From: Valentijn Sessink <valentyn@blub.net>
To: netfilter-devel@vger.kernel.org
Cc: Phil Oester <kernel@linuxace.com>
Subject: Re: xt_recent.c bug - and cleanup
Date: Fri, 30 Aug 2013 07:27:01 +0200 [thread overview]
Message-ID: <52202D25.6030606@blub.net> (raw)
In-Reply-To: <20130829220904.GA6810@linuxace.com>
Hi Phil,
First, thanks for looking into this.
On 30-08-13 00:09, Phil Oester wrote:
> I disagree with your assessment. Take a closer look at the man page
> for recent match (emphasis added to relevant portion):
> [!] --update
> Like --rcheck, except it will update the "last seen" timestamp **if it matches**
> Your rule _does not match_ for "friends". Because you used inversion, it only
> matches for non-friends (and then, of course, there is no timestamp to
> update).
The manpage says "This will always return success (or failure if ! is
passed in).", which IMHO means the "!" is only meant to reverse the
return value. But I agree that the man page is not very clear.
But, as you have reviewed the code, I'd like to ask you why the code
calls recent_entry_update(t, e) when there's nothing to update (i.e. a
call to recent_entry_init(), if any, would be more appropriate) - and
the code knows it?
> By design.
Then calling recent_entry_update is a bug. Besides, see below how the
--seconds check fits in.
You're right though, that --update --seconds 10 only updates within the
10 seconds scope as well.
> This is confusing, to be sure, but from my review of the code, it is also
> by design. Unfortunately when you use --seconds, it DOES NOT MATCH,
> and therefore it does not update. But then on the next packet, since
> there was no update on the first packet, it still does not match on the
> second. And on and on... It will never match, and it will never update
> the entry.
Let's say you use
-A INPUT -m recent ! --update --name friends --seconds 600 --rsource -j
LOG --log-prefix "go away: "
Then the first 600 seconds, you're welcome. Then after 600 seconds, you
don't match - ** and suddenly your entry is updated **. So for the next
600 seconds, you're welcome again! After that, you're not welcome, so
your entry is updated again.
That's silly.
The reason I found this, is that I'm trying to actually * use * the
recent module with the inversion, and if this is not a bug, well, then
its really odd at least - I can't even think how it could be useful this
way.
Best regards,
Valentijn
next prev parent reply other threads:[~2013-08-30 5:35 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-29 10:16 xt_recent.c bug - and cleanup Valentijn Sessink
2013-08-29 22:09 ` Phil Oester
2013-08-30 5:27 ` Valentijn Sessink [this message]
2013-08-30 15:24 ` Phil Oester
2013-09-05 14:55 ` Valentijn Sessink
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52202D25.6030606@blub.net \
--to=valentyn@blub.net \
--cc=kernel@linuxace.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.