* Re: [stable] regression in iptables: recent filter
From: Andrew Morton @ 2008-09-12 3:01 UTC
To: Grant Coady; +Cc: Grant Coady, linux-kernel, netdev

On Fri, 12 Sep 2008 11:53:35 +1000 Grant Coady <grant_lkml@dodo.com.au> wrote:

> Hi there,
>
> Last known good kernel: 2.6.24.7
>
> # iptables -N calmrate
> # iptables -A calmrate -p tcp -m state --state NEW \
> -m recent --name listrate --update --rttl \
> --seconds 60 --hitcount 60 -j DROP
> iptables: Unknown error 4294967295
>
> Fails for 2.6.25.17 and 2.6.26.5
>
> dmesg + config: http://bugsplatter.id.au/kernel/boxen/deltree/
>

(cc netdev)
* Re: [stable] regression in iptables: recent filter
From: David Miller @ 2008-09-12 3:04 UTC
To: akpm; +Cc: gcoady.lk, grant_lkml, linux-kernel, netdev, netfilter-devel

From: Andrew Morton <akpm@linux-foundation.org>
Date: Thu, 11 Sep 2008 20:01:33 -0700

> On Fri, 12 Sep 2008 11:53:35 +1000 Grant Coady <grant_lkml@dodo.com.au> wrote:
>
> > Hi there,
> >
> > Last known good kernel: 2.6.24.7
> >
> > # iptables -N calmrate
> > # iptables -A calmrate -p tcp -m state --state NEW \
> > -m recent --name listrate --update --rttl \
> > --seconds 60 --hitcount 60 -j DROP
> > iptables: Unknown error 4294967295
> >
> > Fails for 2.6.25.17 and 2.6.26.5
> >
> > dmesg + config: http://bugsplatter.id.au/kernel/boxen/deltree/
> >
>
> (cc netdev)

(cc netfilter-devel)

For those playing at home, 4294967295 is 32-bit -1.
* Re: [stable] regression in iptables: recent filter
From: Alexey Dobriyan @ 2008-09-12 3:11 UTC
To: Grant Coady; +Cc: linux-kernel, netdev, netfilter-devel

On Fri, Sep 12, 2008 at 11:53:35AM +1000, Grant Coady wrote:
> Last known good kernel: 2.6.24.7
>
> # iptables -N calmrate
> # iptables -A calmrate -p tcp -m state --state NEW \
> -m recent --name listrate --update --rttl \
> --seconds 60 --hitcount 60 -j DROP
> iptables: Unknown error 4294967295
>
> Fails for 2.6.25.17 and 2.6.26.5
>
> dmesg + config: http://bugsplatter.id.au/kernel/boxen/deltree/

You were einvaled by the following commit:

Reloading module with ip_pkt_list_tot=60 should fix it.

commit d0ebf133590abdc035af6e19a6568667af0ab3b0
Author: Daniel Hokka Zakrisson <daniel@hozac.com>
Date:   Thu Mar 20 15:07:10 2008 -0700

    [NETFILTER]: ipt_recent: sanity check hit count

    If a rule using ipt_recent is created with a hit count greater than
    ip_pkt_list_tot, the rule will never match as it cannot keep track of
    enough timestamps. This patch makes ipt_recent refuse to create such
    rules.

    With ip_pkt_list_tot's default value of 20, the following can be used
    to reproduce the problem.

    nc -u -l 0.0.0.0 1234 &
    for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done

    This limits it to 20 packets:
    iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
        --rsource
    iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
        60 --hitcount 20 --name test --rsource -j DROP

    While this is unlimited:
    iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
        --rsource
    iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
        60 --hitcount 21 --name test --rsource -j DROP

    With the patch the second rule-set will throw an EINVAL.

    Reported-by: Sean Kennedy <skennedy@vcn.com>
    Signed-off-by: Daniel Hokka Zakrisson <daniel@hozac.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c index 68cbe3c..8e8f042 100644 --- a/net/ipv4/netfilter/ipt_recent.c +++ b/net/ipv4/netfilter/ipt_recent.c @@ -252,6 +252,8 @@ recent_mt_check(const char *tablename, const void *ip, if ((info->check_set & (IPT_RECENT_SET | IPT_RECENT_REMOVE)) && (info->seconds || info->hit_count)) return false; + if (info->hit_count > ip_pkt_list_tot) + return false; if (info->name[0] == '\0' || strnlen(info->name, IPT_RECENT_NAME_LEN) == IPT_RECENT_NAME_LEN) return false; ^ permalink raw reply related [flat|nested] 5+ messages in thread
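Review bot: the new check `if (info->hit_count > ip_pkt_list_tot) return false;` rejects the rule silently; since a false from recent_mt_check only surfaces to the user as a bare EINVAL (this thread shows it as "iptables: Unknown error 4294967295" with an older iptables, "Invalid argument" with a current one), consider a printk in that branch that names both hit_count and ip_pkt_list_tot, so an administrator learns to reload the module with a larger ip_pkt_list_tot instead of having to read the source. The comparison itself looks right: `>` rather than `>=` keeps a hitcount equal to ip_pkt_list_tot loadable, matching the "hitcount 20 with the default of 20" case the commit message describes as working.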
* Re: [stable] regression in iptables: recent filter
From: Grant Coady @ 2008-09-12 3:29 UTC
To: Alexey Dobriyan; +Cc: Grant Coady, linux-kernel, netdev, netfilter-devel

On Fri, 12 Sep 2008 07:11:32 +0400, Alexey Dobriyan <adobriyan@gmail.com> wrote:

>On Fri, Sep 12, 2008 at 11:53:35AM +1000, Grant Coady wrote:
>> Last known good kernel: 2.6.24.7
>>
>> # iptables -N calmrate
>> # iptables -A calmrate -p tcp -m state --state NEW \
>> -m recent --name listrate --update --rttl \
>> --seconds 60 --hitcount 60 -j DROP
>> iptables: Unknown error 4294967295
>>
>> Fails for 2.6.25.17 and 2.6.26.5
>>
>> dmesg + config: http://bugsplatter.id.au/kernel/boxen/deltree/
>
>You were einvaled by the following commit:
>
>Reloading module with ip_pkt_list_tot=60 should fix it.

Thanks, I've just been through the sources and reached the same conclusion -- yes, okay with the ip_pkt_list_tot=60 :)

Not a very informative error message :(

The source needs some whitespace fixing too, but who cares?

Grant.
* Re: [stable] regression in iptables: recent filter
From: Jan Engelhardt @ 2008-09-12 5:46 UTC
To: Grant Coady
Cc: Alexey Dobriyan, Linux Kernel Mailing List, netdev, Netfilter Developer Mailing List

On Thursday 2008-09-11 23:29, Grant Coady wrote:

>On Fri, 12 Sep 2008 07:11:32 +0400, Alexey Dobriyan <adobriyan@gmail.com> wrote:
>>On Fri, Sep 12, 2008 at 11:53:35AM +1000, Grant Coady wrote:
>>> Last known good kernel: 2.6.24.7
>>>
>>> # iptables -N calmrate
>>> # iptables -A calmrate -p tcp -m state --state NEW \
>>> -m recent --name listrate --update --rttl \
>>> --seconds 60 --hitcount 60 -j DROP
>>> iptables: Unknown error 4294967295

Try upgrading the iptables binary as a freetime project. Because if the match check returned false, and the Xtables core subsequently returned -EINVAL, you would get

iptables: Invalid argument
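As an added example (not code from the thread or from the netfilter project): a POSIX shell pre-flight check that pulls --hitcount out of an iptables "-m recent" rule and compares it with ip_pkt_list_tot before the kernel gets a chance to answer with a bare EINVAL, plus a decoder for the 32-bit wrapped errno David Miller points out. The sysfs parameter paths and the fallback default of 20 are assumptions based on the module parameter named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for "-m recent" rules.
# ipt_recent/xt_recent rejects a rule whose --hitcount exceeds ip_pkt_list_tot
# and the kernel only returns -EINVAL, so check before calling iptables.

# Decode an errno that came back as an unsigned 32-bit value
# (4294967295 -> -1, as noted in the thread).
decode_errno() {
    v=$1
    [ "$v" -gt 2147483647 ] && v=$((v - 4294967296))
    printf '%s\n' "$v"
}

# Print the --hitcount value of an iptables rule string; nothing if absent.
rule_hitcount() {
    printf '%s\n' "$1" | sed -n 's/.*--hitcount[ =]*\([0-9][0-9]*\).*/\1/p'
}

# Current ip_pkt_list_tot: read from sysfs when the module is loaded
# (assumed paths), otherwise fall back to $1 (the module default is 20).
pkt_list_tot() {
    for f in /sys/module/xt_recent/parameters/ip_pkt_list_tot \
             /sys/module/ipt_recent/parameters/ip_pkt_list_tot; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    printf '%s\n' "${1:-20}"
}

# check_recent_rule RULE LIMIT: returns 0 if the rule will load, 1 if the
# kernel would reject it (hitcount > ip_pkt_list_tot), explaining on stderr.
check_recent_rule() {
    hc=$(rule_hitcount "$1")
    [ -z "$hc" ] && return 0
    if [ "$hc" -gt "$2" ]; then
        echo "--hitcount $hc > ip_pkt_list_tot=$2: reload the module with" \
             "ip_pkt_list_tot=$hc or lower --hitcount" >&2
        return 1
    fi
    return 0
}

# Usage with the rule from the thread against the current (or default) limit.
rule='iptables -A calmrate -p tcp -m state --state NEW -m recent --name listrate --update --rttl --seconds 60 --hitcount 60 -j DROP'
if check_recent_rule "$rule" "$(pkt_list_tot 20)"; then
    echo "rule is loadable"
else
    echo "rule would fail with errno $(decode_errno 4294967295) (EINVAL)"
fi
```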