Commit cef9ed86 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: xt_recent: don't reject rule if new hitcount exceeds table max

given:
-A INPUT -m recent --update --seconds 30 --hitcount 4
and
iptables-save > foo

then
iptables-restore < foo

will fail with:
kernel: xt_recent: hitcount (4) is larger than packets to be remembered (4) for table DEFAULT

Even when the check is fixed, the restore won't work if the hitcount is
increased to e.g. 6, since by the time checkentry runs it will find the
'old' incarnation of the table.

We can avoid this by increasing the maximum threshold silently; we only
have to rm all the current entries of the table (these entries would
not have enough room to handle the increased hitcount).

This even makes (not-very-useful)
-A INPUT -m recent --update --seconds 30 --hitcount 4
-A INPUT -m recent --update --seconds 30 --hitcount 42
work.

Fixes: abc86d0f (netfilter: xt_recent: relax ip_pkt_list_tot restrictions)
Tracked-down-by: default avatarChris Vine <chris@cvine.freeserve.co.uk>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 520aa741
...@@ -378,12 +378,11 @@ static int recent_mt_check(const struct xt_mtchk_param *par, ...@@ -378,12 +378,11 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
mutex_lock(&recent_mutex); mutex_lock(&recent_mutex);
t = recent_table_lookup(recent_net, info->name); t = recent_table_lookup(recent_net, info->name);
if (t != NULL) { if (t != NULL) {
if (info->hit_count > t->nstamps_max_mask) { if (nstamp_mask > t->nstamps_max_mask) {
pr_info("hitcount (%u) is larger than packets to be remembered (%u) for table %s\n", spin_lock_bh(&recent_lock);
info->hit_count, t->nstamps_max_mask + 1, recent_table_flush(t);
info->name); t->nstamps_max_mask = nstamp_mask;
ret = -EINVAL; spin_unlock_bh(&recent_lock);
goto out;
} }
t->refcnt++; t->refcnt++;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment