* libxt_recent: do not allow both --set and --rttl
@ 2008-08-03 19:04 Jan Engelhardt
  2008-08-04 10:52 ` Patrick McHardy
  2008-08-20 17:10 ` Tony.Ho
From: Jan Engelhardt @ 2008-08-03 19:04 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List

commit a49a4695616dd8c467360af5447869e3a68c4f4d
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Sun Aug 3 15:03:27 2008 -0400

libxt_recent: do not allow both --set and --rttl

Reported-by: Erich Schubert <erich@debian.org>
Reference: Debian bug #346034

"I was using the --rttl option in my --set line; this caused all
incoming ssh connections to be rejected; --rttl is only to be used
with --rcheck and --update."

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_recent.c |   33 +++++++++++++++++++++++----------
 1 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/extensions/libipt_recent.c b/extensions/libipt_recent.c
index 51b0d15..108de2f 100644
--- a/extensions/libipt_recent.c
+++ b/extensions/libipt_recent.c
@@ -75,6 +75,10 @@ static void recent_init(struct xt_entry_match *match)
 	info->side = IPT_RECENT_SOURCE;
 }
 
+#define RECENT_CMDS \
+	(IPT_RECENT_SET | IPT_RECENT_CHECK | \
+	IPT_RECENT_UPDATE | IPT_RECENT_REMOVE)
+
 /* Function which parses command options; returns true if it
    ate an option */
 static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
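Review bot: RECENT_CMDS is only a correct exclusivity mask if the four IPT_RECENT_* command values are distinct single bits and IPT_RECENT_TTL, which a later hunk of this patch also ORs into the same `*flags` word, does not overlap any of them. Those constants come from the kernel header and are not visible here, so the assumption should be stated on the macro rather than left implicit. Suggested comment above the `#define`: `/* Mutually exclusive command bits tracked in *flags; IPT_RECENT_TTL must not overlap them. */`. The body of recent_parse begins after this hunk ends.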
@@ -83,43 +87,47 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
 	struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data;
 	switch (c) {
 		case 201:
-			if (*flags) exit_error(PARAMETER_PROBLEM,
+			if (*flags & RECENT_CMDS)
+				exit_error(PARAMETER_PROBLEM,
 					"recent: only one of `--set', `--rcheck' "
 					"`--update' or `--remove' may be set");
 			check_inverse(optarg, &invert, &optind, 0);
 			info->check_set |= IPT_RECENT_SET;
 			if (invert) info->invert = 1;
-			*flags = 1;
+			*flags |= IPT_RECENT_SET;
 			break;
 			
 		case 202:
-			if (*flags) exit_error(PARAMETER_PROBLEM,
+			if (*flags & RECENT_CMDS)
+				exit_error(PARAMETER_PROBLEM,
 					"recent: only one of `--set', `--rcheck' "
 					"`--update' or `--remove' may be set");
 			check_inverse(optarg, &invert, &optind, 0);
 			info->check_set |= IPT_RECENT_CHECK;
 			if(invert) info->invert = 1;
-			*flags = 1;
+			*flags |= IPT_RECENT_CHECK;
 			break;
 
 		case 203:
-			if (*flags) exit_error(PARAMETER_PROBLEM,
+			if (*flags & RECENT_CMDS)
+				exit_error(PARAMETER_PROBLEM,
 					"recent: only one of `--set', `--rcheck' "
 					"`--update' or `--remove' may be set");
 			check_inverse(optarg, &invert, &optind, 0);
 			info->check_set |= IPT_RECENT_UPDATE;
 			if (invert) info->invert = 1;
-			*flags = 1;
+			*flags |= IPT_RECENT_UPDATE;
 			break;
 
 		case 206:
-			if (*flags) exit_error(PARAMETER_PROBLEM,
+			if (*flags & RECENT_CMDS)
+				exit_error(PARAMETER_PROBLEM,
 					"recent: only one of `--set', `--rcheck' "
 					"`--update' or `--remove' may be set");
 			check_inverse(optarg, &invert, &optind, 0);
 			info->check_set |= IPT_RECENT_REMOVE;
 			if (invert) info->invert = 1;
-			*flags = 1;
+			*flags |= IPT_RECENT_REMOVE;
 			break;
 
 		case 204:
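Review bot: The new three-line `if (*flags & RECENT_CMDS) exit_error(...)` check, together with its identical message string, is now repeated verbatim in the four command cases (201, 202, 203, 206); a small static helper would keep the message in one place and make the per-case code read as `recent_check_single_cmd(*flags);`. This is a point of style only, the logic of each case is unchanged. recent_parse continues past the end of this hunk.
```c
/* Reject a second --set/--rcheck/--update/--remove on the same rule. */
static void recent_check_single_cmd(unsigned int flags)
{
	if (flags & RECENT_CMDS)
		exit_error(PARAMETER_PROBLEM,
			"recent: only one of `--set', `--rcheck' "
			"`--update' or `--remove' may be set");
}

		case 201:
			recent_check_single_cmd(*flags);
			/* … unchanged: check_inverse, check_set, invert, *flags |= IPT_RECENT_SET … */
		/* … cases 202, 203 and 206 call the same helper in place of the copied check … */
```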
@@ -132,6 +140,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
 
 		case 207:
 			info->check_set |= IPT_RECENT_TTL;
+			*flags |= IPT_RECENT_TTL;
 			break;
 
 		case 208:
@@ -157,11 +166,15 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
 /* Final check; must have specified a specific option. */
 static void recent_check(unsigned int flags)
 {
-
-	if (!flags)
+	if (!(flags & RECENT_CMDS))
 		exit_error(PARAMETER_PROBLEM,
 			"recent: you must specify one of `--set', `--rcheck' "
 			"`--update' or `--remove'");
+	if ((flags & IPT_RECENT_TTL) &&
+	    (flags & (IPT_RECENT_SET | IPT_RECENT_REMOVE | IPT_RECENT_UPDATE)))
+		exit_error(PARAMETER_PROBLEM,
+		           "recent: --rttl may only be used with --rcheck or "
+		           "--update");
 }
 
 /* Prints out the matchinfo. */
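Review bot: The comment above recent_check, `/* Final check; must have specified a specific option. */`, is now stale: the function also enforces the --rttl pairing added in this hunk, and a reader skimming the comment would not expect a second rejection path. Suggest `/* Final check: exactly one command must be given, and --rttl only with --rcheck or --update. */`. Note that this is validation in the iptables front end only; whether the kernel match itself rejects IPT_RECENT_TTL combined with IPT_RECENT_SET is not shown here, so other front ends may still be able to install the combination that caused the reported lockout.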



* Re: libxt_recent: do not allow both --set and --rttl
  2008-08-03 19:04 libxt_recent: do not allow both --set and --rttl Jan Engelhardt
@ 2008-08-04 10:52 ` Patrick McHardy
  2008-08-20 17:10 ` Tony.Ho
From: Patrick McHardy @ 2008-08-04 10:52 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List

Jan Engelhardt wrote:
> libxt_recent: do not allow both --set and --rttl
> 
> Reported-by: Erich Schubert <erich@debian.org>
> Reference: Debian bug #346034
> 
> "I was using the --rttl option in my --set line; this caused all
> incoming ssh connections to be rejected; --rttl is only to be used
> with --rcheck and --update."

Applied, thanks.


* Re: libxt_recent: do not allow both --set and --rttl
  2008-08-03 19:04 libxt_recent: do not allow both --set and --rttl Jan Engelhardt
  2008-08-04 10:52 ` Patrick McHardy
@ 2008-08-20 17:10 ` Tony.Ho
  2008-08-20 17:49   ` libxt_recent: do allow --rttl for --update Jan Engelhardt
From: Tony.Ho @ 2008-08-20 17:10 UTC (permalink / raw)
  To: Jan Engelhardt, netfilter-devel

+	if ((flags & IPT_RECENT_TTL) &&
+	    (flags & (IPT_RECENT_SET | IPT_RECENT_REMOVE | IPT_RECENT_UPDATE)))

I think there should be:

+	if ((flags & IPT_RECENT_TTL) &&
+	    (flags & (IPT_RECENT_SET | IPT_RECENT_REMOVE)))

Is it right?



Jan Engelhardt wrote:
> commit a49a4695616dd8c467360af5447869e3a68c4f4d
> Author: Jan Engelhardt <jengelh@medozas.de>
> Date:   Sun Aug 3 15:03:27 2008 -0400
>
> libxt_recent: do not allow both --set and --rttl
>
> Reported-by: Erich Schubert <erich@debian.org>
> Reference: Debian bug #346034
>
> "I was using the --rttl option in my --set line; this caused all
> incoming ssh connections to be rejected; --rttl is only to be used
> with --rcheck and --update."
>
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
> ---
>  extensions/libipt_recent.c |   33 +++++++++++++++++++++++----------
>  1 files changed, 23 insertions(+), 10 deletions(-)
>
> diff --git a/extensions/libipt_recent.c b/extensions/libipt_recent.c
> index 51b0d15..108de2f 100644
> --- a/extensions/libipt_recent.c
> +++ b/extensions/libipt_recent.c
> @@ -75,6 +75,10 @@ static void recent_init(struct xt_entry_match *match)
>  	info->side = IPT_RECENT_SOURCE;
>  }
>  
> +#define RECENT_CMDS \
> +	(IPT_RECENT_SET | IPT_RECENT_CHECK | \
> +	IPT_RECENT_UPDATE | IPT_RECENT_REMOVE)
> +
>  /* Function which parses command options; returns true if it
>     ate an option */
>  static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
> @@ -83,43 +87,47 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
>  	struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data;
>  	switch (c) {
>  		case 201:
> -			if (*flags) exit_error(PARAMETER_PROBLEM,
> +			if (*flags & RECENT_CMDS)
> +				exit_error(PARAMETER_PROBLEM,
>  					"recent: only one of `--set', `--rcheck' "
>  					"`--update' or `--remove' may be set");
>  			check_inverse(optarg, &invert, &optind, 0);
>  			info->check_set |= IPT_RECENT_SET;
>  			if (invert) info->invert = 1;
> -			*flags = 1;
> +			*flags |= IPT_RECENT_SET;
>  			break;
>  			
>  		case 202:
> -			if (*flags) exit_error(PARAMETER_PROBLEM,
> +			if (*flags & RECENT_CMDS)
> +				exit_error(PARAMETER_PROBLEM,
>  					"recent: only one of `--set', `--rcheck' "
>  					"`--update' or `--remove' may be set");
>  			check_inverse(optarg, &invert, &optind, 0);
>  			info->check_set |= IPT_RECENT_CHECK;
>  			if(invert) info->invert = 1;
> -			*flags = 1;
> +			*flags |= IPT_RECENT_CHECK;
>  			break;
>  
>  		case 203:
> -			if (*flags) exit_error(PARAMETER_PROBLEM,
> +			if (*flags & RECENT_CMDS)
> +				exit_error(PARAMETER_PROBLEM,
>  					"recent: only one of `--set', `--rcheck' "
>  					"`--update' or `--remove' may be set");
>  			check_inverse(optarg, &invert, &optind, 0);
>  			info->check_set |= IPT_RECENT_UPDATE;
>  			if (invert) info->invert = 1;
> -			*flags = 1;
> +			*flags |= IPT_RECENT_UPDATE;
>  			break;
>  
>  		case 206:
> -			if (*flags) exit_error(PARAMETER_PROBLEM,
> +			if (*flags & RECENT_CMDS)
> +				exit_error(PARAMETER_PROBLEM,
>  					"recent: only one of `--set', `--rcheck' "
>  					"`--update' or `--remove' may be set");
>  			check_inverse(optarg, &invert, &optind, 0);
>  			info->check_set |= IPT_RECENT_REMOVE;
>  			if (invert) info->invert = 1;
> -			*flags = 1;
> +			*flags |= IPT_RECENT_REMOVE;
>  			break;
>  
>  		case 204:
> @@ -132,6 +140,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
>  
>  		case 207:
>  			info->check_set |= IPT_RECENT_TTL;
> +			*flags |= IPT_RECENT_TTL;
>  			break;
>  
>  		case 208:
> @@ -157,11 +166,15 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
>  /* Final check; must have specified a specific option. */
>  static void recent_check(unsigned int flags)
>  {
> -
> -	if (!flags)
> +	if (!(flags & RECENT_CMDS))
>  		exit_error(PARAMETER_PROBLEM,
>  			"recent: you must specify one of `--set', `--rcheck' "
>  			"`--update' or `--remove'");
> +	if ((flags & IPT_RECENT_TTL) &&
> +	    (flags & (IPT_RECENT_SET | IPT_RECENT_REMOVE | IPT_RECENT_UPDATE)))
> +		exit_error(PARAMETER_PROBLEM,
> +		           "recent: --rttl may only be used with --rcheck or "
> +		           "--update");
>  }
>  
>  /* Prints out the matchinfo. */
>



* libxt_recent: do allow --rttl for --update
  2008-08-20 17:10 ` Tony.Ho
@ 2008-08-20 17:49   ` Jan Engelhardt
  2008-09-01 12:28     ` Patrick McHardy
From: Jan Engelhardt @ 2008-08-20 17:49 UTC (permalink / raw)
  To: kaber; +Cc: Netfilter Developer Mailing List, iptables

commit 5c395d782e97ce7218acebc8c8bb950808adde97
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Wed Aug 20 13:36:45 2008 -0400

libxt_recent: do allow --rttl for --update

Tony Ho noticed a too-strict check in xt_recent, so here is a fix.

Reported-by: Tony Ho <iptables@iblink.com.cn>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_recent.c   |    2 +-
 extensions/libipt_recent.man |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libipt_recent.c b/extensions/libipt_recent.c
index 94f246a..7281fe5 100644
--- a/extensions/libipt_recent.c
+++ b/extensions/libipt_recent.c
@@ -165,7 +165,7 @@ static void recent_check(unsigned int flags)
 			"recent: you must specify one of `--set', `--rcheck' "
 			"`--update' or `--remove'");
 	if ((flags & IPT_RECENT_TTL) &&
-	    (flags & (IPT_RECENT_SET | IPT_RECENT_REMOVE | IPT_RECENT_UPDATE)))
+	    (flags & (IPT_RECENT_SET | IPT_RECENT_REMOVE)))
 		exit_error(PARAMETER_PROBLEM,
 		           "recent: --rttl may only be used with --rcheck or "
 		           "--update");
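Review bot: The corrected condition still lists the options that are forbidden while the error message two lines below lists the options that are allowed, which is exactly how the two drifted apart in the previous version. Writing it positively, `(flags & IPT_RECENT_TTL) && !(flags & (IPT_RECENT_CHECK | IPT_RECENT_UPDATE))`, makes the test name the same two options as the message, and is equivalent because the earlier check in this function already rejects a rule with no command at all and recent_parse rejects a second one. recent_check starts before this hunk.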
diff --git a/extensions/libipt_recent.man b/extensions/libipt_recent.man
index 02432ba..d5bdaa0 100644
--- a/extensions/libipt_recent.man
+++ b/extensions/libipt_recent.man
@@ -50,7 +50,7 @@ than or equal to the given value. This option may be used along with
 number of hits within a specific time frame.
 .TP
 \fB--rttl\fR
-This option must be used in conjunction with one of \fB--rcheck\fR or
+This option may only be used in conjunction with one of \fB--rcheck\fR or
 \fB--update\fR. When used, this will narrow the match to only happen
 when the address is in the list and the TTL of the current packet
 matches that of the packet which hit the \fB--set\fR rule. This may be


* Re: libxt_recent: do allow --rttl for --update
  2008-08-20 17:49   ` libxt_recent: do allow --rttl for --update Jan Engelhardt
@ 2008-09-01 12:28     ` Patrick McHardy
From: Patrick McHardy @ 2008-09-01 12:28 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List, iptables

Jan Engelhardt wrote:
> libxt_recent: do allow --rttl for --update
> 
> Tony Ho noticed a too-strict check in xt_recent, so here is a fix.

Applied, thanks.

