Re: [NETFILTER 02/02]: ipt_recent: sanity check hit count

From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Thu, 20 Mar 2008 18:55:19 +0100

> [NETFILTER]: ipt_recent: sanity check hit count
> 
> If a rule using ipt_recent is created with a hit count greater than
> ip_pkt_list_tot, the rule will never match as it cannot keep track
> of enough timestamps. This patch makes ipt_recent refuse to create such
> rules.
> 
> With ip_pkt_list_tot's default value of 20, the following can be used
> to reproduce the problem.
> 
> nc -u -l 0.0.0.0 1234 &
> for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done
> 
> This limits it to 20 packets:
> iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
>          --rsource
> iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
>          60 --hitcount 20 --name test --rsource -j DROP
> 
> While this is unlimited:
> iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
>          --rsource
> iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
>          60 --hitcount 21 --name test --rsource -j DROP
> 
> With the patch the second rule-set will throw an EINVAL.
> 
> Reported-by: Sean Kennedy <skennedy@xxxxxxx>
> Signed-off-by: Daniel Hokka Zakrisson <daniel@xxxxxxxxx>
> Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>

Also applied, thanks.