Message-ID: <20150212105417.0379fed8@bother.homenet>
Date: Thu, 12 Feb 2015 10:54:17 +0000
From: Chris Vine <chris@...ne.freeserve.co.uk>
To: Florian Westphal <fw@...len.de>
Cc: Cong Wang <xiyou.wangcong@...il.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, netfilter-devel@...r.kernel.org, Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: xt_recent broken in kernel 3.19.0 + PATCH

On Thu, 12 Feb 2015 10:26:16 +0000
Chris Vine <chris@...ne.freeserve.co.uk> wrote:

> On Thu, 12 Feb 2015 09:35:33 +0100
> Florian Westphal <fw@...len.de> wrote:
> > Cong Wang <xiyou.wangcong@...il.com> wrote:
> > > (Cc'ing netdev and netfilter-devel lists)
> >
> > Thanks for forwarding.
> >
> > > > Chris Vine <chris@...ne.freeserve.co.uk> wrote:
> > > >> iptables -D SSH_CHAIN -m conntrack --ctstate NEW \
> > > >> -m recent --update --seconds $SSH_LOGIN_PERIOD --hitcount
> > > >> $SSH_TRIES -j DROP
> > > > --- linux-3.19.0/net/netfilter/xt_recent.c~ 2015-02-10 09:18:44.657376355 +0000
> > > > +++ linux-3.19.0/net/netfilter/xt_recent.c 2015-02-11 17:58:33.311608835 +0000
> > > > @@ -378,7 +378,7 @@
> > > >   mutex_lock(&recent_mutex);
> > > >   t = recent_table_lookup(recent_net, info->name);
> > > >   if (t != NULL) {
> > > > - if (info->hit_count > t->nstamps_max_mask) {
> > > > + if (info->hit_count > t->nstamps_max_mask + 1) {
> >
> > Looks good. Chris, could you formally submit this patch to
> > netfilter-devel@...r.kernel.org?
> >
> > Thanks!
>
> Done.

On further testing I see that that patch only solves the problem if
SSH_TRIES is set to a power of two boundary. You still get an error
loading the rule if it is anything else. I think there is something
wrong with the nstamp_mask heuristic which is used here.

Chris
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
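Review bot: the quoted hunk cannot be reviewed as submitted, because only the `@@ -378,7 +378,7 @@` header, three leading context statements and the single changed comparison survive; the trailing context of the hunk is missing, so it is not possible to check that whatever handles the rejected case was adjusted to agree with the new `t->nstamps_max_mask + 1` bound. Please resend the complete hunk. On the substance, the change only widens the accepted range by one (a `--hitcount` equal to the table's existing mask plus one is now allowed, anything larger is still rejected), which is consistent with the follow-up in this message that the rule still fails to load unless SSH_TRIES lands on a power-of-two boundary; that points at how `nstamps_max_mask` is derived when the table is first created (the nstamp_mask heuristic mentioned above) rather than at this comparison, so the fix should be reworked there and the test repeated with a non-power-of-two hitcount.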