From: Jan Rafaj Date: Tue, 1 Sep 2009 17:52:48 +0000 (+0200) Subject: pknock: disallow running peer_gc too early X-Git-Tag: v1.19~2^2~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0276b4875c51a9d401b14d075208cdb8d05956e;p=thirdparty%2Fxtables-addons.git pknock: disallow running peer_gc too early It is no longer possible to specify gc_expir_time with a time lower than its default value (65000 msecs). This is to avoid running peer_gc() earlier than 1 minute [well, 65 s actually] in the future, which would otherwise render anti-spoof protection in SPA mode non-functional. --- diff --git a/doc/changelog.txt b/doc/changelog.txt index dc96fa5..494818a 100644 --- a/doc/changelog.txt +++ b/doc/changelog.txt @@ -4,6 +4,8 @@ - added reworked xt_pknock module Changes from pknock v0.5: - pknock: "strict" and "checkip" flags were not displayed in `iptables -L` + - pknock: the GC expire time's lower bound is now the default gc time + (65000 msec) to avoid rendering anti-spoof protection in SPA mode useless Xtables-addons 1.18 (September 09 2009) diff --git a/extensions/xt_pknock.c b/extensions/xt_pknock.c index f805925..97ccec3 100644 --- a/extensions/xt_pknock.c +++ b/extensions/xt_pknock.c @@ -1104,6 +1104,8 @@ static struct xt_match xt_pknock_mt_reg __read_mostly = { static int __init xt_pknock_mt_init(void) { + if (gc_expir_time < DEFAULT_GC_EXPIRATION_TIME) + gc_expir_time = DEFAULT_GC_EXPIRATION_TIME; #ifdef PK_CRYPTO if (request_module(crypto.algo) < 0) { printk(KERN_ERR PKNOCK "request_module('%s') error.\n",
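Review bot: in the doc/changelog.txt hunk, the new entry states the lower bound but not what happens when a smaller gc_expir_time is given; since the accompanying xt_pknock.c change raises such a value to the default without any message, a short note such as "lower values are silently raised to 65000 msec" would spare users from wondering why their setting had no effect.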
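Review bot: in the extensions/xt_pknock.c hunk, the two added lines clamp gc_expir_time to DEFAULT_GC_EXPIRATION_TIME without telling the administrator that the supplied value was rejected, so a too-small value is silently replaced; consider either refusing to load with -EINVAL or at least logging it in the style of the printk() a few lines below, e.g. `printk(KERN_WARNING PKNOCK "gc_expir_time below %u, using default\n", DEFAULT_GC_EXPIRATION_TIME);`. Note also that the check lives only in xt_pknock_mt_init(), so it enforces the bound just for the value present at module load; if gc_expir_time is exposed as a writable module parameter, a later write would bypass this protection and re-open the anti-spoof weakness the commit message describes, so the same bound would need enforcing wherever the value is actually read.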