anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-08 13:44:56 +02:00
Code Issues Releases Wiki Activity

pknock: disallow running peer_gc too early

Browse Source 
It is no longer possible to specify gc_expir_time with a time lower
than its default value (65000 msecs). This is to avoid running
peer_gc() earlier than 1 minute [well, 65 s actually] in the future,
which would otherwise render anti-spoof protection in SPA mode
non-functional.
This commit is contained in:
Jan Rafaj
2009-09-01 19:52:48 +02:00
committed by Jan Engelhardt
parent 1bc7f1be67
commit e0276b4875
2 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
doc/changelog.txt
View File

@@ -4,6 +4,8 @@
- added reworked xt_pknock module - added reworked xt_pknock module
Changes from pknock v0.5: Changes from pknock v0.5:
- pknock: "strict" and "checkip" flags were not displayed in `iptables -L` - pknock: "strict" and "checkip" flags were not displayed in `iptables -L`
- pknock: the GC expire time's lower bound is now the default gc time
(65000 msec) to avoid rendering anti-spoof protection in SPA mode useless
Xtables-addons 1.18 (September 09 2009) Xtables-addons 1.18 (September 09 2009)

2
extensions/xt_pknock.c
View File

@@ -1104,6 +1104,8 @@ static struct xt_match xt_pknock_mt_reg __read_mostly = {
static int __init xt_pknock_mt_init(void) static int __init xt_pknock_mt_init(void)
{ {
if (gc_expir_time < DEFAULT_GC_EXPIRATION_TIME)
gc_expir_time = DEFAULT_GC_EXPIRATION_TIME;
#ifdef PK_CRYPTO #ifdef PK_CRYPTO
if (request_module(crypto.algo) < 0) { if (request_module(crypto.algo) < 0) {
printk(KERN_ERR PKNOCK "request_module('%s') error.\n", printk(KERN_ERR PKNOCK "request_module('%s') error.\n",