lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4C498509.4010805@trash.net>
Date:	Fri, 23 Jul 2010 14:03:21 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	Eric Dumazet <eric.dumazet@...il.com>
CC:	Jan Engelhardt <jengelh@...ozas.de>,
	Changli Gao <xiaosuo@...il.com>,
	"David S. Miller" <davem@...emloft.net>,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH] xt_quota: don't copy quota back to userspace

On 23.07.2010 08:28, Eric Dumazet wrote:
> Le vendredi 23 juillet 2010 à 08:20 +0200, Jan Engelhardt a écrit :
>> On Friday 2010-07-23 06:54, Changli Gao wrote:
>>
>>> This patch should be applied after my another patch:
>>> http://patchwork.ozlabs.org/patch/59729/
>>>
>>> xt_quota: don't copy quota back to userspace
>>>
>>> In nowadays, table entries are per-cpu variables, so it don't make any 
>>> sense to copy quota back to one of the variable instances. To keep 
>>> things simple, this patch undo the copy.
>>
>> I object. This line is on purpose, to give at least a chance of 
>> reporting back a more-or-less believable value. Without copying
>> the value back, users have moaned about the counter not decreasing
>> _at all_.
> 
> Maybe, but current situation is buggy.

Indeed, besides not being able to properly "iptables-save" a rule,
its not possible to delete a specific quota rule since they can't
be distinguished based on the specified quota value:

# iptables -A INPUT -m quota --quota 1000
# iptables -A INPUT -m quota --quota 2000
# iptables -D INPUT -m quota --quota 2000
# iptables -vxnL INPUT
Chain INPUT (policy ACCEPT 2 packets, 96 bytes)
    pkts      bytes target     prot opt in     out     source
    destination
       6      356            all  --  *      *       0.0.0.0/0
  0.0.0.0/0           quota: 1644 bytes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