Details
Summary: connlimit doesn't work
Bug#: 610
Product: netfilter/iptables
Component: unknown
Status: VERIFIED
Resolution: FIXED
Platform: All
OS: All
Version: linux-2.6.x
Priority: P1
Severity: normal
People
Reporter: urykhy@gmail.com
Assigned To: Jan Engelhardt <jengelh@medozas.de>

Attachments
Fix (2.04 KB, text/plain)
2009-11-04 14:31, Jan Engelhardt
Description: Opened: 2009-09-24 09:21
I need to limit the number of simultaneous connections to httpd:

on server:
iptables -A INPUT -p tcp -m connlimit --connlimit-above 5 --dport 80 -j DROP
(there is only one rule in the firewall)

On the client I run slowloris.

On the server under attack:
netstat -nta | grep :80 | grep ESTABLISHED | wc -l
180

As I understand 'iptables -L -n -v', my rule never hits.

existing behavior:
on the server under attack, a lot of simultaneous connections from a single IP.

expected behavior:
the server should have only 5 connections

Am I missing something?

PS:

Debian Linux 2.6.30-2, iptables 1.4.4-2
slowloris - http://ha.ckers.org/slowloris/
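A server-side check for whether a per-source connection limit is actually being enforced, added here as an example and not part of the bug report or of the netfilter project: it parses `netstat -nta` output (the same command the report uses) and lists remote addresses holding more than the configured number of ESTABLISHED connections to a given local port. The function names `count_per_source` and `over_limit`, the IPv4-only address format, and the sample netstat lines are all constructed for this example.

```shell
#!/bin/sh
# Added example: verify a connlimit-style rule from the server side by counting
# ESTABLISHED TCP connections per remote address in `netstat -nta` output.

# count_per_source PORT
#   Reads `netstat -nta` style lines on stdin and prints "<count> <remote-ip>"
#   for each remote address with ESTABLISHED connections to local port PORT,
#   highest count first. Assumes IPv4 "addr:port" formatting (the "tcp" lines).
count_per_source() {
    awk -v port="$1" '
        $1 == "tcp" && $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
            remote = $5
            sub(/:[0-9]+$/, "", remote)   # strip the remote port, keep the IP
            n[remote]++
        }
        END { for (r in n) print n[r], r }
    ' | sort -rn
}

# over_limit PORT LIMIT
#   Prints remote addresses holding more than LIMIT established connections
#   to PORT, i.e. exactly what "--connlimit-above LIMIT" should have prevented.
#   No output means the limit holds for every source.
over_limit() {
    count_per_source "$1" | awk -v lim="$2" '$1 > lim { print $2 }'
}

# Constructed sample in `netstat -nta` layout (not real captured data):
# 192.0.2.10 holds six ESTABLISHED connections to :80, 192.0.2.20 holds two,
# one SYN_RECV line and one connection to :22 must not be counted.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.1:80         192.0.2.10:51000        ESTABLISHED
tcp        0      0 198.51.100.1:80         192.0.2.10:51001        ESTABLISHED
tcp        0      0 198.51.100.1:80         192.0.2.10:51002        ESTABLISHED
tcp        0      0 198.51.100.1:80         192.0.2.10:51003        ESTABLISHED
tcp        0      0 198.51.100.1:80         192.0.2.10:51004        ESTABLISHED
tcp        0      0 198.51.100.1:80         192.0.2.10:51005        ESTABLISHED
tcp        0      0 198.51.100.1:80         192.0.2.10:51006        SYN_RECV
tcp        0      0 198.51.100.1:80         192.0.2.20:40000        ESTABLISHED
tcp        0      0 198.51.100.1:80         192.0.2.20:40001        ESTABLISHED
tcp        0      0 198.51.100.1:22         192.0.2.20:40002        ESTABLISHED'

# Run with --demo to evaluate the constructed sample against a limit of 5.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | over_limit 80 5    # prints 192.0.2.10
fi
```

For a live check, source the file and run `netstat -nta | over_limit 80 5` on the server: an empty result, together with non-zero packet counters on the rule in `iptables -L INPUT -n -v`, means the limit is being enforced; a list of addresses with zero counters on the rule is the symptom this bug describes.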
------- Comment #1 From Patrick McHardy 2009-11-04 13:22:06 -------
Doesn't work for me either. Jan?
------- Comment #2 From Jan Engelhardt 2009-11-04 14:31:06 -------
Created an attachment (id=304)
Fix

Affects 2.6.28--current. Please forward to 2.6.31-stable.
------- Comment #3 From Jan Engelhardt 2009-11-04 14:32:23 -------
Here's a patch.
------- Comment #4 From Patrick McHardy 2009-11-05 14:17:13 -------
*** Bug 618 has been marked as a duplicate of this bug. ***
------- Comment #5 From onorua 2010-01-28 19:39:59 -------
Kernel 2.6.31.5
After the patch it works.
Thank you.