Log from #iptables at freenode 2006-05-19
[03:15]<sfun>:p
[03:15]<mrrynfmr>true
[03:17]<mrrynfmr>ah, it may need another patch
[03:18]<sfun>????
[03:19]<sfun>I already patched, selected at config, and now I am compiling kernel
[03:19]<mrrynfmr>look at the warnings on this module
[03:19]<sfun> CC net/ipv4/netfilter/ipt_connlimit.o
[03:19]<sfun>net/ipv4/netfilter/ipt_connlimit.c:211: warning: initialization from incompatible pointer type
[03:19]<sfun>net/ipv4/netfilter/ipt_connlimit.c:212: warning: initialization from incompatible pointer type
[03:19]<sfun>only this
[03:20]<mrrynfmr>yep. That's a problem, at least the first one
[03:20]<sfun>(I compiled statically)
[03:20]<mrrynfmr>add "unsigned int protoff," after "int offset," in the match function of net/ipv4/netfilter/ipt_connlimit.c
[03:21]<sfun>omg
[03:21]<sfun>too brutal patching :p
[03:21]<mrrynfmr>well, I could make a patchfile ... ;)
[03:22]<mrrynfmr>that would only cause a problem if you had kmalloc fail or an invalid ct state
[03:22]<mrrynfmr>both of which shouldn't happen, but they'll fail better than accessing some random memory address
[03:22]<sfun>match(const struct sk_buff *skb,
[03:22]<sfun> const struct net_device *in,
[03:22]<sfun> const struct net_device *out,
[03:22]<sfun> const void *matchinfo,
[03:22]<sfun> int offset,
[03:22]<sfun> unsigned int protof,
[03:22]<sfun> int *hotdrop)
[03:22]<sfun>ok now?
[03:22]<mrrynfmr>yes
[03:23]<sfun>I think it's time to select it as module...
[03:23]<mrrynfmr>I always select everything iptables-related as a module
[03:24]<sfun>I already have one warning
[03:24]<sfun>net/ipv4/netfilter/ipt_connlimit.c:213: warning: initialization from incompatible pointer type
[03:24]<mrrynfmr>what's on line 213, just curious?
[03:25]<sfun>static struct ipt_match connlimit_match = {
[03:25]<sfun> .name = "connlimit",
[03:25]<sfun> .match = &match,
[03:25]<sfun> .checkentry = &check,
[03:25]<sfun> .destroy = &destroy,
[03:25]<sfun> .me = THIS_MODULE
[03:25]<sfun>};
[03:25]<sfun>.checkentry. is 213
[03:27]<mrrynfmr>hmm. Not sure if it's needed to change it, but it might be better
[03:28]<sfun>change to what?
[03:28]<drwygn>sque: that doesn't look right
[03:29]<sfun>maxine, what doesn't look right?
[03:29]<drwygn>bugger all, i dunno, sque
[03:29]<mrrynfmr>maxine: what are you
[03:29]<drwygn>i am the bot? or a pocket calculator
[03:29]<sfun>I feel like I am in the wrong way
[03:29]<sfun>but what else can I do?
[03:30]<sfun>maxine, what are you
[03:30]<drwygn>i think i am the bot? or a pocket calculator
[03:30]<sfun>:|
[03:30]<mrrynfmr>http://daniel.6dns.org/misc/connlimit.patch
[03:30]<mrrynfmr>sque: try that patch to ipt_connlimit.c
[03:30]<sfun>I wasn't able to find the file you asked for.
[03:30]<sfun>If you think this is a mistake on my part, email me and I'll fix it.
[03:31]<sfun>the url
[03:31]<mrrynfmr>oops
[03:31]<mrrynfmr>forgot to hit enter :/
[03:31]<sfun>:p
[03:31]<sfun>ern how do I patch?
[03:32]<sfun>I only know to diff :p
[03:32]<mrrynfmr>patch < that file
[03:32]<mrrynfmr>in net/ipv4/netfilter as current directory
[03:33]<sfun>patching file ipt_connlimit.c
[03:33]<sfun>Hunk #1 FAILED at 131.
[03:33]<sfun>Hunk #2 succeeded at 164 (offset 1 line).
[03:33]<sfun>Hunk #3 succeeded at 172 (offset 1 line).
[03:33]<sfun>1 out of 3 hunks FAILED -- saving rejects to file ipt_connlimit.c.rej
[03:33]<mrrynfmr>that's because you already patched the first hunk
[03:33]<sfun>yes
[03:33]<mrrynfmr>it was repatching the "unsigned int protoff,
[03:34]<sfun>that was only rejected
[03:34]<sfun>so I am ok
[03:34]<sfun>right?
[03:34]<mrrynfmr>I think so.
[03:35]<mrrynfmr>yes. It'll fail to compile otherwise
[03:35]<sfun>i repatched at an original copy
[03:35]<sfun>and succeeded :)
[03:35]<sfun>just to be sure
[03:36]<sfun>lol
[03:36]<sfun>7 lines
[03:36]<sfun>paste here?
[03:37]<mrrynfmr>what seven lines
[03:37]<sfun>net/ipv4/netfilter/ipt_connlimit.c:166: error: syntax error before "void"
[03:37]<sfun>net/ipv4/netfilter/ipt_connlimit.c:170: warning: function declaration isn't a prototype
[03:37]<sfun>net/ipv4/netfilter/ipt_connlimit.c: In function `check':
[03:37]<sfun>net/ipv4/netfilter/ipt_connlimit.c:171: error: `matchinfo' undeclared (first use in this function)
[03:37]<sfun>net/ipv4/netfilter/ipt_connlimit.c:171: error: (Each undeclared identifier is reported only once
[03:37]<sfun>net/ipv4/netfilter/ipt_connlimit.c:171: error: for each function it appears in.)
[03:37]<sfun>net/ipv4/netfilter/ipt_connlimit.c:174: error: `e_void' undeclared (first use in this function)
[03:37]<sfun>net/ipv4/netfilter/ipt_connlimit.c:177: error: `matchsize' undeclared (first use in this function)
[03:37]<mrrynfmr>doh. Remove "struct" before "void"
[03:38]<sfun>rebooting....
[03:38]<sfun>(god help!)
[03:39]<mrrynfmr>good luck!
[03:44]<sfun>router ~ # iptables -A FORWARD -s 192.168.0.0/24 -m connlimit --connlimit-above 500 -j DROP
[03:44]<sfun>iptables: Invalid argument
[03:44]<mrrynfmr>you need a -p tcp in there
[03:44]<mrrynfmr>check dmesg|tail