From 2b2b6246f0f2ded4d351aa9e7e3fe7b8a81059c6 Mon Sep 17 00:00:00 2001
From: Jan Rafaj
Date: Mon, 12 Oct 2009 00:01:32 +0200
Subject: [PATCH] pknock: Make non-zero time mandatory for TCP mode

This avoids DDoS on the first-in-sequence TCP knockport, which would otherwise fill up the peer table permanently - especially if the user does not specify --autoclose - and would thus cause permanent pknock DoS.

Signed-off-by: Jan Rafaj
---
 extensions/pknock/libxt_pknock.c | 6 ++++++
 extensions/pknock/xt_pknock.c    | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/extensions/pknock/libxt_pknock.c b/extensions/pknock/libxt_pknock.c
index 0027236..c6ad809 100644
--- a/extensions/pknock/libxt_pknock.c
+++ b/extensions/pknock/libxt_pknock.c
@@ -132,6 +132,9 @@ __pknock_parse(int c, char **argv, int invert, unsigned int *flags,
 			xtables_error(PARAMETER_PROBLEM, PKNOCK
 				"cannot use --time twice.\n");
 		info->max_time = atoi(optarg);
+		if (info->max_time == 0)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"--time number must be > 0.\n");
 		info->option |= XT_PKNOCK_TIME;
 		*flags |= XT_PKNOCK_TIME;
 		break;
@@ -256,6 +259,9 @@ static void pknock_mt_check(unsigned int flags)
 		if (flags & XT_PKNOCK_AUTOCLOSE)
 			xtables_error(PARAMETER_PROBLEM, PKNOCK
 				"cannot specify --autoclose with --checkip.\n");
+	} else if (!(flags & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_TIME))) {
+		xtables_error(PARAMETER_PROBLEM, PKNOCK
+			"you must specify --time.\n");
 	}
 }
 
diff --git a/extensions/pknock/xt_pknock.c b/extensions/pknock/xt_pknock.c
index 33b9aaf..44d3fdc 100644
--- a/extensions/pknock/xt_pknock.c
+++ b/extensions/pknock/xt_pknock.c
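Review bot: The new `info->max_time == 0` check in the first hunk still lets a negative argument through, because `atoi(optarg)` on the line above it turns `--time -5` into a non-zero value; depending on the declared type of max_time (outside this hunk) that is stored as a negative or a very large timeout, which defeats the bounded peer lifetime the commit is introducing, and `atoi` also silently accepts trailing garbage such as `10x`. Parse with a bounded helper instead: declare `unsigned int t;`, replace the atoi line with `if (!xtables_strtoui(optarg, NULL, &t, 1, UINT_MAX))` raising the same xtables_error, and then `info->max_time = t;`. If the libxtables this tree targets predates xtables_strtoui, `strtoul` with an end-pointer/ERANGE check plus an explicit rejection of a leading `-` gives the same guarantee. __pknock_parse starts and ends outside the hunk.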
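Review bot: The new `else if` branch at the end of pknock_mt_check in the second hunk gives no hint why `--time` became mandatory or why `--opensecret` lifts the requirement; the rationale exists only in the commit message, so a later reader cannot tell whether the OPENSECRET exemption is deliberate. Add a why-comment above the branch, e.g. `/* Plain TCP knock mode: require --time so peers stuck mid-sequence expire instead of occupying the peer table indefinitely. */`, and consider naming the alternative in the message, `"you must specify --time (or --opensecret).\n"`. The `if` this `else` attaches to begins before the hunk, so the mode covered by the first branch is inferred here, and the same rule is mirrored in the kernel hunk for xt_pknock.c.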
@@ -1093,6 +1093,8 @@ static bool pknock_mt_check(const struct xt_mtchk_param *par)
 			RETURN_ERR("Can't specify --time with --checkip.\n");
 		if (info->option & XT_PKNOCK_AUTOCLOSE)
 			RETURN_ERR("Can't specify --autoclose with --checkip.\n");
+	} else if (!(info->option & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_TIME))) {
+		RETURN_ERR("you must specify --time.\n");
 	}
 
 	if (info->option & XT_PKNOCK_OPENSECRET) {
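Review bot: Within this hunk the kernel-side check tests only the XT_PKNOCK_TIME flag and never validates `info->max_time` itself, so the zero-timeout case the commit sets out to close is still accepted from a ruleset that sets the flag with max_time == 0 — the kernel cannot assume the match info was produced by the patched libxt_pknock.c, since a privileged userspace may hand it any struct. If a zero max_time is treated as "never expires" in the match path (that code is outside the hunk), the peer-table exhaustion described in the commit message returns. Add the value check beside the new branch: `if ((info->option & XT_PKNOCK_TIME) && info->max_time == 0)` followed by `RETURN_ERR("--time must be > 0.\n");`. pknock_mt_check continues on both sides of the hunk.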