-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Problem with "hashlimit" match without hashlimit_htable_expire value #201
Comments
I can verify this bug. I'm using my patched version (see #200 ), on Linux Mint 18 "Sarah". Uncommenting the line #match.hashlimit_htable_expire = '100' Successfully added the rule to iptables. Furthermore, if I disable autocommit by modifying the code as such: table = iptc.Table(iptc.Table.FILTER)
table.autocommit = False
rule = iptc.Rule()
rule.src = "127.0.0.1"
rule.protocol = "udp"
rule.target = iptc.Target(rule, "ACCEPT")
match = iptc.Match(rule, "hashlimit")
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD")
match.hashlimit_name = 'foo'
match.hashlimit_mode = 'srcip'
match.hashlimit_upto = '200/sec'
#match.hashlimit = '200' # This seems not to be necessary
#match.hashlimit_htable_expire = '100'
rule.add_match(match)
chain.insert_rule(rule)
table.commit()
table.autocommit = True Now it emits an error at
Trying to emulate same using CLI: iptables -A FORWARD -s 127.0.0.1 -p udp -j ACCEPT \
-m hashlimit --hashlimit-name foo \
--hashlimit-mode srcip --hashlimit-upto 200/sec Does not exhibit the same behavior. |
Additional info:If I edit the code as such: table = iptc.Table(iptc.Table.FILTER)
table.autocommit = False
rule = iptc.Rule()
rule.src = "127.0.0.1"
rule.protocol = "udp"
rule.target = iptc.Target(rule, "ACCEPT")
match = iptc.Match(rule, "hashlimit")
print('Params just after match creation:\n ', match.parameters)
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD")
match.hashlimit_name = 'foo'
match.hashlimit_mode = 'srcip'
match.hashlimit_upto = '200/sec'
print('Params after partial set:\n ', match.parameters)
#match.hashlimit = '200' # This seems not to be necessary
#match.hashlimit_htable_expire = '100'
rule.add_match(match)
chain.insert_rule(rule)
table.commit()
table.autocommit = True I get this: Params just after match creation:
{u'hashlimit_burst': u'5', u'hashlimit_name': u'', u'hashlimit_upto': u'inf'}
Params after partial set:
{u'hashlimit_burst': u'5', u'hashlimit_mode': u'srcip', u'hashlimit_name': u'foo', u'hashlimit_upto': u'200/sec', u'hashlimit_htable_expire': u'0'}
Traceback (most recent call last):
File "/home/pepoluan/PycharmProjects/python-iptables/tests/try_it.py", line 25, in <module>
table.commit()
File "/home/pepoluan/PycharmProjects/python-iptables/iptc/ip4tc.py", line 1591, in commit
raise IPTCError("can't commit: %s" % (self.strerror()))
iptc.ip4tc.IPTCError: can't commit: Invalid argument So, apparently, # iptables -A FORWARD -s 127.0.0.1 -p udp -j ACCEPT -m hashlimit --hashlimit-name foo --hashlimit-mode srcip --hashlimit-upto 200/sec --hashlimit-htable-expire 0
iptables: Invalid argument. Run `dmesg' for more information. iptables puked on Not sure where this |
Yes, this is a known issue. Setting it explicitly works around the problem, thought. |
Hei!
Then dump the rules
The default value for hashlimit-htable-expire is therefore 1000 ms (1 sec). It would be great if we could somehow set the default value to 1000 upon creation of a hashlimit match. |
Hi, More information to this regard. There seems to be a larger issue than initially expected. The following examples creates a hashlimit match and sets a target value for the rule
Following the examples of above create a hashlimit match but without setting a target value for the rule gives the following error for all the variations of the hashlimit_htable_expire parameter.
However, the same rule without the target can be added via iptables CLI, then with iptc I can read it and reinsert it again and again... Is the Rule() created differently when reading from the netlink interface?
In addition, I have also conducted more tests with the htable_expire = 1000 and there seems to be another bug somewhere...
Cheers! |
Just a thought: Could this be an upstream bug?
…On Jan 4, 2017 5:32 AM, "jllorente" ***@***.***> wrote:
Hi,
More information to this regard. There seems to be a larger issue than
initially expected.
