pknock: Make non-zero time mandatory for TCP mode

This avoids DDoS on the first-in-sequence TCP knockport, which would otherwise fill up the peer table permanently - especially if the user does not specify --autoclose - and would thus cause permanent pknock DoS. Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
2025-09-06 12:45:13 +02:00 · 2009-10-12 00:01:32 +02:00
parent 98e5dfd6ef
commit 2b2b6246f0
2 changed files with 8 additions and 0 deletions
--- a/extensions/pknock/libxt_pknock.c
+++ b/extensions/pknock/libxt_pknock.c
@@ -132,6 +132,9 @@ __pknock_parse(int c, char **argv, int invert, unsigned int *flags,
 			xtables_error(PARAMETER_PROBLEM, PKNOCK
 				"cannot use --time twice.\n");
 		info->max_time = atoi(optarg);
+		if (info->max_time == 0)
+			xtables_error(PARAMETER_PROBLEM, PKNOCK
+				"--time number must be > 0.\n");
 		info->option |= XT_PKNOCK_TIME;
 		*flags |= XT_PKNOCK_TIME;
 		break;
@@ -256,6 +259,9 @@ static void pknock_mt_check(unsigned int flags)
 		if (flags & XT_PKNOCK_AUTOCLOSE)
 			xtables_error(PARAMETER_PROBLEM, PKNOCK
 				"cannot specify --autoclose with --checkip.\n");
+	} else if (!(flags & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_TIME))) {
+		xtables_error(PARAMETER_PROBLEM, PKNOCK
+			"you must specify --time.\n");
 	}
 }

--- a/extensions/pknock/xt_pknock.c
+++ b/extensions/pknock/xt_pknock.c
@@ -1093,6 +1093,8 @@ static bool pknock_mt_check(const struct xt_mtchk_param *par)
 			RETURN_ERR("Can't specify --time with --checkip.\n");
 		if (info->option & XT_PKNOCK_AUTOCLOSE)
 			RETURN_ERR("Can't specify --autoclose with --checkip.\n");
+	} else if (!(info->option & (XT_PKNOCK_OPENSECRET | XT_PKNOCK_TIME))) {
+		RETURN_ERR("you must specify --time.\n");
 	}

 	if (info->option & XT_PKNOCK_OPENSECRET) {