pknock: Make non-zero time mandatory for TCP mode

This avoids a DDoS against the first-in-sequence TCP knock port, which would
otherwise fill up the peer table permanently - especially if the user
does not specify --autoclose - and would thus cause a permanent pknock
DoS.

Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Jan Rafaj
2009-10-12 00:01:32 +02:00
committed by Jan Engelhardt
parent 98e5dfd6ef
commit 2b2b6246f0
2 changed files with 8 additions and 0 deletions


@@ -1093,6 +1093,8 @@ static bool pknock_mt_check(const struct xt_mtchk_param *par)
RETURN_ERR("Can't specify --time with --checkip.\n");
if (info->option & XT_PKNOCK_AUTOCLOSE)
RETURN_ERR("Can't specify --autoclose with --checkip.\n");
} else if (!(info->option & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_TIME))) {
RETURN_ERR("you must specify --time.\n");
}
if (info->option & XT_PKNOCK_OPENSECRET) {