pknock: check interknock time only for !ST_ALLOWED peers

Fixes a bug whereby an ST_ALLOWED peer existing for a time greater
than gc_expir_time would be gc-deleted, because both
!has_logged_during_this_minute(peer) and
is_interknock_time_exceeded(peer, rule->max_time) would be satisfied
for ST_ALLOWED hosts.

We also no longer test for !has_logged_during_this_minute(peer) in
peer_gc(), since there is really no need for this: the anti-spoof
minute check is performed (and subsequent remove_peer(peer) called if
needed) for each passing UDP-mode peer with expired autoclose in
pknock_mt(), given that --autoclose has been specified. If autoclose
has not been set, it will be subject to reset_knock_status(peer)
called from knock_mt() upon receiving the first closing secret - so it
is still guaranteed to disappear at the closest opportunity.

Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Jan Rafaj
2009-10-12 00:01:35 +02:00
committed by Jan Engelhardt
parent 71beab548d
commit b132101b63


@@ -376,15 +376,20 @@ peer_gc(unsigned long r)
struct peer *peer; struct peer *peer;
struct list_head *pos, *n; struct list_head *pos, *n;
pr_debug("(S) running %s\n", __func__);
hashtable_for_each_safe(pos, n, rule->peer_head, peer_hashsize, i) { hashtable_for_each_safe(pos, n, rule->peer_head, peer_hashsize, i) {
peer = list_entry(pos, struct peer, head); peer = list_entry(pos, struct peer, head);
if ((!has_logged_during_this_minute(peer) && /*
* Remove any peer whose (inter-knock) max_time
* or autoclose_time passed.
*/
if ((peer->status != ST_ALLOWED &&
is_interknock_time_exceeded(peer, rule->max_time)) || is_interknock_time_exceeded(peer, rule->max_time)) ||
(peer->status == ST_ALLOWED && (peer->status == ST_ALLOWED &&
autoclose_time_passed(peer, rule->autoclose_time))) autoclose_time_passed(peer, rule->autoclose_time)))
{ {
pk_debug("DESTROYED", peer); pk_debug("GC-DELETED", peer);
list_del(pos); list_del(pos);
kfree(peer); kfree(peer);
} }
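Review bot: the ST_ALLOWED branch of the new condition in peer_gc() silently relies on autoclose_time_passed(peer, rule->autoclose_time) returning false when --autoclose was not given (i.e. rule->autoclose_time is its unset value); nothing in this hunk shows that contract, and the commit message only argues that such a peer is later reset via reset_knock_status() from knock_mt(). If autoclose_time_passed() treats an unset autoclose_time as "already passed", every ST_ALLOWED peer would be GC-deleted on the first gc pass, which is the opposite of what the fix intends. Please either add an explicit guard, e.g. "(peer->status == ST_ALLOWED && rule->autoclose_time != 0 && autoclose_time_passed(...))" if that matches how the rule stores the option, or extend the new comment ("Remove any peer whose (inter-knock) max_time or autoclose_time passed.") to state that ST_ALLOWED peers are only collected here when --autoclose is set and are otherwise closed by the closing secret. A small point on the same lines: the comment says "max_time or autoclose_time passed" but the code keys the choice on peer->status, so it is worth spelling out that max_time applies only to peers still in the knock sequence (status != ST_ALLOWED) and autoclose_time only to ST_ALLOWED peers, since that status split is the whole bug fix.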