*
* @rule
*/
-static void update_rule_timer(struct xt_pknock_rule *rule)
+static void update_rule_gc_timer(struct xt_pknock_rule *rule)
{
if (timer_pending(&rule->timer))
del_timer(&rule->timer);
* @return: 1 time exceeded, 0 still valid
*/
static inline bool
-is_time_exceeded(const struct peer *peer, unsigned int max_time)
+is_interknock_time_exceeded(const struct peer *peer, unsigned int max_time)
{
return peer != NULL && time_after(jiffies / HZ,
peer->timestamp + max_time);
}
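Review bot: The renamed is_interknock_time_exceeded() keeps the old `@return: 1 time exceeded, 0 still valid` wording although the function returns bool, while the update_peer() comment in the same commit was switched to `Returns true ... false ...`; the two should agree. Suggested line: ` * @return: true if the inter-knock time has passed, false while the peer is still valid`. It would also help to state the unit, since the comparison is done in seconds (`jiffies / HZ`) and max_time is added to peer->timestamp on that scale, e.g. ` * @max_time: maximum allowed seconds since the last knock`. The comment block starts outside the hunk.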
/**
- * Garbage collector. It removes the old entries after timer has expired.
+ * Garbage collector. It removes the old entries after tis timers have expired.
*
* @r: rule
*/
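Review bot: The rewritten comment line has a typo, `tis timers`; the intended word looks like `its` or `their`. Suggested: ` * Garbage collector. It removes the old entries after their timers have expired.`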
peer = list_entry(pos, struct peer, head);
if ((!has_logged_during_this_minute(peer) &&
- is_time_exceeded(peer, rule->max_time)) ||
+ is_interknock_time_exceeded(peer, rule->max_time)) ||
(peer->status == ST_ALLOWED &&
autoclose_time_passed(peer, rule->autoclose_time)))
{
/* The peer can't log more than once during the same minute. */
if (has_logged_during_this_minute(peer)) {
- pk_debug("BLOCKED", peer);
+ pk_debug("DENIED (anti-spoof protection)", peer);
return false;
}
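Review bot: The new debug string `DENIED (anti-spoof protection)` may be read by an administrator as a spoof detection, but the surrounding comment and has_logged_during_this_minute() describe a one-knock-per-minute limit per peer, which rate-limits replay or brute-force attempts rather than verifying the source address. A message that names the actual rule would be less misleading in logs, e.g. `pk_debug("DENIED (only one knock per minute allowed)", peer);`. The enclosing function starts and ends outside the hunk.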
/* Check for OPEN secret */
#endif /* PK_CRYPTO */
/**
- * It updates the peer matching status.
+ * Validates the peer and updates the peer status for an initiating or
+ * in-sequence knock packet.
*
* @peer
* @info
* @rule
* @hdr
- * @return: 1 if allowed, 0 otherwise
+ *
+ * Returns true if allowed, false otherwise.
*/
static bool
update_peer(struct peer *peer, const struct xt_pknock_mtinfo *info,
return false;
}
- /* Just update the timer when there is a state change. */
- update_rule_timer(rule);
+ /* Update the gc timer when there is a state change. */
+ update_rule_gc_timer(rule);
++peer->accepted_knock_count;
return true;
}
- /* Controls the max matching time between ports. */
+ /* Immediate control over the maximum time between knocks. */
if (info->option & XT_PKNOCK_TIME) {
time = jiffies/HZ;
- if (is_time_exceeded(peer, info->max_time)) {
- pk_debug("TIME EXCEEDED", peer);
- pk_debug("DESTROYED", peer);
+ if (is_interknock_time_exceeded(peer, info->max_time)) {
+ pk_debug("ST_MATCHING knock received after interknock "
+ "time passed => destroyed", peer);
pr_debug("max_time: %ld - time: %ld\n",
peer->timestamp + info->max_time,
time);
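Review bot: The pr_debug() that follows the rewritten pk_debug() call prints `peer->timestamp + info->max_time` and `time` with `%ld`, but `time` is assigned `jiffies/HZ` two lines above, which is unsigned long; if `time` and `peer->timestamp` are declared unsigned long (not visible here, please confirm), `%lu` is the matching specifier and `-Wformat` would flag the current one: `pr_debug("max_time: %lu - time: %lu\n",`. The split string literal in the new pk_debug() is fine but note the trailing space inside `"interknock "` is what separates the two words. The enclosing function starts and ends outside the hunk.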
info->close_secret_len, peer->ip,
payload, payload_len))
{
- pk_debug("RESET", peer);
+ pk_debug("BLOCKED", peer);
return true;
}
return false;