./arch/arm/include/asm/div64.h:24:45: note: expected "uint64_t *"
{aka "long long unsigned int *"} but argument is of type
"long unsigned int *"
24 | static inline uint32_t __div64_32(uint64_t *n, uint32_t base)
The original patch for long division on x86 didn't take into account
the use of short circuit logic for checking if peer is NULL before
testing it. Here is a revised patch to v3.16.
get_seconds is removed in 5.11; its replacement ktime_get_real_seconds
is available since 3.19. The timestamps should not be affected by clock
resets, so will be switched to ktime_get_seconds.
Replace some instances of `printk(KERN_ERR PKNOCK ...)`. We define
`pr_fmt`, so `pr_err` is equivalent.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
shash_desc::flags was removed from the kernel in 5.1.
That assignment was actually superfluous anyway, because crypto.desc
is zero-initialized when crypto is initialized (xt_pknock.c, ll.
110ff.).
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
When the PK_CRYPTO pre-processor flag got removed in
v1.47.1-2-g66f213e, one of the removal cases was misapplied; the body
of an "#ifndef PK_CRYPTO" was left in rather than the whole section
being removed.
Since the last merge of the "api35" branch, further changes were
included into nf-next. This set of three commits updates the
xtables-addons API to match that.
xt_pknock.c: In function "update_peer":
xt_pknock.c:890:3: warning: implicit declaration of function "pass_security"
xt_pknock.c: In function "pknock_mt":
xt_pknock.c:1030:5: warning: implicit declaration of function "is_close_knock"
Handle specific case when someone put a (master) --opensecret
--closesecret rule after a --checkip rule with the same name.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Fixes a bug whereby an ST_ALLOWED peer existing for a time greater
than gc_expir_time would be gc-deleted, because both
!has_logged_during_this_minute(peer) and
is_interknock_time_exceeded(peer, rule->max_time) would be satisfied
for ST_ALLOWED hosts.
We also no longer test for !has_logged_during_this_minute(peer) in
peer_gc(), since there is really no need for this: the anti-spoof
minute check is performed (and subsequent remove_peer(peer) called if
needed) for each passing UDP-mode peer with expired autoclose in
pknock_mt(), given that --autoclose has been specified. If autoclose
has not been set, it will be subject to reset_knock_status(peer)
called from knock_mt() upon receiving the first closing secret - so it
is still guaranteed to disappear at the closest opportunity.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Renames:
update_rule_timer() -> update_gc_rule_timer()
is_time_exceeded() -> is_interknock_time_exceeded()
Changed some debug messages and comments to give more appropriate meanings.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
This avoids DDoS on the first-in-sequence TCP knockport, which would
otherwise fill up the peer table permanently - especially if the user
does not specify --autoclose - and would thus cause permanent pknock
DoS.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Added the optional "--autoclose" parameter (takes minutes) that
closes the pknock-opened rule in a specified time.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
In TCP --strict mode, forget the peer which sent the wrong knock in a
sequence, rather than resetting its status to ST_INIT. This avoids
filling up the peer table (which would lead to pknock DoS) in case of
a DDoS attack performed by a set of port-scanning malicious hosts.
