Package: iptables
Version: 1.4.14-3.1
Severity: normal

Dear Maintainer,

the hashlimit module is not working correctly for certain combinations of rates and bucket sizes. For example:

sudo iptables -A INPUT -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 38 --hashlimit-mode srcip --hashlimit-name mylimit

This generates an error "iptables: Numerical result out of range". The same error occurs also for these values:

sudo iptables -A INPUT -m hashlimit --hashlimit-above 1/min --hashlimit-burst 2237 --hashlimit-mode srcip --hashlimit-name mylimit

For smaller burst values the module works correctly. For larger burst values there is no error message, and the module does not work correctly, since the actual bucket size will be much smaller than what is defined by the rule.

This can be checked by looking at "/proc/net/ipt_hashlimit/mylimit". If the rate is 1/hour, the last field has a value of 115200000, and the previous field should be the bucket size multiplied by 115200000. This is the case until a bucket size of 37; for larger buckets there is an overflow (apparently the field is limited to 32 bits, and 38 * 115200000 is greater than 2 to the power of 32).

Kind regards,
B.Areco

-- System Information:
Debian Release: 7.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iptables depends on:
ii  libc6          2.13-38+deb7u8
ii  libnfnetlink0  1.0.0-1.1

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information
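
Added example (not part of the original report and not iptables or kernel code): a C program for the 32-bit limit described above. It computes the largest burst that fits for a given cost, and reads the last two fields of a /proc/net/ipt_hashlimit entry to see how many packets the bucket really holds. The function names, the sample entry and the modulo-2^32 wrap are assumptions made for illustration; the cost 115200000 is the 1/hour value quoted in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest burst whose credit cap (burst * cost) still fits in a 32-bit field. */
static uint32_t max_safe_burst(uint32_t cost)
{
    return cost ? UINT32_MAX / cost : 0;
}

/* Assumption: an oversized cap is stored modulo 2^32, as the report suggests. */
static uint32_t stored_cap(uint32_t burst, uint32_t cost)
{
    return (uint32_t)((uint64_t)burst * cost);
}

/* Read one line of /proc/net/ipt_hashlimit/<name>. Only the last two fields
 * are used: the credit cap, then the cost per packet (the layout the report
 * describes). Returns the number of packets the bucket really holds, or -1
 * if the line is malformed. */
static long effective_burst(const char *line)
{
    char buf[256], *tok, *prev = NULL, *last = NULL;

    snprintf(buf, sizeof buf, "%s", line);
    for (tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        prev = last;   /* after the loop: second-to-last field */
        last = tok;    /* after the loop: last field */
    }
    if (!prev || !last)
        return -1;
    unsigned long cap = strtoul(prev, NULL, 10);
    unsigned long cost = strtoul(last, NULL, 10);
    if (cost == 0 || cap > UINT32_MAX)
        return -1;
    return (long)(cap / cost);
}

int main(void)
{
    /* Constructed sample entry for a 1/hour rule with --hashlimit-burst 40. */
    const char *line = "3599 192.0.2.10:0->0.0.0.0:0 313032704 313032704 115200000\n";
    uint32_t cost = 115200000; /* cost value quoted in the report for 1/hour */

    printf("max safe burst: %u\n", (unsigned)max_safe_burst(cost));
    printf("burst 40 stored as %u, bucket holds %ld packets\n",
           (unsigned)stored_cap(40, cost), effective_burst(line));
    return 0;
}
```

Comparing the value returned by effective_burst with the --hashlimit-burst in the rule shows whether a limit is being enforced with a smaller bucket than configured.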