[PATCH] Recent match jiffies wrap mismatches

[PATCH] Recent match jiffies wrap mismatches

[Phil Oester]

[-- Attachment #1: Type: text/plain, Size: 778 bytes --]

Around jiffies wrap time (i.e. within first 5 mins after boot), recent match
rules which contain both --seconds and --hitcount arguments experience
false matches.

This is because the last_pkts array is filled with zeros on creation, and
when comparing 'now' to 0 (+ --seconds argument), time_before_eq thinks it
has found a hit.

Below patch adds a break if the packet value is zero.  This has the unfortunate
side effect of causing mismatches if a packet was received when jiffies really
was equal to zero.  The odds of that happening are slim compared to the
problems caused by not adding the break however.  Plus, the author used
this same method just below, so it is "good enough".

This fixes bugs #383 and #395.

Phil

Signed-off-by: Phil Oester <kernel@linuxace.com>




[-- Attachment #2: patch-recent --]
[-- Type: text/plain, Size: 663 bytes --]

diff -ru linux-orig/net/ipv4/netfilter/ipt_recent.c linux-new/net/ipv4/netfilter/ipt_recent.c
--- linux-orig/net/ipv4/netfilter/ipt_recent.c	2005-10-27 20:02:08.000000000 -0400
+++ linux-new/net/ipv4/netfilter/ipt_recent.c	2005-11-23 13:29:29.000000000 -0500
@@ -532,6 +532,7 @@
 			}
 			if(info->seconds && info->hit_count) {
 				for(pkt_count = 0, hits_found = 0; pkt_count < ip_pkt_list_tot; pkt_count++) {
+					if(r_list[location].last_pkts[pkt_count] == 0) break;
 					if(time_before_eq(now,r_list[location].last_pkts[pkt_count]+info->seconds*HZ)) hits_found++;
 				}
 				if(hits_found >= info->hit_count) ans = !info->invert; else ans = info->invert;