1. 25 Mar, 2008 19 commits
  2. 20 Mar, 2008 1 commit
      [NETFILTER]: ipt_recent: sanity check hit count · d0ebf133
      Daniel Hokka Zakrisson authored
      
      
      If a rule using ipt_recent is created with a hit count greater than
      ip_pkt_list_tot, the rule will never match as it cannot keep track
      of enough timestamps. This patch makes ipt_recent refuse to create such
      rules.
      
      With ip_pkt_list_tot's default value of 20, the following can be used
      to reproduce the problem.
      
      nc -u -l 0.0.0.0 1234 &
      for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done
      
      This limits it to 20 packets:
      iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
               --rsource
      iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
               60 --hitcount 20 --name test --rsource -j DROP
      
      While this is unlimited:
      iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
               --rsource
      iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
               60 --hitcount 21 --name test --rsource -j DROP
      
      With the patch the second rule-set will throw an EINVAL.
      Reported-by: Sean Kennedy <skennedy@vcn.com>
      Signed-off-by: Daniel Hokka Zakrisson <daniel@hozac.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
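To show why a hit count above ip_pkt_list_tot can never fire, here is an added C simulation of the per-source timestamp ring that ipt_recent keeps (example code written for this page, not the kernel's own ipt_recent.c). It assumes the module default of 20 slots and a simplified match path: every packet passes the --set rule and is then checked by the --hitcount rule, with a constructed clock ticking one second per packet.

```c
/* Added simulation of ipt_recent's per-address timestamp ring; not the kernel code. */
#include <stdbool.h>
#include <errno.h>
#define IP_PKT_LIST_TOT 20            /* module default named in the commit message */
struct recent_entry {
    unsigned long stamps[IP_PKT_LIST_TOT]; /* ring of last-seen times, oldest overwritten */
    unsigned int index;                    /* next slot to write */
    unsigned int nstamps;                  /* slots in use, never exceeds IP_PKT_LIST_TOT */
};
/* The sanity check the commit adds: a hit count above the ring size can never be met. */
int recent_checkentry(unsigned int hit_count)
{
    return hit_count > IP_PKT_LIST_TOT ? -EINVAL : 0;
}

/* --set / --update: record the packet time, overwriting the oldest slot when full. */
void recent_update(struct recent_entry *e, unsigned long now)
{
    e->stamps[e->index++] = now;
    if (e->index > e->nstamps)
        e->nstamps = e->index;
    e->index %= IP_PKT_LIST_TOT;
}

/* --seconds N --hitcount H: match when H or more stamps fall inside the window. */
bool recent_match(const struct recent_entry *e, unsigned long now,
                  unsigned long seconds, unsigned int hit_count)
{
    unsigned int hits = 0;
    for (unsigned int i = 0; i < e->nstamps; i++) {
        if (now - e->stamps[i] > seconds)
            continue;                /* stamp too old for this window */
        if (++hits >= hit_count)
            return true;             /* at most nstamps hits are ever possible */
    }
    return false;
}

/* Constructed burst: n packets one second apart from one source; returns how many matched. */
unsigned int run_burst(unsigned int n, unsigned int hit_count)
{
    struct recent_entry e = {0};
    unsigned int matched = 0;
    for (unsigned int i = 0; i < n; i++) {
        unsigned long now = 1000 + i;   /* constructed clock, in seconds */
        recent_update(&e, now);         /* the --set rule */
        if (recent_match(&e, now, 60, hit_count))
            matched++;                  /* the --update --hitcount rule (-j DROP) */
    }
    return matched;
}
```

With 100 packets, --hitcount 20 drops everything from the 20th packet on, while --hitcount 21 drops nothing and is rejected up front by the added check.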
  3. 05 Mar, 2008 2 commits
  4. 03 Mar, 2008 1 commit
  5. 29 Feb, 2008 1 commit
  6. 28 Feb, 2008 1 commit
  7. 19 Feb, 2008 2 commits
  8. 07 Feb, 2008 1 commit
  9. 31 Jan, 2008 12 commits