diff --git a/SOURCES/0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch b/SOURCES/0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch
new file mode 100644
index 0000000..81b2c3a
--- /dev/null
+++ b/SOURCES/0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch
@@ -0,0 +1,47 @@
+From 41660ba1faea8b7ebd71e94c70ef175a75ab91cc Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 8 Nov 2021 17:03:21 +0100
+Subject: [PATCH] extensions: hashlimit: Fix tests with HZ=1000
+
+In an attempt to fix for failing hashlimit tests with HZ=100, the
+expected failures were changed so they are expected to pass and the
+parameters changed to seemingly fix them. Yet while the new parameters
+worked on HZ=100 systems, with higher tick rates they didn't so the
+observed problem moved from the test failing on HZ=100 to failing on
+HZ=1000 instead.
+
+Kernel's error message "try lower: 864000000/5" turned out to be a red
+herring: The burst value does not act as a dividor but a multiplier
+instead, so in order to lower the overflow-checked value, a lower burst
+value must be chosen. Inded, using a burst value of 1 makes the kernel
+accept the rule in both HZ=100 and HZ=1000 configurations.
+
+Fixes: bef9dc575625a ("extensions: hashlimit: Fix tests with HZ=100")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 1eab8e83aec0e6965f11f8cad460add1caeae629)
+---
+ extensions/libxt_hashlimit.t | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t
+index 8369933786f68..206d92935f2e2 100644
+--- a/extensions/libxt_hashlimit.t
++++ b/extensions/libxt_hashlimit.t
+@@ -3,12 +3,12 @@
+ -m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+--m hashlimit --hashlimit-above 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
++-m hashlimit --hashlimit-above 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
++-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+--
+2.33.0
+
diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
index 58df10b..85be0bd 100644
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
@@ -17,7 +17,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.4
-Release: 21%{?dist}
+Release: 22%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -95,6 +95,7 @@ Patch58: 0058-nft-cache-Retry-if-kernel-returns-EINTR.patch
 Patch59: 0059-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
 Patch60: 0060-ebtables-Dump-atomic-waste.patch
 Patch61: 0061-extensions-hashlimit-Fix-tests-with-HZ-100.patch
+Patch62: 0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -503,6 +504,9 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 %changelog
+* Mon Nov 29 2021 Phil Sutter - 1.8.4-22
+- extensions: hashlimit: Fix tests with HZ=1000
+
 * Thu Oct 07 2021 Phil Sutter - 1.8.4-21
 - extensions: hashlimit: Fix tests with HZ=100
 - ebtables: Dump atomic waste
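Review bot: The two `1/day` cases in extensions/libxt_hashlimit.t now pass only because of `--hashlimit-burst 1`, but nothing in the test file records why, so a later cleanup that aligns them with the neighbouring `--hashlimit-burst 5` lines would bring back the HZ-dependent failure. Per the commit message, burst multiplies the value the kernel overflow-checks, so I would put a comment line above each of the two cases, assuming the .t format skips `#` lines: `# burst multiplies the kernel's overflow-checked value; 1/day is only accepted with burst 1 on both HZ=100 and HZ=1000`. The rejection path for a too-large burst is also left without an expectation here, which seems unavoidable while the limit varies with HZ.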