iptables xt_recent kernel module with --reap support

Post by drboyd » 2012/04/23 19:30:14

I've noticed that it appears the CentOS 6.2 kernel does not support the xt_recent --reap capability.

It's very strange, as Ubuntu Server 10.10 even had it, and that was quite a while ago.

Does anyone know when CentOS is going to get a kernel update to support a modern xt_recent kernel module?

Post by jlehtone » 2012/04/23 20:15:21

Ubuntu 10.10 changelogs say:

    2010-03-04 - Tim Gardner
    iptables (1.4.4-2ubuntu2) lucid; urgency=low
    * Added support for the xt_recent filter --reap switch.
    This feature should appear in the 1.4.8 upstream release.

The iptables of CentOS 6.2 is formally version 1.4.7, and TUV follows its own backport policies.

For comparison, the manpage of Fedora 15 (iptables-1.4.10) does not mention --reap either (F15 is now old though).

A recent Ubuntu bug (https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/887332) claims lack of --reap as well. :lol:

We do know that CentOS does get kernel feature updates if and when TUV does so.

Post by drboyd » 2012/04/24 14:39:28

Thanks for the quick response!

Just an FYI: Ubuntu Server 10.10 has iptables 1.4.4, and --reap works. Ubuntu Server 11.10 has iptables 1.4.10, and --reap works. I use both of those distributions for game servers, and want to switch them to CentOS 6.2.

However, the iptables rules I use to protect some of the older Q3-protocol Linux servers just flat out won't work with CentOS 6.2. Not having the --reap option breaks retirement in dynamic whitelisting of players.

CentOS 6.2 is newer (12.11) than either of those distributions. It's just frustrating to be using a feature that's been in Ubuntu so long and find out that it's not in the latest release of CentOS.

I even recompiled and installed the latest iptables (1.4.13) from www.netfilter.org. The end result was that iptables no longer barked about the --reap option, but it just didn't work. It wasn't until I did some further digging that I realized it has to be in the xt_recent kernel module too, and that all I did was make the iptables program not complain about a feature that isn't there.

I guess the only thing to do is to try to rebuild the xt_recent kernel module myself to get --reap? I really would like to use CentOS 6.2 instead of Ubuntu Server, but at this point I just can't.

Thanks,

Boyd
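As an added example (not code from the thread or from any of its posters), the script below checks both halves of the --reap requirement that the post above ran into: the iptables userspace must know the option, and the running kernel's xt_recent must implement it. It assumes that mainline kernels from 2.6.34 on carry the reaper (a distribution may have backported it, so the kernel check is a hint, not proof), and the port, list name and rule shape in the whitelist sketch are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether this host can honour
# "-m recent --reap": the iptables binary must list the option (the quoted
# changelog says 1.4.8 upstream) AND the kernel's xt_recent must implement
# it. Assumption: mainline 2.6.34+ carries the reaper; confirm on the box.

# kver_num "3.3.2-1.el6.x86_64" -> 3003002 (major*1e6 + minor*1e3 + patch),
# so dotted kernel versions can be compared as plain integers.
kver_num() {
    v=${1%%-*}                          # strip the "-220.el6.x86_64" suffix
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# kver_ge A B: succeeds when kernel version A is at least B.
kver_ge() { [ "$(kver_num "$1")" -ge "$(kver_num "$2")" ]; }

# Kernel side (assumed threshold, see above).
kernel_reap_ok() { kver_ge "$(uname -r)" "2.6.34"; }

# Userspace side: does this iptables binary list --reap for the recent match?
userspace_reap_ok() {
    command -v iptables >/dev/null 2>&1 &&
        iptables -m recent --help 2>/dev/null | grep -q -- '--reap'
}

# Sketch of the dynamic-whitelist pattern (constructed; port and list name
# are placeholders). Known players refresh their entry and pass; the rest is
# dropped. The site-specific admission rule that --set's a player onto the
# list is omitted. With --reap, entries idle longer than --seconds are
# deleted from /proc/net/xt_recent/players instead of lingering until the
# table is full. $1 is "yes" to emit --reap.
whitelist_rules() {
    reap=""
    [ "$1" = "yes" ] && reap=" --reap"
    printf '%s\n' \
      "iptables -A INPUT -p udp --dport 27960 -m recent --name players --update --seconds 300${reap} -j ACCEPT" \
      "iptables -A INPUT -p udp --dport 27960 -j DROP"
}

# Stand-alone use: print the ruleset this host can actually honour.
if kernel_reap_ok && userspace_reap_ok; then
    whitelist_rules yes
else
    echo "# --reap unusable here (kernel $(uname -r)); emitting rules without it" >&2
    whitelist_rules no
fi
```

Rebuilding iptables alone, as the post describes, only changes what userspace_reap_ok reports; kernel_reap_ok is the half that decides whether stale entries are actually retired.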

Post by TrevorH » 2012/04/24 16:36:57

The ELRepo has a kernel-ml repo that has updated mainline kernel packages for CentOS 6 that may contain this.

Post by drboyd » 2012/04/24 18:49:45

Thanks Trevor, I'll check it out (pun intended).

:-D