iptables module recent: how to get the --mask parameter working

Discussion in 'Tomato Firmware' started by PetervdM, Apr 16, 2019.

  1. PetervdM

    PetervdM Network Guru Member

    I am trying to get --mask working in the module xt_recent. The manual states "--mask netmask" but does not state how to use it.
    I tried 255.255.255.248, 29 and /29; none of these worked. Error: iptables v1.6.2: unknown option "--mask"

    According to the history of commit 55cf7be by @Edrikk, the mask parameter was implemented on 2012-Jul-31 in iptables-1.4.15.

    Has anyone succeeded in using the mask parameter?
     
  2. lancethepants

    lancethepants Network Guru Member

    Did you 'modprobe xt_recent'?
     
  3. PetervdM

    PetervdM Network Guru Member

    Yes, I tried, but it made no difference. The module recent works, except for the --mask parameter. I currently have:
    Code:
    # WAN filter hitcount
    iptables -N ATTACK # create rule chain
    iptables -F ATTACK # clear rule chain
    iptables -A ATTACK -m recent --set --name ATTACK --rsource # initialize
    iptables -A ATTACK -m recent --update --name ATTACK --rsource --seconds 1200 --hitcount 3 -j DROP
    #
    iptables -D INPUT -j logdrop # delete catch all rule
    iptables -A INPUT -i vlan2 -d a.b.c.d -m state --state NEW -j ATTACK
    iptables -A INPUT -j logdrop # restore catch all rule
    #
    
    iptables -nvL shows that these rules work:
    Code:
    Chain ATTACK (1 references)
     pkts bytes target     prot opt in     out     source               destination
      201 11307            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: ATTACK side: source
       40  1600 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 1200 hit_count: 3 name: ATTACK side: source
    and
    Code:
      201 11307 ATTACK     all  --  vlan2  *       0.0.0.0/0            a.b.c.d        state NEW
      126  7057 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    If I insert the --mask parameter in either or both iptables -A ATTACK rules, I get the unknown option "--mask" error and the rules are not present in iptables -nvL.
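As an added example (not from any post in this thread): a POSIX shell script that rebuilds the ATTACK chain shown above and appends --mask to both recent rules only when the installed iptables actually advertises that option in `iptables -m recent --help`. The "unknown option" error is raised by the iptables userspace extension parser before the kernel is ever consulted, so that help output, not the presence of the xt_recent kernel module, is what decides whether --mask can be used. The netmask is passed in the dotted form the manual's "--mask netmask" wording suggests; `vlan2` and `a.b.c.d` are the placeholders the thread already uses, and `prefix_to_netmask`, `help_mentions_mask`, `attack_rules` and the `APPLY` variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build the recent-based hit-count chain
# and use --mask only when the installed iptables advertises it.
# Assumptions: vlan2 and a.b.c.d are the thread's placeholders; the helper
# names below and the APPLY variable are this example's own.

# Convert a prefix length (0-32) to the dotted netmask form the manual
# documents for "--mask netmask"; e.g. 29 -> 255.255.255.248.
prefix_to_netmask() {
    plen=$1
    [ "$plen" -ge 0 ] 2>/dev/null && [ "$plen" -le 32 ] || return 1
    if [ "$plen" -eq 0 ]; then
        m=0
    else
        # top $plen bits set, truncated to 32 bits
        m=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    fi
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# True when the extension help text on stdin mentions --mask. The
# "unknown option" error comes from the userspace option parser, so this is
# the check that matters; modprobe adds nothing to iptables' own vocabulary.
help_mentions_mask() {
    grep -q -- '--mask'
}

recent_supports_mask() {
    iptables -m recent --help 2>/dev/null | help_mentions_mask
}

# Print the ATTACK chain rules for interface $1 and address $2. With a third
# argument (prefix length) both recent rules get a matching --mask, so every
# source address in that block is stored under one recent entry and shares
# one hit count instead of being counted host by host.
attack_rules() {
    ifc=$1
    addr=$2
    mask_opt=""
    if [ -n "$3" ]; then
        mask_opt=" --mask $(prefix_to_netmask "$3")" || return 1
    fi
    cat <<EOF
iptables -N ATTACK
iptables -F ATTACK
iptables -A ATTACK -m recent --set --name ATTACK --rsource$mask_opt
iptables -A ATTACK -m recent --update --name ATTACK --rsource --seconds 1200 --hitcount 3$mask_opt -j DROP
iptables -D INPUT -j logdrop
iptables -A INPUT -i $ifc -d $addr -m state --state NEW -j ATTACK
iptables -A INPUT -j logdrop
EOF
}

main() {
    if recent_supports_mask; then
        rules=$(attack_rules vlan2 a.b.c.d 29)
    else
        echo "# this iptables build does not know --mask; emitting rules without it" >&2
        rules=$(attack_rules vlan2 a.b.c.d)
    fi
    # Print the rules by default; APPLY=1 feeds them to sh (needs root).
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

main
```

Run it without arguments to see the rule set it would install; on a router whose recent extension lacks --mask the script says so on stderr and falls back to the per-host rules from the thread, so nothing silently changes about what the chain does.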
     