On 03/19/2010 09:41 AM, Patrick McHardy wrote:
> Thomas Jarosch wrote:
>> On Tuesday, 23. February 2010 14:59:46 Patrick McHardy wrote:
>>> Tim Gardner wrote:
>>>> From 146111514a8c126268e848e45b7dd967329b072f Mon Sep 17 00:00:00 2001
>>>> From: Tim Gardner <tim.gardner@xxxxxxxxxxxxx>
>>>> Date: Thu, 18 Feb 2010 20:33:00 -0700
>>>> Subject: [PATCH] xt_recent: Fix false match.
>>>>
>>>> A rule with a zero hit_count will always match.
>>>
>>> Also applied, thanks Tim.
>>
>> I just updated from kernel 2.6.32.9 to kernel 2.6.32.10 which contains
>> the xt_recent "zero hit_count will always match" fix.
>>
>> After that xt_recent stopped working for this scenario:
>>
>> iptables -A INPUT -m recent --rcheck --rdest --name INET_IP -j LOG
>> echo "+1.2.3.4" > /proc/net/xt_recent/INET_IP
>>
>> The IP address 1.2.3.4 represents the current IP of my dial-up connection.
>> If I change "--rcheck" to "--update", it works again.
>> Reverting the patch fixes the issue.
>>
>> Maybe this is related to the xt_recent proc interface creating the entry
>> (with a zero hit count)?
>
> Mhh, looking at that patch again, I think it should actually do:
>
> if (!info->hit_count || ++hits >= info->hit_count)
> ...
>
> since a hit_count of 0 implies that the user just wants to check for the
> presence of the entry. Thomas, could you give that a try?
I think you're right. It's kind of a subtle exit condition.
rtg
--
Tim Gardner timg@xxxxxxx www.tpi.com
OR 503-601-0234 x102 MT 406-443-5357
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
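As an added illustration that is not part of the thread: a constructed C model of the --rcheck matching loop that compares the pre-fix condition, the condition assumed for the 2.6.32.10 patch (inferred from Patrick's correction) and Patrick's proposed condition for the scenario Thomas describes. The struct layouts, the time unit and the assumption that a proc-created entry carries one timestamp are mine, not the kernel's.

```c
/* Constructed model of the xt_recent --rcheck hit-counting loop (not the kernel's
 * code: entry layout, time unit and the proc-created entry are simplified).
 * Inner-condition variants from the thread: ORIG "++hits >= hit_count", FIX_32_10
 * "hit_count && ++hits >= hit_count" (assumed), PROPOSED "!hit_count || ++hits >= hit_count". */
#include <stdbool.h>
#include <stddef.h>
struct recent_entry {            /* one address in /proc/net/xt_recent/<name> */
    unsigned long stamps[8];
    size_t nstamps;
};
struct recent_info {             /* the rule's --seconds and --hitcount */
    unsigned long seconds;       /* 0: no time window */
    unsigned int hit_count;      /* 0: no --hitcount given, presence check only */
};
enum variant { ORIG, FIX_32_10, PROPOSED };

/* Returns whether the rule matches; 'now' uses the stamps' unit and a NULL
 * entry means the address is not in the table. */
bool recent_rcheck(const struct recent_entry *e, const struct recent_info *info,
                   unsigned long now, enum variant v)
{
    unsigned int hits = 0;
    if (!e) return false;
    for (size_t i = 0; i < e->nstamps; i++) {
        if (info->seconds && now - e->stamps[i] > info->seconds)
            continue;            /* stale stamp: does not count towards --hitcount */
        switch (v) {
        case ORIG:      if (++hits >= info->hit_count) return true; break;
        case FIX_32_10: if (info->hit_count && ++hits >= info->hit_count) return true; break;
        case PROPOSED:  if (!info->hit_count || ++hits >= info->hit_count) return true; break;
        }
    }
    return false;
}

/* Thomas's scenario: entry created with "echo +addr", rule "--rcheck" without
 * --hitcount. Assumption: a proc-created entry carries one stamp (creation time). */
bool thread_scenario(enum variant v)
{
    struct recent_entry e = { .stamps = { 1000 }, .nstamps = 1 };
    struct recent_info rule = { .seconds = 0, .hit_count = 0 };
    return recent_rcheck(&e, &rule, 1005, v);
}
/* "--seconds 10 --hitcount 2": one stale and two fresh stamps, all variants agree. */
bool hitcount_scenario(enum variant v)
{
    struct recent_entry e = { .stamps = { 900, 1001, 1004 }, .nstamps = 3 };
    struct recent_info rule = { .seconds = 10, .hit_count = 2 };
    return recent_rcheck(&e, &rule, 1005, v);
}
```

Only FIX_32_10 returns false for the zero hit_count scenario, which is the regression Thomas reports; once --hitcount is non-zero the three conditions behave identically.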