Added the optional "--autoclose" parameter (takes minutes) that
closes the pknock-opened rule in a specified time.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Just below the check that was just removed, the presence of --name is
tested for, as --name is always required. That makes the (flags == 0)
check superfluous, because non-zeroness is ensured by the name check.
In TCP --strict mode, forget the peer which sent the wrong knock in a
sequence, rather than resetting its status to ST_INIT. This avoids
filling up the peer table (which would lead to pknock DoS) in case of
a DDoS attack performed by a set of port-scanning malicious hosts.
If rule->peer_head==NULL due to an unsuccessful allocation, peer_gc
(and perhaps other places) may crash when they try to access it.
Since I see no deferred retry for allocation, the only option is to
fail in add_rule, clean it up, and return false instead.
Independent of that problem, it also needs to free peer_head in case
the status_proc allocation fails.
It is no longer possible to specify gc_expir_time with a time lower
than its default value (65000 msecs). This is to avoid running
peer_gc() earlier than 1 minute [well, 65 s actually] in the future,
which would otherwise render anti-spoof protection in SPA mode
non-functional.
- $Id$ in a comment is pointless.
- remove unneeded/commented-out includes.
- remove warning messages on allocation failure
(if that happens it is almost too late anyway;
not wanting to spam the logs)
- remove warning messages about unhandled packets
(attacker filling up logs)
First, there is a memory leak - when the crypto functions fail,
hexresult was not freed. Second, in that error case, the return value
is simply passed up to the caller, ignoring the different meanings of
0 and 1 between crypto and pknock.
Some functions like the crypto init or proc_mkdir do not return an
error value. Replace the -1, which is actually EPERM, and looks a
little out of place, and use ENXIO instead. (After all, the requested
objects were not there after the request of initialization.)
Since pr_debug depends on #if DEBUG anyway, there is no need to
contain DEBUGP/pk_debug within a further if. Rename from DEBUGP to
pk_debug, because DEBUGP is flagged by Xtables-addons (- and that's
good so, because often DEBUGPs should have been pr_debug instead).
The printk calls were protected using #if DEBUG anyway, so they can
just be changed to pr_debug. pr_debug also depends on #if DEBUG, and
takes care of the module prefix.
