[Bug 95] New: inverse limit match doesn't work

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Fri, 30 May 2003 03:17:40 +0200


           Summary: inverse limit match doesn't work
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: i386
        OS/Version: Mandrake Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ip_tables (kernel)
        AssignedTo: laforge@netfilter.org
        ReportedBy: email@cs-ware.de
                CC: netfilter-buglog@lists.netfilter.org

The inverse limit match seems to be broken:

#iptables -A INPUT -m limit ! --limit 1/sec -j DROP
seems to be the same as
#iptables -A INPUT -m limit --limit 1/sec -j DROP

Both result in:
#iptables --list -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --            limit: avg 1/sec 
burst 5

But in the iptables Tutorial 1.1.19 by Oskar Andreasson (http://iptables-
tutorial.frozentux.net/chunkyhtml/matches.html#TABLE.LIMITMATCH) there is 
"The limit match may also be inverted by adding a ! flag in front of the
limit match. It would then be expressed as -m ! limit. This means that all
packets will be matched after they have broken the limit."
And in the iptables man-page there is written:
"A rule using this extension will match until this limit is reached (unless 
the '!' flag is used)."

My configuration:
iptables/1.2.8, Kernel 2.4.20 with POM 20030107 and grsecurity-1.9.9h

Sven Strickroth

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.