Thomas Jarosch wrote:
> On Tuesday, 23. February 2010 14:59:46 Patrick McHardy wrote:
>
>> Tim Gardner wrote:
>>
>>> From 146111514a8c126268e848e45b7dd967329b072f Mon Sep 17 00:00:00 2001
>>>
>>> From: Tim Gardner <tim.gardner@xxxxxxxxxxxxx>
>>> Date: Thu, 18 Feb 2010 20:33:00 -0700
>>> Subject: [PATCH] xt_recent: Fix false match.
>>>
>>> A rule with a zero hit_count will always match.
>>>
>> Also applied, thanks Tim.
>>
>
> I just updated from kernel 2.6.32.9 to kernel 2.6.32.10 which contains
> the xt_recent "zero hit_count will always match" fix.
>
> After that xt_recent stopped working for this scenario:
>
> iptables -A INPUT -m recent --rcheck --rdest --name INET_IP -j LOG
> echo "+1.2.3.4" >/proc/net/xt_recent/INET_IP
>
> The IP address 1.2.3.4 represents the current IP of my dial-up connection.
>
> If I change "--rcheck" to "--update", it works again.
> Reverting the patch fixes the issue.
>
> Maybe this is related to the xt_recent proc interface creating the entry
> (with a zero hit count)?

Mhh, looking at that patch again, I think it should actually do:

if (!info->hit_count || ++hits >= info->hit_count)

... since a hit_count of 0 implies that the user just wants to check for the
presence of the entry.

Thomas, could you give that a try?
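The two predicates discussed in this thread differ only when hit_count is 0, and the model below shows why that difference decides Thomas's --rcheck scenario. This is an added stand-alone example, not the kernel's xt_recent.c or anything from the thread: struct recent_entry, struct recent_info, recent_scan() and the scenario functions are constructed stand-ins for the match state, the rule options and the stamp-scan loop, with timestamps kept in plain seconds instead of jiffies.

```c
#include <stddef.h>

/* Constructed stand-in for one xt_recent table entry: the timestamps (in
 * seconds, not jiffies) of the packets seen from one address. */
#define MAX_STAMPS 8
struct recent_entry {
    unsigned int nstamps;
    unsigned long stamps[MAX_STAMPS];
};

/* Constructed stand-in for the rule options: --seconds and --hitcount.
 * A value of 0 means the option was not given on the iptables line. */
struct recent_info {
    unsigned long seconds;
    unsigned int hit_count;
};

/* Walk the entry's stamps the way the match does: skip stamps older than the
 * --seconds window, count the rest, and decide with one of the two predicates
 * from the thread. Returns 1 when the rule matches, 0 otherwise. */
static int recent_scan(const struct recent_entry *e, const struct recent_info *info,
                       unsigned long now, int use_presence_predicate)
{
    unsigned int hits = 0;

    for (unsigned int i = 0; i < e->nstamps; i++) {
        /* Stamp outside the --seconds window: ignore it. */
        if (info->seconds && now > e->stamps[i] + info->seconds)
            continue;

        if (use_presence_predicate) {
            /* Patrick's proposal: hit_count 0 means "is the address present at
             * all", otherwise wait for the hit_count-th stamp in the window. */
            if (!info->hit_count || ++hits >= info->hit_count)
                return 1;
        } else {
            /* Predicate as of the 2.6.32.10 patch: with hit_count 0 the
             * short-circuit never lets a stamp count, so nothing matches. */
            if (info->hit_count && ++hits >= info->hit_count)
                return 1;
        }
    }
    return 0;
}

/* Thomas's scenario: the entry is created via /proc with a single stamp, and
 * the rule uses --rcheck without --seconds or --hitcount. */
int scenario_proc_entry_rcheck(int use_presence_predicate)
{
    struct recent_entry e = { .nstamps = 1, .stamps = { 1000 } };   /* constructed */
    struct recent_info info = { .seconds = 0, .hit_count = 0 };
    return recent_scan(&e, &info, 1005, use_presence_predicate);
}

/* Control case: with --hitcount 2 the two predicates behave identically, so
 * the change only affects rules that leave --hitcount unset. */
int scenario_hitcount_two(int use_presence_predicate, unsigned int stamps_in_window)
{
    struct recent_entry e = { .nstamps = 0 };
    struct recent_info info = { .seconds = 60, .hit_count = 2 };
    unsigned long now = 1000;

    /* Constructed history: 'stamps_in_window' recent packets plus one stale one. */
    e.stamps[e.nstamps++] = 100;            /* older than 60 s, must be ignored */
    for (unsigned int i = 0; i < stamps_in_window && e.nstamps < MAX_STAMPS; i++)
        e.stamps[e.nstamps++] = now - 10 - i;

    return recent_scan(&e, &info, now, use_presence_predicate);
}
```

Running scenario_proc_entry_rcheck() with the 2.6.32.10 predicate returns 0, reproducing the report that the LOG rule stopped firing; with the presence predicate it returns 1. The control case shows that any rule with an explicit --hitcount is unaffected either way.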