pknock: check interknock time only for !ST_ALLOWED peers
authorJan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Sun, 11 Oct 2009 22:01:35 +0000 (00:01 +0200)
committerJan Engelhardt <jengelh@medozas.de>
Mon, 12 Oct 2009 15:21:32 +0000 (17:21 +0200)
Fixes a bug whereby an ST_ALLOWED peer existing for a time greater
than gc_expir_time would be gc-deleted, because both
!has_logged_during_this_minute(peer) and
is_interknock_time_exceeded(peer, rule->max_time) would be satisfied
for ST_ALLOWED hosts.

We also no longer test for !has_logged_during_this_minute(peer) in
peer_gc(), since there is really no need for this: the anti-spoof
minute check is performed (and subsequent remove_peer(peer) called if
needed) for each passing UDP-mode peer with expired autoclose in
pknock_mt(), given that --autoclose has been specified. If autoclose
has not been set, it will be subject to reset_knock_status(peer)
called from knock_mt() upon receiving the first closing secret - so it
is still guaranteed to disappear at the closest opportunity.

Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
extensions/pknock/xt_pknock.c

index e8dd654525c65a7477d2a3117114bc3543b4156b..50789e57d088f85fc215acf33a020a0a72eaa42f 100644 (file)
@@ -376,15 +376,20 @@ peer_gc(unsigned long r)
        struct peer *peer;
        struct list_head *pos, *n;
 
+       pr_debug("(S) running %s\n", __func__);
        hashtable_for_each_safe(pos, n, rule->peer_head, peer_hashsize, i) {
                peer = list_entry(pos, struct peer, head);
 
-               if ((!has_logged_during_this_minute(peer) &&
+               /*
+                * Remove any peer whose (inter-knock) max_time
+                * or autoclose_time passed.
+                */
+               if ((peer->status != ST_ALLOWED &&
                    is_interknock_time_exceeded(peer, rule->max_time)) ||
                    (peer->status == ST_ALLOWED &&
                    autoclose_time_passed(peer, rule->autoclose_time)))
                {
-                       pk_debug("DESTROYED", peer);
+                       pk_debug("GC-DELETED", peer);
                        list_del(pos);
                        kfree(peer);
                }
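Review bot: The comment inserted above the condition ("Remove any peer whose (inter-knock) max_time or autoclose_time passed") does not say that each timeout is tied to a peer status, which is precisely what this fix changes and what a later reader is most likely to undo by "simplifying" the condition back to a status-agnostic test. Suggest `/* Non-ALLOWED peers are reclaimed once the inter-knock max_time has passed; ST_ALLOWED peers only once autoclose_time has passed. */` so the asymmetry is documented next to the code. The commit message describes the bug in terms of gc_expir_time while the hunk compares against rule->max_time; if these name the same quantity, using one name in the description would avoid confusion, though that text lies outside the hunk. peer_gc() begins before this hunk and the hashtable_for_each_safe loop, and therefore the function, closes after it.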