i.MX6UL: Unable to restrict the number of connections by using the connlimit module in iptables


TammyTsai
Contributor III

Hi NXP team,

I want to manage TCP sessions to comply with the following requirements.

The i.MX6UL custom board keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.

We use the connlimit module, which allows us to limit the number of connections.

To limit our device to connecting to at most five servers, I use iptables to add the rule shown below.

iptables -I OUTPUT -p tcp --syn -m connlimit --connlimit-above 5 -j DROP

It shows an error message.

iptables: No chain/target/match by that name.

Does i.MX6UL not support the connlimit module?

If supported, does the device need to load this module?

Should I add CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m to config file?

5 replies

jimmychan
NXP TechSupport

As you build it as a module, you should load it first when you want to use it.

TammyTsai
Contributor III

Hi @jimmychan,

Our BSP version is "Linux imx6ulevk 4.14.98-2.3.1+g860ec89b125a".

Does this BSP version support connlimit?

How do I build and load the connlimit module?

jimmychan
NXP TechSupport
TammyTsai
Contributor III

Hi @jimmychan,

I execute the following command.

$ iptables -m connlimit -h

Here is the result, the help information for the extension.

root@imx6ulevk:~# iptables -m connlimit -h
iptables v1.6.2

Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] maximum wait to acquire xtables lock before give up
--wait-interval -W [usecs] wait time to try to acquire xtables lock
default is 1 second
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

connlimit match options:
--connlimit-upto n match if the number of existing connections is 0..n
--connlimit-above n match if the number of existing connections is >n
--connlimit-mask n group hosts using prefix length (default: max len)
--connlimit-saddr select source address for grouping
--connlimit-daddr select destination addresses for grouping
root@imx6ulevk:~#

Is the extension "connlimit" included in the kernel space?

jimmychan
NXP TechSupport

I didn't use it before. You may 'google' it to find the answer.

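The two open questions in this thread, whether CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is enabled and whether the connlimit match is actually present in kernel space, can be checked on the board before the OUTPUT rule is added. The script below is an added example, not code from the thread or from NXP; it assumes the module built from that config option is named xt_connlimit and that the kernel .config used for the BSP build is available as a plain-text file.

```shell
#!/bin/sh
# Added example (not the thread's own code): check how the connlimit match is
# configured, whether the running kernel has registered it, and only then
# install the OUTPUT rule from the original post.
# Assumed: the kernel module for CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is named
# xt_connlimit, and the build's .config is available as a plain-text file.

# Print builtin, module, missing or unreadable for
# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT in the config file given as $1.
connlimit_config_state() {
    cfg="$1"
    [ -r "$cfg" ] || { echo unreadable; return; }
    if grep -q '^CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y$' "$cfg"; then
        echo builtin
    elif grep -q '^CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m$' "$cfg"; then
        echo module
    else
        echo missing   # "# ... is not set" or absent: needs a kernel rebuild
    fi
}

# Succeed if the running kernel has registered the connlimit match.
# /proc/net/ip_tables_matches lists one registered xtables match per line;
# $1 lets the self-test point at a constructed copy of that file.
connlimit_registered() {
    matches="${1:-/proc/net/ip_tables_matches}"
    [ -r "$matches" ] && grep -qx connlimit "$matches"
}

# Load xt_connlimit when it is built as a module (=m) and install the rule.
# The -C check avoids stacking duplicate rules on repeated runs.
apply_connlimit_rule() {
    cfg="$1"   # path to the kernel .config (or a decompressed /proc/config.gz)
    case "$(connlimit_config_state "$cfg")" in
        builtin) ;;
        module)  connlimit_registered || modprobe xt_connlimit || return 1 ;;
        *)       echo "connlimit not enabled in $cfg" >&2; return 1 ;;
    esac
    rule="OUTPUT -p tcp --syn -m connlimit --connlimit-above 5 -j DROP"
    # word splitting of $rule into separate arguments is intended here
    iptables -C $rule 2>/dev/null || iptables -I $rule
}

# Usage on the target, as root: sh connlimit.sh apply /path/to/.config
# With no arguments the script only defines the functions above.
if [ "${1:-}" = apply ]; then
    apply_connlimit_rule "$2"
fi
```

If the config reports "missing", the "No chain/target/match by that name" error from the first post is expected until the kernel is rebuilt with the option set to y or m.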