iptables xt_recent kernel module with --reap support

iptables xt_recent kernel module with --reap support

Postby drboyd » 2012/04/23 19:30:14

I've noticed that it appears the CentOS 6.2 kernel does not support the xt_recent --reap capability.

It's very strange, as Ubuntu Server 10.10 even had it, and that was quite a while ago.

Does anyone know when CentOS is going to get a kernel update to support a modern xt_recent kernel module?
drboyd
 
Posts: 3
Joined: 2012/04/23 19:25:14

iptables xt_recent kernel module with --reap support

Postby jlehtone » 2012/04/23 20:15:21

Ubuntu 10.10 changelogs say:
2010-03-04 - Tim Gardner
iptables (1.4.4-2ubuntu2) lucid; urgency=low
* Added support for the xt_recent filter --reap switch.
This feature should appear in the 1.4.8 upstream release.

The iptables of CentOS 6.2 is formally version 1.4.7, and TUV follows its own backport policies.

For comparison, the manpage of Fedora 15 (iptables-1.4.10) does not mention --reap either (F15 is now old though).

A recent Ubuntu bug claims lack of --reap as well. :lol:


We do know that CentOS does get kernel feature updates if and when TUV does so.
jlehtone
 
Posts: 1431
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables xt_recent kernel module with --reap support

Postby drboyd » 2012/04/24 14:39:28

Thanks for the quick response!

Just an FYI: Ubuntu Server 10.10 has iptables 1.4.4, and --reap works. Ubuntu Server 11.10 has iptables 1.4.10, and --reap works. I use both of those distributions for game servers, and want to switch them to CentOS 6.2.

However, the iptables rules I use to protect some of the older q3-protocol Linux servers just flat out won't work with CentOS 6.2. Not having the --reap option breaks retirement in dynamic whitelisting of players.

CentOS 6.2 is newer (12.11) than either of those distributions. It's just frustrating to be using a feature that's been in Ubuntu so long and find out that it's not in the latest release of CentOS.

I even recompiled and installed the latest iptables (1.4.13) from www.netfilter.org. The end result was that iptables no longer barked about the --reap option, but it just didn't work. It wasn't until I did some further digging that I realized it has to be in the xt_recent kernel module too, and that all I did was make the iptables program not complain about a feature that isn't there.

I guess the only thing to do is to try to rebuild the xt_recent kernel module myself to get --reap? I really would like to use CentOS 6.2 instead of Ubuntu Server, but at this point I just can't.

Thanks,

Boyd
drboyd
 
Posts: 3
Joined: 2012/04/23 19:25:14
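
As an added example (not drboyd's rule set or anything posted in the thread): a shell sketch of the dynamic whitelisting pattern described in the post above, with the --reap form beside the fallback for a kernel that lacks it. The game port, chain and list names, timeout and rate-limit values are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Dynamic whitelisting of game clients
# with xt_recent. Assumed values: UDP port 27960 (Quake 3 default), list name
# "players", 300 s idle timeout, chain GAME, rate-limited admission of new
# clients. IPT defaults to "echo", so the script only prints the rules; run
# it with IPT=iptables as root to apply them.
IPT=${IPT:-echo}

# Print the rules for one game port.
#   $1 = UDP port, $2 = idle seconds, $3 = "reap" when the kernel's xt_recent
#   accepts --reap, anything else otherwise.
game_whitelist_rules() {
    port=$1; idle=$2; reap=""
    if [ "$3" = reap ]; then reap=" --reap"; fi
    $IPT -N GAME
    # Known players: refresh their timestamp and accept. With --seconds an
    # entry idle longer than $idle stops matching, so the player is retired
    # either way; --reap additionally deletes such entries from the table.
    $IPT -A GAME -m recent --name players --update --seconds "$idle"$reap -j ACCEPT
    # Newcomers are admitted at a limited rate and then added to the list.
    $IPT -A GAME -m limit --limit 10/s --limit-burst 20 \
         -m recent --name players --set -j ACCEPT
    $IPT -A GAME -j DROP
    $IPT -A INPUT -p udp --dport "$port" -j GAME
}

# Without --reap, stale entries stay in the table until it holds ip_list_tot
# addresses (module default 100); then the least recently seen one is evicted.
# Raise the limit at module load if many players churn through:
#   modprobe xt_recent ip_list_tot=1000
# The list can also be inspected and emptied by hand:
#   cat /proc/net/xt_recent/players
#   echo / > /proc/net/xt_recent/players

# The iptables binary accepting --reap proves nothing about the kernel (the
# point drboyd ran into); inserting a real rule into a scratch chain lets the
# module validate it. Returns 0 when the --reap rule is accepted.
kernel_supports_reap() {
    iptables -N REAPTEST 2>/dev/null || return 1
    iptables -A REAPTEST -m recent --name reaptest --rcheck --seconds 1 --reap \
        -j RETURN 2>/dev/null
    rc=$?
    iptables -F REAPTEST 2>/dev/null; iptables -X REAPTEST 2>/dev/null
    return $rc
}

if kernel_supports_reap; then mode=reap; else mode=noreap; fi
game_whitelist_rules 27960 300 "$mode"
```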

Re: iptables xt_recent kernel module with --reap support

Postby TrevorH » 2012/04/24 16:36:57

ELRepo has a kernel-ml repo that has updated mainline kernel packages for CentOS 6 that may contain this.
TrevorH
Forum Moderator
 
Posts: 9103
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables xt_recent kernel module with --reap support

Postby drboyd » 2012/04/24 18:49:45

Thanks Trevor, I'll check it out (pun intended).

:-D
drboyd
 
Posts: 3
Joined: 2012/04/23 19:25:14
