* hashlimit match errors and patches
@ 2005-02-04 20:40 Nikolai Malykh
2005-02-07 18:37 ` Harald Welte
0 siblings, 1 reply; 2+ messages in thread
From: Nikolai Malykh @ 2005-02-04 20:40 UTC
To: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 509 bytes --]
1. Incorrect parameter handling in libipt_hashlimit makes it impossible to
save a rule without error because --hashlimit-mode is saved as --mode
Patch for this error in attachment
2. Incorrect parameter in jhash_3words() - port numbers not hashed in result
3. Incorrect parameter value in hashlimit_match() - matching packet =
burst + 1 instead of burst
Patch for these errors in attachment
PS. Sorry for my English, it's not my native language.
--
Nikolai Malykh
nmalykh@ieee.org
phone +7 (812) 449 0770
ICQ UIN 30741141
[-- Attachment #2: libipt_hashlimit.patch --]
[-- Type: text/plain, Size: 973 bytes --]
--- /usr/src/iptables-1.3.0rc1/extensions/libipt_hashlimit.c 2005-01-04 13:38:34.000000000 +0300
+++ libipt_hashlimit.c 2005-01-24 21:23:50.000000000 +0300
@@ -7,6 +7,8 @@
* Based on ipt_limit.c by
* Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
* Hervé Eychenne <rv@wallfire.org>
+ *
+ * Error corections by nmalykh@bilim.com (22.01.2005)
*/
#include <stdio.h>
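Review bot: "corections" in the added header comment is misspelled ("corrections"), and a dated per-fix credit like this is better carried in the changelog entry than in the file's header block, which otherwise only lists the code this file is based on.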
@@ -294,7 +296,7 @@
fputs("dstip", stdout);
prevmode = 1;
}
- if (r->cfg.mode & IPT_HASHLIMIT_HASH_SPT) {
+ if (r->cfg.mode & IPT_HASHLIMIT_HASH_DPT) {
if (prevmode)
putchar(separator);
fputs("dstport", stdout);
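Review bot: the switch from IPT_HASHLIMIT_HASH_SPT to IPT_HASHLIMIT_HASH_DPT in the branch that prints "dstport" fixes a different bug from the --mode naming problem in item 1 of the mail and should be listed in the description, since before it a rule with the source-port flag set was printed as dstport. Worth confirming that the branch just above this hunk tests the SPT flag for the source-port case.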
@@ -334,8 +336,10 @@
if (r->cfg.burst != IPT_HASHLIMIT_BURST)
printf("--hashlimit-burst %u ", r->cfg.burst);
- fputs("--mode ", stdout);
+ fputs("--hashlimit-mode ", stdout);
print_mode(r, ',');
+
+ printf("--hashlimit-name %s ", r->name);
if (r->cfg.size)
printf("--hashlimit-htable-size %u ", r->cfg.size);
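Review bot: the added printf("--hashlimit-name %s ", r->name) writes the name unquoted, so a name containing whitespace would not survive a save and restore round trip; quote it here or make sure such names are rejected when the rule is parsed. Printing --hashlimit-name at all is also a second change that item 1 of the mail does not mention, so the description should cover it.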
[-- Attachment #3: ipt_hashlimit.patch --]
[-- Type: text/plain, Size: 2109 bytes --]
--- ipt_hashlimit.c 2004-12-25 00:34:57.000000000 +0300
+++ /usr/src/linux/net/ipv4/netfilter/ipt_hashlimit.c 2005-02-04 23:19:17.848878277 +0300
@@ -97,7 +97,7 @@
struct list_head hash[0]; /* hashtable itself */
};
-DECLARE_RWLOCK(hashlimit_lock); /* protects htables list */
+static DECLARE_RWLOCK(hashlimit_lock); /* protects htables list */
static LIST_HEAD(hashlimit_htables);
static kmem_cache_t *hashlimit_cachep;
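Review bot: the static added to DECLARE_RWLOCK(hashlimit_lock) is a symbol-scope cleanup that is unrelated to the two kernel bugs listed in the mail; send it as its own patch so the fixes can be reviewed and applied on their own.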
@@ -112,7 +112,7 @@
static inline u_int32_t
hash_dst(const struct ipt_hashlimit_htable *ht, const struct dsthash_dst *dst)
{
- return (jhash_3words(dst->dst_ip, (dst->dst_port<<16 & dst->src_port),
+ return (jhash_3words(dst->dst_ip, (u32)((u32)dst->dst_port<<16 | dst->src_port),
dst->src_ip, ht->rnd) % ht->cfg.size);
}
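Review bot: the outer (u32) cast in the new second argument to jhash_3words() is redundant, because (u32)dst->dst_port<<16 | dst->src_port is already u32, and the line now runs well past 80 columns, so wrap it. The '&' to '|' change itself is right: '<<' binds tighter than '&', so the old expression ANDed a value whose low 16 bits are clear against a 16-bit port and always passed 0, leaving bucket selection dependent on the two addresses and ht->rnd only.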
@@ -413,7 +413,6 @@
ports[0] = ports[1] = 0;
break;
}
-
return 0;
}
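Review bot: whitespace-only change (the blank line before return 0 is deleted); drop it from a bug-fix patch so the diff contains nothing but the fixes.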
@@ -471,7 +470,7 @@
dh->rateinfo.prev = jiffies;
dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
- hinfo->cfg.burst);
+ (hinfo->cfg.burst-1));
dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *
hinfo->cfg.burst);
dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
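Review bot: (hinfo->cfg.burst-1) in the initial credit wraps around if burst is 0 and the field is unsigned, as the %u used for it in the userspace patch suggests, which would start the entry with a credit far above credit_cap; confirm that burst >= 1 is enforced before this point or clamp here. A short comment saying that the packet which creates the entry is matched without being charged would also explain why credit and credit_cap are now initialised from different values.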
@@ -480,6 +479,7 @@
return 1;
}
+// unsigned long now = jiffies;
/* update expiration timeout */
dh->expires = now + MS2JIFFIES(hinfo->cfg.expire);
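Review bot: the only added line is a commented-out declaration, // unsigned long now = jiffies;, which looks like a debugging leftover; remove it from the submission. Kernel style also uses /* */ rather than // comments.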
@@ -608,6 +608,9 @@
/* recalculate to show accurate numbers */
rateinfo_recalc(ent, jiffies);
+// ent->rateinfo.credit += (jiffies - xchg(&ent->rateinfo.prev, jiffies))
+// * CREDITS_PER_JIFFY;
+
return seq_printf(s, "%ld %u.%u.%u.%u:%u->%u.%u.%u.%u:%u %u %u %u\n",
(ent->expires - jiffies)/HZ,
NIPQUAD(ent->dst.src_ip), ntohs(ent->dst.src_port),
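Review bot: the two // lines added after rateinfo_recalc(ent, jiffies) are a disabled, open-coded credit update that appears to duplicate what the call just above them does; dead code should not be merged, and without it this hunk changes nothing.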
@@ -668,11 +671,9 @@
goto cleanup_nothing;
}
- /* FIXME: do we really want HWCACHE_ALIGN since our objects are
- * quite small ? */
hashlimit_cachep = kmem_cache_create("ipt_hashlimit",
sizeof(struct dsthash_ent), 0,
- SLAB_HWCACHE_ALIGN, NULL, NULL);
+ 0, NULL, NULL);
if (!hashlimit_cachep) {
printk(KERN_ERR "Unable to create ipt_hashlimit slab cache\n");
ret = -ENOMEM;
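Review bot: replacing SLAB_HWCACHE_ALIGN with 0 in kmem_cache_create() changes allocator behaviour and is not one of the bugs described in the mail; it needs its own patch with a rationale. The removed FIXME only asked whether the alignment is wanted for such small objects, so the changelog should answer that, ideally with the object size or a measurement.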
* Re: hashlimit match errors and patches
2005-02-04 20:40 hashlimit match errors and patches Nikolai Malykh
@ 2005-02-07 18:37 ` Harald Welte
0 siblings, 0 replies; 2+ messages in thread
From: Harald Welte @ 2005-02-07 18:37 UTC
To: Nikolai Malykh; +Cc: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 1272 bytes --]
On Fri, Feb 04, 2005 at 11:40:38PM +0300, Nikolai Malykh wrote:
> 1. Incorrect parameter handling in libipt_hashlimit makes it impossible to
> save a rule without error because --hashlimit-mode is saved as --mode
thanks, applied your patch.
Committed revision 3653.
> Patch for this error in attachment
>
> 2. Incorrect parameter in jhash_3words() - port numbers not hashed in result
> 3. Incorrect parameter value in hashlimit_match() - matching packet =
> burst + 1 instead of burst
Your kernel patches contained other changes than the bugs you mentioned
above. Please try to separate such changes before submitting a fix.
Thanks.
I'll grab the two hunks that actually fix bugs and hand the result over
to Patrick.
It's good to see hashlimit bug reports and fixes during the last couple
of weeks. This proves that it has its applications and people are
actually using it :)
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
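The two kernel fixes discussed in this thread (the port word passed to jhash_3words() and the initial credit in hashlimit_match()), modelled in user space as an added example; it is not code from the patch or from netfilter. The function names, the sample ports, the linear stand-in for user2credits() and the "credit >= cost" check applied to later packets are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*ports_fn)(uint16_t dpt, uint16_t spt);

/* Pre-patch word: '<<' binds tighter than '&', and (dpt << 16) shares no
 * bits with a 16-bit port, so the result is 0 for every port pair. */
static uint32_t ports_old(uint16_t dpt, uint16_t spt)
{
    return ((uint32_t)dpt << 16) & spt;
}

/* Patched word: both ports packed into one 32-bit value. */
static uint32_t ports_new(uint16_t dpt, uint16_t spt)
{
    return ((uint32_t)dpt << 16) | spt;
}

/* Constructed sample: 4 destination ports x 64 source ports between one IP
 * pair. Returns how many of the 256 flows feed a non-zero word to the hash. */
static unsigned port_flows(ports_fn f)
{
    static const uint16_t dpts[] = { 22, 80, 443, 8080 };
    unsigned n = 0;
    for (unsigned d = 0; d < 4; d++)
        for (uint16_t spt = 1024; spt < 1088; spt++)
            n += f(dpts[d], spt) != 0;
    return n;
}

/* Packets matched back-to-back (no refill) for a brand-new flow. The packet
 * that creates the entry matches uncharged; each later one pays 'cost'.
 * Assumed: credits are linear in avg, later packets need credit >= cost. */
static unsigned burst_matched(unsigned avg, unsigned burst, int patched)
{
    if (avg == 0 || burst == 0) return 0;   /* keeps burst - 1 from wrapping */
    unsigned long cost = avg;
    unsigned long credit = (unsigned long)avg * (patched ? burst - 1 : burst);
    unsigned matched = 1;                   /* the entry-creating packet */
    for (; credit >= cost; credit -= cost)
        matched++;
    return matched;
}

int main(void)
{
    printf("flows hashed by port: old=%u new=%u\n", port_flows(ports_old), port_flows(ports_new));
    printf("burst=5 matched: old=%u new=%u\n", burst_matched(10, 5, 0), burst_matched(10, 5, 1));
    return 0;
}
```

With the old word every flow between the same two addresses lands in one bucket regardless of port, and a configured burst of 5 lets 6 back-to-back packets through.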