* Suggestion: "--match recent --set --life-span <secs>"  to prevent table filling up
From: Chris Hanson @ 2009-03-09 22:48 UTC (permalink / raw)
  To: netfilter-devel

Hello,

A suggestion for the match recent part of netfilter. Include a life_span 
field in the table. A host is removed from a table after it hasn't been 
seen for x seconds.

I suggest this because of the number of botnet hosts that rapidly fill 
up the /proc/net/ipt_recent tables. Sometimes an attacking host is only 
seen once in a long probe/attack.


Additional related suggestions:

Perhaps just reuse the --seconds parameter on a --set instead of adding 
a new parameter.

Give the field a default value. (3600?)

Have a module command line parameter for changing the default value.

Use 0 for an infinite life_span.


I apologize for not being able to submit code. I tried looking at the 
source and I soon realized that my coding skills are VERY rusty.

I hope this sounds useful to you all. Keep up the good work.

Chris Hanson


* Re: Suggestion: "--match recent --set --life-span <secs>"  to prevent table filling up
From: Jan Engelhardt @ 2009-03-10 16:13 UTC (permalink / raw)
  To: Chris Hanson; +Cc: netfilter-devel


On Monday 2009-03-09 23:48, Chris Hanson wrote:
>
> A suggestion for the match recent part of netfilter. Include a
> life_span field in the table. A host is removed from a table after
> it hasn't been seen for x seconds.

How does this differ from simply ignoring hosts recorded in the list
whose last_seen time is greater than x -- apart from potential
memory savings?


* Re: Suggestion: "--match recent --set --life-span <secs>"  to prevent table filling up
From: Jan Engelhardt @ 2009-03-10 19:29 UTC (permalink / raw)
  To: Chris Hanson; +Cc: Netfilter Developer Mailing List

(whew, don't strip Ccs!)

On Tuesday 2009-03-10 20:19, Chris Hanson wrote:
>>  
>>> A suggestion for the match recent part of netfilter. Include a
>>> life_span field in the table. A host is removed from a table after
>>> it hasn't been seen for x seconds.
>>
>> How does this differ from simply ignoring hosts recorded in the list
>> whose last_seen time is greater than x -- apart from potential
>> memory savings?
>
> I had the impression that the --set function behaved badly when the table
> filled up.

Well the “only” problem xt_recent has is that entries are thrown off
the edge of the table when it fills up. It *should* do this in the
style of an LRU. The only benefit of a premature removal due to
life_span exceeding I can see is that you want to expire specific
entries (i.e. matched by, like, -m moonphase) to specifically keep
even older entries from falling off the LRU edge.

Seems to be a big plan there.

> I also believe that the "--rcheck ! --seconds x" check didn't work.
>
> I will investigate and report back.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: Suggestion: "--match recent --set --life-span <secs>"  to prevent table filling up
From: Chris Hanson @ 2009-03-10 20:10 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List



Jan Engelhardt wrote:
> (whew, don't strip Ccs!)
>
> On Tuesday 2009-03-10 20:19, Chris Hanson wrote:
>>>> A suggestion for the match recent part of netfilter. Include a
>>>> life_span field in the table. A host is removed from a table after
>>>> it hasn't been seen for x seconds.
>>> How does this differ from simply ignoring hosts recorded in the list
>>> whose last_seen time is greater than x -- apart from potential
>>> memory savings?
>> I had the impression that the --set function behaved badly when the table
>> filled up.
>
> Well the “only” problem xt_recent has is that entries are thrown off
> the edge of the table when it fills up. It *should* do this in the
> style of an LRU. The only benefit of a premature removal due to
> life_span exceeding I can see is that you want to expire specific
> entries (i.e. matched by, like, -m moonphase) to specifically keep
> even older entries from falling off the LRU edge.
>
> Seems to be a big plan there.
That is a big plan, and not worth the bother!

I double checked the behavior of the table when full and it seemed to 
work just fine. I don't know why I thought it was broken.

>> I also believe that the "--rcheck ! --seconds x" check didn't work.
>>
>> I will investigate and report back.
I made a mistake in the syntax. It should be "! --rcheck --seconds x".

So, in the end, all I have to complain about is that "--rcheck ! 
--seconds x" doesn't throw an error. It is accepted as if there was no "!".

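A small model of the behaviour discussed in this thread, added here as an example (it is not xt_recent's or iptables' code): a fixed-size table with --set and --rcheck --seconds that evicts the least recently seen address when full, as Jan describes, plus an option parser that refuses the misplaced negation Chris hit ("--rcheck ! --seconds x") instead of silently accepting it. The names RecentTable, parse_recent and matches, the capacity default and the sample addresses are all invented for the example.

```python
from collections import OrderedDict


class RecentTable:
    """Model of one xt_recent list (example code, not the kernel module).
    Assumption: a fixed capacity, like ip_list_tot, with LRU eviction."""

    def __init__(self, capacity=100):
        self.capacity = capacity
        self.entries = OrderedDict()  # addr -> last_seen; newest at the end

    def set(self, addr, now):
        """--set: add addr or refresh it; drop the least recently seen
        address when the list is already full."""
        if addr in self.entries:
            self.entries.move_to_end(addr)
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)
        self.entries[addr] = now

    def rcheck(self, addr, now, seconds=None):
        """--rcheck [--seconds s]: addr is listed and, if s is given,
        was last seen no more than s seconds ago."""
        last = self.entries.get(addr)
        return last is not None and (seconds is None or now - last <= seconds)


def parse_recent(tokens):
    """Parse the '-m recent' options used in the thread and return
    (negate, seconds).  A '!' directly before --rcheck inverts the match;
    a '!' before --seconds is an error here, not silently ignored."""
    negate, seconds, pending_not = False, None, False
    it = iter(tokens)
    for tok in it:
        if tok == "!":
            pending_not = True
        elif tok == "--rcheck":
            negate, pending_not = pending_not, False
        elif tok == "--seconds":
            if pending_not:
                raise ValueError("! not allowed here (before --seconds)")
            seconds = int(next(it))
        else:
            raise ValueError("unsupported option %r" % tok)
    return negate, seconds


def matches(tokens, table, addr, now):
    """Evaluate a parsed rule against the table for one packet from addr."""
    negate, seconds = parse_recent(tokens)
    return table.rcheck(addr, now, seconds) != negate
```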

* Re: Suggestion: "--match recent --set --life-span <secs>"  to prevent table filling up
From: Jan Engelhardt @ 2009-03-10 20:43 UTC (permalink / raw)
  To: Chris Hanson; +Cc: Netfilter Developer Mailing List


On Tuesday 2009-03-10 21:10, Chris Hanson wrote:
>>> I also believe that the "--rcheck ! --seconds x" check didn't work.
>>>
>>> I will investigate and report back.
> I made a mistake in the syntax. It should be "! --rcheck --seconds x".
>
> So, in the end, all I have to complain about is that "--rcheck ! --seconds x"
> doesn't throw an error. It is accepted as if there was no "!".
>
That might be. Some modules have missing "! not allowed here" checks
and just ignore it without warning about it, but Patrick has put me
on hold (it seems like an infinity) with regard to new patches :-/ :-p
