pknock: Make non-zero time mandatory for TCP mode

This avoids a DDoS on the first-in-sequence TCP knock port, which would
otherwise fill up the peer table permanently — especially if the user
does not specify --autoclose — and would thus cause a permanent pknock
DoS.

Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Jan Rafaj
2009-10-12 00:01:32 +02:00
committed by Jan Engelhardt
parent 98e5dfd6ef
commit 2b2b6246f0
2 changed files with 8 additions and 0 deletions


@@ -132,6 +132,9 @@ __pknock_parse(int c, char **argv, int invert, unsigned int *flags,
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot use --time twice.\n");
info->max_time = atoi(optarg);
if (info->max_time == 0)
xtables_error(PARAMETER_PROBLEM, PKNOCK
"--time number must be > 0.\n");
info->option |= XT_PKNOCK_TIME;
*flags |= XT_PKNOCK_TIME;
break;
@@ -256,6 +259,9 @@ static void pknock_mt_check(unsigned int flags)
if (flags & XT_PKNOCK_AUTOCLOSE)
xtables_error(PARAMETER_PROBLEM, PKNOCK
"cannot specify --autoclose with --checkip.\n");
} else if (!(flags & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_TIME))) {
xtables_error(PARAMETER_PROBLEM, PKNOCK
"you must specify --time.\n");
}
}