From b132101b63a044a42dfb7e9ed825de4099f60ba9 Mon Sep 17 00:00:00 2001
From: Jan Rafaj
Date: Mon, 12 Oct 2009 00:01:35 +0200
Subject: [PATCH] pknock: check interknock time only for !ST_ALLOWED peers

Fixes a bug whereby an ST_ALLOWED peer existing for a time greater than gc_expir_time would be gc-deleted, because both !has_logged_during_this_minute(peer) and is_interknock_time_exceeded(peer, rule->max_time) would be satisfied for ST_ALLOWED hosts.

We also no longer test for !has_logged_during_this_minute(peer) in peer_gc(), since there is really no need for this: the anti-spoof minute check is performed (and subsequent remove_peer(peer) called if needed) for each passing UDP-mode peer with expired autoclose in pknock_mt(), given that --autoclose has been specified. If autoclose has not been set, it will be subject to reset_knock_status(peer) called from knock_mt() upon receiving the first closing secret - so it is still guaranteed to disappear at the closest opportunity.

Signed-off-by: Jan Rafaj
---
 extensions/pknock/xt_pknock.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/extensions/pknock/xt_pknock.c b/extensions/pknock/xt_pknock.c
index e8dd654..50789e5 100644
--- a/extensions/pknock/xt_pknock.c
+++ b/extensions/pknock/xt_pknock.c
@@ -376,15 +376,20 @@ peer_gc(unsigned long r)
 	struct peer *peer;
 	struct list_head *pos, *n;
+	pr_debug("(S) running %s\n", __func__);
 	hashtable_for_each_safe(pos, n, rule->peer_head, peer_hashsize, i) {
 		peer = list_entry(pos, struct peer, head);
-		if ((!has_logged_during_this_minute(peer) &&
+		/*
+		 * Remove any peer whose (inter-knock) max_time
+		 * or autoclose_time passed.
+		 */
+		if ((peer->status != ST_ALLOWED &&
 		is_interknock_time_exceeded(peer, rule->max_time)) ||
 		(peer->status == ST_ALLOWED &&
 		autoclose_time_passed(peer, rule->autoclose_time))) {
-			pk_debug("DESTROYED", peer);
+			pk_debug("GC-DELETED", peer);
 			list_del(pos);
 			kfree(peer);
 		}