xt_pknock.c: In function "update_peer":
xt_pknock.c:890:3: warning: implicit declaration of function "pass_security"
xt_pknock.c: In function "pknock_mt":
xt_pknock.c:1030:5: warning: implicit declaration of function "is_close_knock"
IP refers to Internet Protocol; adding "address" is therefore beneficial.
The CIDR size is better known as "prefix length".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Consistently apply markup so that only replaceable items are italic,
and only items to be typed verbatim are bold. Also apply the command
syntax "BNF" (where and when to use [], {}) that is used in the
iptables manpages to ipset.8.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
There is another mistake in the code. I have checked the Gnutella
protocol specification -- looks like the line separation is 0x0d-0x0a
and not 0x0a-0x0d (it seemed obvious but I was not sure and thought
they cannot have possibly got that wrong...). It would certainly
explain why I have never seen a match on any of my systems.
pknlusr.c: In function "main":
pknlusr.c:81:25: warning: cast to pointer from integer of different size
pknlusr.c:81:7: warning: cast to pointer from integer of different size
Handle specific case when someone put a (master) --opensecret
--closesecret rule after a --checkip rule with the same name.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Fixes a bug whereby an ST_ALLOWED peer existing for a time greater
than gc_expir_time would be gc-deleted, because both
!has_logged_during_this_minute(peer) and
is_interknock_time_exceeded(peer, rule->max_time) would be satisfied
for ST_ALLOWED hosts.
We also no longer test for !has_logged_during_this_minute(peer) in
peer_gc(), since there is really no need for this: the anti-spoof
minute check is performed (and subsequent remove_peer(peer) called if
needed) for each passing UDP-mode peer with expired autoclose in
pknock_mt(), given that --autoclose has been specified. If autoclose
has not been set, it will be subject to reset_knock_status(peer)
called from knock_mt() upon receiving the first closing secret - so it
is still guaranteed to disappear at the closest opportunity.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Renames:
update_rule_timer() -> update_gc_rule_timer()
is_time_exceeded() -> is_interknock_time_exceeded()
Changed some debug messages and comments to give more appropriate meanings.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
This avoids DDoS on the first-in-sequence TCP knockport, which would
otherwise fill up the peer table permanently - especially if the user
does not specify --autoclose - and would thus cause permanent pknock
DoS.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Added the optional "--autoclose" parameter (takes minutes) that
closes the pknock-opened rule in a specified time.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Just below the check that was just removed, the presence of --name is
tested for, as --name is always required. That makes the (flags == 0)
check superfluous, because non-zeroness is ensured by the name check.
Olivier Mehani