From e0276b4875c51a9d401b14d075208cdb8d05956e Mon Sep 17 00:00:00 2001
From: Jan Rafaj
Date: Tue, 1 Sep 2009 19:52:48 +0200
Subject: [PATCH] pknock: disallow running peer_gc too early

It is no longer possible to specify gc_expir_time with a time lower than its default value (65000 msecs). This is to avoid running peer_gc() earlier than 1 minute [well, 65 s actually] in the future, which would otherwise render anti-spoof protection in SPA mode non-functional.
---
 doc/changelog.txt | 2 ++
 extensions/xt_pknock.c | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/doc/changelog.txt b/doc/changelog.txt
index dc96fa5..494818a 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -4,6 +4,8 @@
 - added reworked xt_pknock module
 Changes from pknock v0.5:
 - pknock: "strict" and "checkip" flags were not displayed in `iptables -L`
+ - pknock: the GC expire time's lower bound is now the default gc time
+ (65000 msec) to avoid rendering anti-spoof protection in SPA mode useless
 Xtables-addons 1.18 (September 09 2009)
diff --git a/extensions/xt_pknock.c b/extensions/xt_pknock.c
index f805925..97ccec3 100644
--- a/extensions/xt_pknock.c
+++ b/extensions/xt_pknock.c
@@ -1104,6 +1104,8 @@ static struct xt_match xt_pknock_mt_reg __read_mostly = {
 static int __init xt_pknock_mt_init(void)
 {
+ if (gc_expir_time < DEFAULT_GC_EXPIRATION_TIME)
+ gc_expir_time = DEFAULT_GC_EXPIRATION_TIME;
 #ifdef PK_CRYPTO
 if (request_module(crypto.algo) < 0) {
 printk(KERN_ERR PKNOCK "request_module('%s') error.\n",
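Review bot: The clamp added at the top of xt_pknock_mt_init silently rewrites a gc_expir_time that was set below DEFAULT_GC_EXPIRATION_TIME, so an administrator who chose a smaller value gets no trace in the log that it was overridden. Since the commit message ties this bound to keeping SPA anti-spoof protection working, the override is worth announcing before the assignment, e.g. `printk(KERN_WARNING PKNOCK "gc_expir_time too low, raising it to the default minimum.\n");`. The module parameter description for gc_expir_time (outside this hunk) should also state the 65000 msec lower bound so the adjustment is not a surprise. If the parameter is registered with a writable sysfs mode, this check runs only at module load and a later write could again go below the bound; that cannot be seen from the hunk and is worth confirming. xt_pknock_mt_init continues past the end of the hunk.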