The following examples creates a hashlimit match and sets a target value
for the rule
# Example setting a target value - ACCEPT
>>> chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD")
>>> rule = iptc.Rule()
>>> rule.src = '1.2.3.4'
>>> target = rule.create_target('ACCEPT')
>>> match = rule.create_match('hashlimit')
>>> match.hashlimit_name = 'hl_test1'
>>> match.hashlimit_above = '100/sec'
>>> match.hashlimit_burst = '150/sec'
# This rule is not inserted as hashlimit_htable_expire = 0
>>> print(match.parameters)
{'hashlimit_burst': '150', 'hashlimit_name': 'hl_test1', 'hashlimit_above': '100/sec', 'hashlimit_htable_expire': '0'}
>>> chain.insert_rule(rule)
# This rule is inserted
>>> match.hashlimit_htable_expire = '100'
>>> print(match.parameters)
{'hashlimit_htable_expire': '100', 'hashlimit_above': '100/sec', 'hashlimit_name': 'hl_test1', 'hashlimit_burst': '150'}
>>> chain.insert_rule(rule)
# This rule is inserted
>>> match.hashlimit_htable_expire = '2000'
>>> print(match.parameters)
{'hashlimit_burst': '150', 'hashlimit_name': 'hl_test1', 'hashlimit_above': '100/sec', 'hashlimit_htable_expire': '2000'}
>>> chain.insert_rule(rule)
# This rule is not inserted, furthermore there is no hashlimit_htable_expire parameter in match
>>> match.hashlimit_htable_expire = '1000'
>>> print(match.parameters)
{'hashlimit_burst': '150', 'hashlimit_name': 'hl_test1', 'hashlimit_above': '100/sec'}
>>> chain.insert_rule(rule)
Following the examples of above create a hashlimit match but without
setting a target value for the rule gives the following error for all the
variations of the hashlimit_htable_expire parameter.
/home/ubuntu/.local/lib/python3.5/site-packages/iptc/ip4tc.py in insert_rule(self, rule, position)
1434 rbuf = rule.rule
1435 if not rbuf:
-> 1436 raise ValueError("invalid rule")
1437 self.table.insert_entry(self.name, rbuf, position)
1438
ValueError: invalid rule
However, the same rule without the target can be added via iptables CLI,
then with iptc I can read it and reinsert it again and again... Is the
Rule() created differently when reading from the netlink interface?
iptables -A FORWARD -s 1.2.3.4/32 -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 150 --hashlimit-name hl_test1 --hashlimit-htable-expire 100
In addition, I have also conducted more tests with the htable_expire =
1000 and there seems to be another bug somewhere...
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD")
rule = iptc.Rule()
rule.src = '5.6.7.8'
target = rule.create_target('ACCEPT')
match = rule.create_match('hashlimit')
match.hashlimit_name = 'hl_test2'
match.hashlimit_above = '100/sec'
match.hashlimit_burst = '150/sec'
match.hashlimit_htable_expire = '1000'
print(match.parameters)
chain.insert_rule(rule)
# Sometimes, if I repeat this insert_rule() several times from the python interpreter, it inserts junk as can be seen from the iptables output. The value is random and it changed for every batch of tests I've run.
# iptables -S FORWARD
-A FORWARD -s 5.6.7.8/32 -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 150 --hashlimit-name hl_test2 --hashlimit-htable-expire 4031034112 -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 150 --hashlimit-name hl_test2 --hashlimit-htable-expire 4031034112 -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 150 --hashlimit-name hl_test2 --hashlimit-htable-expire 4031034112 -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 150 --hashlimit-name hl_test2 --hashlimit-htable-expire 4031034112 -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 150 --hashlimit-name hl_test2 --hashlimit-htable-expire 4031034112 -j ACCEPT
-A FORWARD -s 5.6.7.8/32 -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 150 --hashlimit-name hl_test2 --hashlimit-htable-expire 4031034112 -j ACCEPT
Cheers!
Jesus
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#201 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAnM00FhmRmOepv7-mwF5KYFfeOcQWprks5rOsx4gaJpZM4LO_9r>
.
|
I cannot tell where the problem lies, but there is certainly a bug somewhere... I would suggest to reopen the issue until it is resolved, as it may help other people running into the same problem. As a temporary solution I am using this in my rules:
Cheers! |
Looking into this a bit more
and then in
so it's ambigous in the extension itself -
Does this help? |
It is an upstream bug, then :-) |
I wouldn't call it a bug, but unfortunately I see no easy way to fix it in python-iptables without adding extension-specific workarounds. :) Let me know if there's anything else I can help with! |
Thanks @ldx for the digging! |
Another thought came to me: If the lib requires |
Hi,
I tried to replicate the example described here (
python-iptables/tests/test_matches.py
Line 431 in edd1623
Turns out if you do not set hashlimit_htable_expire, the iptables chain is not populated but no error is shown either, fails silently. I did this, not setting a value because I was a bit unsure since I hadn't used it either in my other iptables scripts.
Steps to reproduce:
The text was updated successfully, but these errors were encountered: