author:    Phil Oester <kernel@linuxace.com>   2005-12-01 23:29:24 +0100
committer: David S. Miller <davem@davemloft.net>   2005-12-01 23:29:24 +0100
commit:    2a43c4af3fa2e701008d51c28365e26fccf9cbb0
tree:      4018c6b43c81875c424502ca1b7bc464a22064c0 /net
parent:    [NETFILTER]: Ignore ACKs ACKs on half open connections in TCP conntrack
download:  linux-2a43c4af3fa2e701008d51c28365e26fccf9cbb0.tar.xz
           linux-2a43c4af3fa2e701008d51c28365e26fccf9cbb0.zip
[NETFILTER]: Fix recent match jiffies wrap mismatches
Around jiffies wrap time (i.e. within first 5 mins after boot), recent match rules which contain both --seconds and --hitcount arguments experience false matches. This is because the last_pkts array is filled with zeros on creation, and when comparing 'now' to 0 (+ --seconds argument), time_before_eq thinks it has found a hit.

Below patch adds a break if the packet value is zero. This has the unfortunate side effect of causing mismatches if a packet was received when jiffies really was equal to zero. The odds of that happening are slim compared to the problems caused by not adding the break however. Plus, the author used this same method just below, so it is "good enough".

This fixes netfilter bugs #383 and #395.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
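The false match the commit message describes, modelled in user space as an added example (this is not the kernel's code nor part of the patch): a 32-bit jiffies counter that starts five minutes short of wrapping, the time_before_eq() comparison as defined in include/linux/jiffies.h, and the --seconds/--hitcount loop run both with and without the new break. HZ, the list size IP_PKT_LIST_TOT, the helper names and the sample timestamps are assumptions chosen for the demonstration.

```c
/* Added example, not code from the kernel or from this patch: a user-space
 * model of the ipt_recent --seconds/--hitcount loop before and after the
 * change, run against a 32-bit jiffies counter.  time_before_eq() follows
 * include/linux/jiffies.h; HZ, the list size and the sample timestamps
 * are assumptions made for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HZ 1000
#define IP_PKT_LIST_TOT 20          /* assumed size of last_pkts[] */
typedef uint32_t jiffies_t;         /* 32-bit jiffies, as on i386 */

/* The kernel starts jiffies five minutes short of wrapping so that wrap
 * bugs surface early; INITIAL_JIFFIES is (unsigned int)(-300 * HZ). */
#define INITIAL_JIFFIES ((jiffies_t)(-300 * HZ))

/* time_after_eq()/time_before_eq() compare a signed difference so that
 * they give the right answer on either side of the unsigned wrap. */
#define time_after_eq(a, b)  ((int32_t)((a) - (b)) >= 0)
#define time_before_eq(a, b) time_after_eq(b, a)

/* Count entries of last_pkts[] that lie within `seconds` of `now`.
 * fixed == 0: pre-patch loop, empty (zero) slots are compared as timestamps.
 * fixed != 0: patched loop, the scan stops at the first empty slot. */
unsigned int count_hits(jiffies_t now, const jiffies_t *last_pkts,
                        unsigned int seconds, int fixed)
{
    unsigned int pkt_count, hits_found = 0;

    for (pkt_count = 0; pkt_count < IP_PKT_LIST_TOT; pkt_count++) {
        if (fixed && last_pkts[pkt_count] == 0)
            break;
        if (time_before_eq(now, last_pkts[pkt_count] + seconds * HZ))
            hits_found++;
    }
    return hits_found;
}

/* Bugs #383/#395: a freshly created, zero-filled entry evaluated
 * `uptime_seconds` after boot with --seconds 60.  While jiffies is still
 * below its wrap point, every zero slot counts as a hit before the fix. */
unsigned int hits_empty_list(unsigned int uptime_seconds, int fixed)
{
    jiffies_t last_pkts[IP_PKT_LIST_TOT];
    jiffies_t now = INITIAL_JIFFIES + uptime_seconds * HZ;

    memset(last_pkts, 0, sizeof(last_pkts));    /* as on entry creation */
    return count_hits(now, last_pkts, 60, fixed);
}

/* Constructed traffic 200 s after boot (still before the wrap): packets
 * seen 10 s, 30 s and 120 s ago, so --seconds 60 should report two hits.
 * Before the fix the 17 empty slots behind them are counted as well. */
unsigned int hits_real_traffic(int fixed)
{
    jiffies_t last_pkts[IP_PKT_LIST_TOT] = {0};
    jiffies_t now = INITIAL_JIFFIES + 200 * HZ;

    last_pkts[0] = now - 10 * HZ;
    last_pkts[1] = now - 30 * HZ;
    last_pkts[2] = now - 120 * HZ;
    return count_hits(now, last_pkts, 60, fixed);
}

int main(void)
{
    printf("empty list, 10 s uptime:   before fix %u hits, after fix %u hits\n",
           hits_empty_list(10, 0), hits_empty_list(10, 1));
    printf("empty list, 1000 s uptime: before fix %u hits, after fix %u hits\n",
           hits_empty_list(1000, 0), hits_empty_list(1000, 1));
    printf("3 packets, 200 s uptime:   before fix %u hits, after fix %u hits\n",
           hits_real_traffic(0), hits_real_traffic(1));
    return 0;
}
```

The model shows why the window is "the first 5 mins after boot": with now just above INITIAL_JIFFIES, the signed difference (0 + seconds*HZ) - now is a small positive number, so time_before_eq() reports a hit for every zero slot; once jiffies has wrapped past zero the same comparison is negative and the empty slots stop matching, which is why the bug is invisible on a long-running box.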
Diffstat (limited to 'net')
 net/ipv4/netfilter/ipt_recent.c | 1 +
 1 file changed, 1 insertion(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 2d44b07688af..261cbb4d4c49 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -532,6 +532,7 @@ match(const struct sk_buff *skb,
}
if(info->seconds && info->hit_count) {
for(pkt_count = 0, hits_found = 0; pkt_count < ip_pkt_list_tot; pkt_count++) {
+ if(r_list[location].last_pkts[pkt_count] == 0) break;
if(time_before_eq(now,r_list[location].last_pkts[pkt_count]+info->seconds*HZ)) hits_found++;
}
if(hits_found >= info->hit_count) ans = !info->invert; else ans = info->invert;
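Review bot: the added `if(r_list[location].last_pkts[pkt_count] == 0) break;` uses a zero timestamp as the "empty slot" sentinel, so a packet whose recorded jiffies value really was 0 ends the scan early and every later entry is ignored; the commit message accepts this trade-off, but it is cheap to avoid. Bounding the loop by a count of valid entries for this address instead of the full ip_pkt_list_tot (`for (...; pkt_count < valid_entries; ...)`) removes the comparison against zeroed slots entirely rather than special-casing the value, and it no longer relies on unused slots being contiguous at the tail of the array, which the visible hunk does not establish. The break also silently assumes that nothing after the first zero slot is in use; if last_pkts is ever written out of order that assumption fails and hits are under-counted.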