* Cannot delete hashlimit match entries
@ 2005-02-04 23:24 Phil Oester
2005-02-05 0:33 ` Samuel Jean
0 siblings, 1 reply; 3+ messages in thread
From: Phil Oester @ 2005-02-04 23:24 UTC (permalink / raw)
To: netfilter-devel
As noted by a bugzilla reporter,
iptables -A foo -m hashlimit --hashlimit 5/s --hashlimit-mode srcip --hashlimit-name foo
iptables -D foo -m hashlimit --hashlimit 5/s --hashlimit-mode srcip --hashlimit-name foo
iptables: Bad rule (does a matching rule exist in that chain?)
In reviewing this, I think the fact that *hinfo is initialized by the kernel
will make this a tough problem to fix. The unitialized match is:
(gdb) inspect *(struct ipt_hashlimit_info *)((struct ipt_entry_match)*a->elems)->data
$42 = {name = "foo\000\000\000\000\000\000\000\000\000", cfg = {mode = 6, avg = 2000, burst = 5,
size = 0, max = 0, gc_interval = 1000, expire = 10000}, hinfo = 0x0, u = {ptr = 0x0,
master = 0x0}}
while once initialized:
(gdb) inspect *(struct ipt_hashlimit_info *)((struct ipt_entry_match)*b->elems)->data
$43 = {name = "foo\000\000\000\000\000\000\000\000\000", cfg = {mode = 6, avg = 2000, burst = 5,
size = 0, max = 0, gc_interval = 1000, expire = 10000}, hinfo = 0xd4875000, u = {
ptr = 0xd48733d0, master = 0xd48733d0}}
So...unless I'm missing something, they really don't match.
Ideas?
Phil
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Cannot delete hashlimit match entries
2005-02-04 23:24 Cannot delete hashlimit match entries Phil Oester
@ 2005-02-05 0:33 ` Samuel Jean
2005-02-07 18:41 ` Harald Welte
0 siblings, 1 reply; 3+ messages in thread
From: Samuel Jean @ 2005-02-05 0:33 UTC (permalink / raw)
To: Phil Oester; +Cc: netfilter-devel
Phil Oester wrote:
> As noted by a bugzilla reporter,
>
> iptables -A foo -m hashlimit --hashlimit 5/s --hashlimit-mode srcip --hashlimit-name foo
> iptables -D foo -m hashlimit --hashlimit 5/s --hashlimit-mode srcip --hashlimit-name foo
> iptables: Bad rule (does a matching rule exist in that chain?)
>
> In reviewing this, I think the fact that *hinfo is initialized by the kernel
> will make this a tough problem to fix. The unitialized match is:
>
Yes. The only way am aware of to fix it is sizing the matching part with offsetof().
Fortunately, in this case, all modified member are at end so we can use this hack without
breaking any compatibility.
> Ideas?
Index: extensions/libipt_hashlimit.c
===================================================================
--- extensions/libipt_hashlimit.c (revision 3525)
+++ extensions/libipt_hashlimit.c (working copy)
@@ -351,8 +351,7 @@
.name = "hashlimit",
.version = IPTABLES_VERSION,
.size = IPT_ALIGN(sizeof(struct ipt_hashlimit_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_hashlimit_info)),
- //offsetof(struct ipt_hashlimit_info, prev),
+ .userspacesize = offsetof(struct ipt_hashlimit_info, hinfo),
.help = &help,
.init = &init,
.parse = &parse,
By now, SVN is crush. 8( I can't tell wheter this patch applies or not. but at least, you got the idea.
>
> Phil
>
Cheers,
Samuel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-02-07 18:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-02-04 23:24 Cannot delete hashlimit match entries Phil Oester
2005-02-05 0:33 ` Samuel Jean
2005-02-07 18:41 ` Harald Welte
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.