* Cannot delete hashlimit match entries
@ 2005-02-04 23:24 Phil Oester
2005-02-05 0:33 ` Samuel Jean
0 siblings, 1 reply; 3+ messages in thread
From: Phil Oester @ 2005-02-04 23:24 UTC (permalink / raw)
To: netfilter-devel
As noted by a bugzilla reporter,
iptables -A foo -m hashlimit --hashlimit 5/s --hashlimit-mode srcip --hashlimit-name foo
iptables -D foo -m hashlimit --hashlimit 5/s --hashlimit-mode srcip --hashlimit-name foo
iptables: Bad rule (does a matching rule exist in that chain?)
In reviewing this, I think the fact that *hinfo is initialized by the kernel
will make this a tough problem to fix. The uninitialized match is:
(gdb) inspect *(struct ipt_hashlimit_info *)((struct ipt_entry_match)*a->elems)->data
$42 = {name = "foo\000\000\000\000\000\000\000\000\000", cfg = {mode = 6, avg = 2000, burst = 5,
size = 0, max = 0, gc_interval = 1000, expire = 10000}, hinfo = 0x0, u = {ptr = 0x0,
master = 0x0}}
while once initialized:
(gdb) inspect *(struct ipt_hashlimit_info *)((struct ipt_entry_match)*b->elems)->data
$43 = {name = "foo\000\000\000\000\000\000\000\000\000", cfg = {mode = 6, avg = 2000, burst = 5,
size = 0, max = 0, gc_interval = 1000, expire = 10000}, hinfo = 0xd4875000, u = {
ptr = 0xd48733d0, master = 0xd48733d0}}
So...unless I'm missing something, they really don't match.
Ideas?
Phil
* Re: Cannot delete hashlimit match entries
2005-02-04 23:24 Cannot delete hashlimit match entries Phil Oester
@ 2005-02-05 0:33 ` Samuel Jean
2005-02-07 18:41 ` Harald Welte
0 siblings, 1 reply; 3+ messages in thread
From: Samuel Jean @ 2005-02-05 0:33 UTC (permalink / raw)
To: Phil Oester; +Cc: netfilter-devel
Phil Oester wrote:
> As noted by a bugzilla reporter,
>
> iptables -A foo -m hashlimit --hashlimit 5/s --hashlimit-mode srcip --hashlimit-name foo
> iptables -D foo -m hashlimit --hashlimit 5/s --hashlimit-mode srcip --hashlimit-name foo
> iptables: Bad rule (does a matching rule exist in that chain?)
>
> In reviewing this, I think the fact that *hinfo is initialized by the kernel
> will make this a tough problem to fix. The uninitialized match is:
>
Yes. The only way I am aware of to fix it is sizing the matching part with offsetof().
Fortunately, in this case, all modified members are at the end so we can use this hack without
breaking any compatibility.
> Ideas?
Index: extensions/libipt_hashlimit.c
===================================================================
--- extensions/libipt_hashlimit.c (revision 3525)
+++ extensions/libipt_hashlimit.c (working copy)
@@ -351,8 +351,7 @@
.name = "hashlimit",
.version = IPTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_hashlimit_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_hashlimit_info)),
- //offsetof(struct ipt_hashlimit_info, prev),
+ .userspacesize = offsetof(struct ipt_hashlimit_info, hinfo),
.help = &help,
.init = &init,
.parse = &parse,
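Review bot: the new .userspacesize line only works while hinfo and everything after it in struct ipt_hashlimit_info is kernel-filled state, and nothing in this hunk records that assumption. A short comment at this initializer (or at the struct definition) saying that user-configured fields must stay before hinfo would prevent a later field added after hinfo from being silently excluded from rule comparison. Also, the removed line wrapped the size in IPT_ALIGN() and the new one does not, so it is worth confirming that the unaligned length is intended, and that <stddef.h> is included for offsetof(), since no include is visible here.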
By now, SVN is crashed. 8( I can't tell whether this patch applies or not, but at least you got the idea.
>
> Phil
>
Cheers,
Samuel
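Added example, not code from this thread or from iptables: a small C model of why the delete lookup fails when the whole structure is compared and succeeds when the comparison stops at offsetof(..., hinfo). The struct is a simplified stand-in built from the field names in the gdb dumps above; the field types, the 16-byte name, the hl_ names and the assumption that the lookup is a byte-wise memcmp over the first userspacesize bytes are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the match data in the gdb dumps above.
 * Field names come from the dump; types and name length are assumptions. */
struct hl_cfg { uint32_t mode, avg, burst, size, max, gc_interval, expire; };

struct hl_info {
    char name[16];
    struct hl_cfg cfg;
    void *hinfo;                                     /* set by the kernel */
    union { void *ptr; struct hl_info *master; } u;  /* kernel-internal */
};

/* Build the data as userspace would for "--hashlimit 5/s ... --hashlimit-name foo". */
static void hl_fill_user(struct hl_info *m, const char *name, uint32_t burst)
{
    memset(m, 0, sizeof(*m));   /* zero padding too: memcmp compares it */
    strncpy(m->name, name, sizeof(m->name) - 1);
    m->cfg.mode = 6; m->cfg.avg = 2000; m->cfg.burst = burst;
    m->cfg.gc_interval = 1000; m->cfg.expire = 10000;
}

/* Simulate the kernel attaching its own state to an installed rule. */
static void hl_kernel_init(struct hl_info *m, void *table)
{
    m->hinfo = table;
    m->u.master = m;
}

/* Returns 1 if a freshly built delete request matches the installed rule
 * when only the first cmp_len bytes of match data are compared. */
static int hl_delete_finds(size_t cmp_len, uint32_t req_burst)
{
    static int table;           /* stand-in for the kernel hash table */
    struct hl_info installed, request;
    hl_fill_user(&installed, "foo", 5);
    hl_kernel_init(&installed, &table);
    hl_fill_user(&request, "foo", req_burst);
    return memcmp(&installed, &request, cmp_len) == 0;
}

int main(void)
{
    /* Full-size compare misses the rule; compare up to hinfo finds it. */
    return (!hl_delete_finds(sizeof(struct hl_info), 5) &&
            hl_delete_finds(offsetof(struct hl_info, hinfo), 5)) ? 0 : 1;
}
```

The shortened comparison still distinguishes rules whose user-supplied settings differ, because every configured field lies before hinfo.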
* Re: Cannot delete hashlimit match entries
2005-02-05 0:33 ` Samuel Jean
@ 2005-02-07 18:41 ` Harald Welte
0 siblings, 0 replies; 3+ messages in thread
From: Harald Welte @ 2005-02-07 18:41 UTC (permalink / raw)
To: sjean; +Cc: netfilter-devel
On Fri, Feb 04, 2005 at 07:33:04PM -0500, Samuel Jean wrote:
> Yes. The only way I am aware of to fix it is sizing the matching part with
> offsetof().
> Fortunately, in this case, all modified members are at the end so we can use
> this hack without
> breaking any compatibility.
Thanks!
Sending extensions/libipt_hashlimit.c
Transmitting file data .
Committed revision 3654.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie