
yota (yota-opensystems) wrote :

Confirmed on gutsy:

root@ubuntu:/tmp# uname -a
Linux ubuntu 2.6.22-8-generic #1 SMP Thu Jul 12 15:59:45 GMT 2007 i686 GNU/Linux
root@ubuntu:/tmp# iptables -I INPUT -p tcp -m connlimit --connlimit-above 100 -j REJECT
iptables: No chain/target/match by that name
root@ubuntu:/tmp#

and on Dapper (where imho it is more important since it is LTS and more server-oriented) too:

root@serverino:/# uname -a
Linux serverino 2.6.15-28-686 #1 SMP PREEMPT Wed Jul 18 22:57:30 UTC 2007 i686 GNU/Linux
root@serverino:/# iptables -I INPUT -p tcp -m connlimit --connlimit-above 100 -j REJECT
iptables: No chain/target/match by that name

I really hope that this can be fixed on Dapper, let me know if you have any concerns.

Changed in linux-source-2.6.22:
status: Incomplete → Confirmed
Revision history for this message
rtzra (rtzra) wrote :

There are many modules not included in /lib/iptables.
See https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/141436

Changed in linux-source-2.6.15:
status: New → Incomplete
Revision history for this message
MatB (matteo-brusa) wrote :

On hardy:

# uname -a
Linux bingo 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686 GNU/Linux

# iptables -I INPUT -p tcp -m connlimit --connlimit-above 100 -j REJECT
iptables v1.3.8: Couldn't load match `connlimit':/lib/iptables/libipt_connlimit.so: cannot open shared object file: No such file or directory

I searched for a package which contains such a file, no luck.

Revision history for this message
Piotr Żurek (piotrek.zurek) wrote :

I confirm this bug on hardy server kernel too.

# uname -a
Linux serwer 2.6.24-16-server #1 SMP Thu Apr 10 13:15:38 UTC 2008 x86_64 GNU/Linux

# iptables -I INPUT -p tcp -m connlimit --connlimit-above 100 -j REJECT
iptables v1.3.8: Couldn't load match `connlimit':/lib/iptables/libipt_connlimit.so: cannot open shared object file: No such file or directory

It's a very old bug now. When could this be corrected?
This is often much needed (if not necessary) in server/router machines. At least the server flavour of the Ubuntu kernel should have these modules compiled, IMO.

Revision history for this message
Stefan Soriga (sgstefan) wrote :

I confirm on hardy.

Revision history for this message
kiev1 (sys-sys-admin) wrote :

Please help!!!

Revision history for this message
Srand (cyril-scetbon) wrote :

I'd really enjoy if this feature was added to our favorite distribution.

Revision history for this message
Leann Ogasawara (leannogasawara) wrote :

Beginning with the Hardy Heron 8.04 development cycle the kernel source package naming convention changed from "linux-source-2.6.xx" to just "linux". Going forward, kernel bugs should now be reported against the "linux" package. I'm going to automatically retarget this bug against the "linux" package.

Revision history for this message
Leann Ogasawara (leannogasawara) wrote :

This report will be kept open against the actively developed kernel but against 2.6.15 and 2.6.22 this will be closed as it does not qualify for a Stable Release Update - http://www.ubuntu.com/StableReleaseUpdates . Thanks.

Changed in linux:
assignee: nobody → ubuntu-kernel-team
importance: Undecided → Medium
status: New → Triaged
Changed in linux-source-2.6.15:
status: Incomplete → Won't Fix
Changed in linux-source-2.6.22:
status: Confirmed → Won't Fix
Revision history for this message
Leann Ogasawara (leannogasawara) wrote :

The Ubuntu Kernel Team is planning to move to the 2.6.27 kernel for the upcoming Intrepid Ibex 8.10 release. As a result, the kernel team would appreciate it if you could please test this newer 2.6.27 Ubuntu kernel. There are two ways you should be able to test:

1) If you are comfortable installing packages on your own, the linux-image-2.6.27-* package is currently available for you to install and test.

--or--

2) The upcoming Alpha5 for Intrepid Ibex 8.10 will contain this newer 2.6.27 Ubuntu kernel. Alpha5 is set to be released Thursday Sept 4. Please watch http://www.ubuntu.com/testing for Alpha5 to be announced. You should then be able to test via a LiveCD.

Please let us know immediately if this newer 2.6.27 kernel resolves the bug reported here or if the issue remains. More importantly, please open a new bug report for each new bug/regression introduced by the 2.6.27 kernel and tag the bug report with 'linux-2.6.27'. Also, please specifically note if the issue does or does not appear in the 2.6.26 kernel. Thanks again, we really appreciate your help and feedback.

Revision history for this message
yota (yota-opensystems) wrote :

It finally works on Intrepid alpha 6:

root@ubuntu:/home/ubuntu# uname -a
Linux ubuntu 2.6.27-3-generic #1 SMP Wed Sep 10 16:02:00 UTC 2008 i686 GNU/Linux
root@ubuntu:/home/ubuntu# iptables -I INPUT -p tcp -m connlimit --connlimit-above 100 -j REJECT
root@ubuntu:/home/ubuntu#

Thank you! :-)

Revision history for this message
Leann Ogasawara (leannogasawara) wrote :

Thanks for the update. Marking this "Fix Released" for Intrepid.

Changed in linux:
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote : Kernel team bugs

Per a decision made by the Ubuntu Kernel Team, bugs will no longer be assigned to the ubuntu-kernel-team in Launchpad as part of the bug triage process. The ubuntu-kernel-team is being unassigned from this bug report. Refer to https://wiki.ubuntu.com/KernelTeamBugPolicies for more information. Thanks.
