[cod] Updating iptables if you don't have the --reap option of the recent module

Boyd G. Gafford Ph.D. drboyd at westportresearch.com
Mon Apr 23 11:09:43 EDT 2012


After a bit more research on Centos 6.2, it turns out that (for this 
distribution) the --reap option *is not in the kernel*. What that 
means is that even if you update iptables to 1.4.13 as described 
below, all you will end up with is the iptables module no longer 
complaining about the --reap option, but due to the kernel, the --reap 
option NOT working.

If you do a "listgame.sh" on the server rules, if you are running Centos 
6.2 you will notice that players that are no longer collected stay in 
the list until the game rules are reset with a "unprotectgame.sh" 
followed by a "protectgame.sh", or when the server is physically 
rebooted.  With the standard Centos 6.2 kernel there is no other 
option.  That's what the --reap parameter did for you, and that is 
expire the whitelisted players after they have quit playing on the 
server for a while.

It's interesting to note that Centos 6.2 uses the 2.6.32-220 kernel, 
while Ubuntu 10.10 server uses 2.6.32-305.  Ubuntu Server 10.10 does 
indeed work properly with --reap, so my guess is that Centos is just way 
behind in its kernel updates.

The solution for those of you using Centos 6.2 is at some time (perhaps 
overnight) run the script to unprotect the game server, followed by the 
script to re-protect it to clear the whitelisted players.  Just make 
sure that is done when nobody is currently playing on the server, or 
when you re-protect the server everyone will lag out and have to reconnect.

For anyone who updates their kernel successfully so --reap works, forward 
along the steps you took so everyone else can benefit.  At this point 
I'm not going to try it myself due to time constraints.

Thanks,

Boyd
__________________________________
Boyd G. Gafford Ph.D.
Manager of Software Development
Westport Research Associates Inc.
7001 Blue Ridge Blvd
Raytown, MO 64133
(816) 358-8990
drboyd at westportresearch.com

On 04/20/2012 09:40 AM, Boyd G. Gafford Ph.D. wrote:
> Just a note about using the protection scripts under some Linux 
> distributions (especially older ones).  The protection scripts use the 
> recent iptables module with the --reap parameter in order to expire 
> whitelisted players that have quit playing on the server.  You really 
> need this in order for the scripts to work.
>
> Escaped Turkey first reported this with Centos 6.2, so I installed 
> this distribution on a VPS and verified it.  If you are using another 
> flavor of Linux, you can check to see if the --reap parameter is 
> already supported by doing a:
>
> man iptables
>
> followed by
>
> /--reap[enter]
>
> If you see "pattern not found", then you don't have an iptables that 
> supports the --reap option, and need to update your iptables.  If your 
> cursor lands on the option, then you are already good to go.
>
> *In the case of most older Linux distributions, try updating them via 
> the normal update process for the distribution first.  This usually 
> gets you a newer iptables from the distribution's repository, which 
> works nearly all of the time.*
>
> However Centos 6.2 is a recent distribution, but for some reason 
> --reap doesn't work.  So the best option is to update iptables to the 
> latest.  Here's how I did it (from root).  First off, if you don't 
> have gcc or make installed, you need to do that first:
>
> # yum install gcc
> # yum install make
>
> Now just do the following, which downloads the latest iptables source, 
> builds it and makes it active.
>
> # cd /root
> # wget www.netfilter.org/projects/iptables/files/iptables-1.4.13.tar.bz2
> # tar -jxvf iptables-1.4.13.tar.bz2
> # cd iptables-1.4.13
> # ./configure
> # make
> # make install
> # cp /usr/local/sbin/xtables-multi /sbin/iptables-multi
>
> And you are done!  Now your iptables module is updated to 1.4.13, 
> complete with --reap option for the dynamic expiration of whitelisted 
> players.
>
> And of course the process here is very similar if you have other 
> distributions.
>
> Good luck,
>
> Boyd
>
> __________________________________
> Boyd G. Gafford Ph.D.
> Manager of Software Development
> Westport Research Associates Inc.
> 7001 Blue Ridge Blvd
> Raytown, MO 64133
> (816) 358-8990
> drboyd at westportresearch.com
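
A pre-check for the overnight unprotect/re-protect reset described in the top message, as an added example that is not part of the original posts or of the protection scripts: it reads an xt_recent list dump and reports whether any whitelisted address was seen recently. The current jiffies value, the kernel HZ, the 60-second idle window and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify xt_recent entries as active or stale by last_seen age.
# Input is the per-list dump the recent match exposes under /proc/net/xt_recent/:
#   src=IP ttl: N last_seen: JIFFIES oldest_pkt: N JIFFIES, JIFFIES, ...
# Assumptions (not from the original post): the caller supplies the current
# jiffies value and the kernel HZ, and the kernel is 64-bit so jiffies do not
# wrap. The sample list below is constructed.

# classify NOW_JIFFIES HZ MAX_IDLE_SECONDS   (list dump on stdin)
# Prints "active IP idle_seconds" or "stale IP idle_seconds" for each entry.
classify() {
    awk -v now="$1" -v hz="$2" -v max="$3" '
    /^src=/ {
        ip = substr($1, 5)                      # strip the "src=" prefix
        seen = ""
        for (i = 2; i < NF; i++)
            if ($i == "last_seen:") { seen = $(i + 1); break }
        if (seen == "") next                    # skip malformed lines
        idle = int((now - seen) / hz)           # jiffies -> seconds
        printf "%s %s %d\n", (idle > max ? "stale" : "active"), ip, idle
    }'
}

# safe_to_reset NOW_JIFFIES HZ MAX_IDLE_SECONDS   (list dump on stdin)
# Succeeds only when no entry is still active, i.e. nobody would lag out.
safe_to_reset() {
    [ "$(classify "$@" | grep -c '^active ')" -eq 0 ]
}

# Constructed sample: one address seen 30 s ago, two long gone.
sample_list() {
cat <<'EOF'
src=192.0.2.10 ttl: 118 last_seen: 4301000000 oldest_pkt: 2 4300990000, 4301000000
src=198.51.100.7 ttl: 55 last_seen: 4297400000 oldest_pkt: 1 4297400000
src=203.0.113.25 ttl: 120 last_seen: 4300940000 oldest_pkt: 1 4300940000
EOF
}

# Demo: now = 4301030000 jiffies, HZ = 1000, idle > 60 s counts as stale.
sample_list | classify 4301030000 1000 60
if sample_list | safe_to_reset 4301030000 1000 60; then
    echo "no active players: reset can run"
else
    echo "players still active: postpone reset"
fi
```

The stale lines are the entries a working --reap would have expired; on a live server the sample would be replaced by the list file for whatever list name the protection rules use.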