In case the kernel is built without IPv6 support the compilation of
this module fails as it assumes IPv6. This patch makes kernel support
conditional on kernel .config.
In case the kernel is built without IPv6 support the compilation of
this module fails as it assumes IPv6. This patch makes kernel support
conditional on kernel .config.
This commit adds an option to xt_quota2 called "no-change". The
effect of this option, when used, is that it will skip incrementing
or decrementing the quota counter, effectively providing a quota test
only.
The reason for implementing this is so that I could have a rule check
if quota is available for a rule in the PREROUTING tables, without
actually decrementing the amount of available quota. I only wanted to
decrement the amount of available quota in the FORWARD rule.
Otherwise, the first packet of every connection would be counted
twice.
Not sure if this was overlooked, or if it is not in a suitable state
for general use, but lets give it a shot and see how it works.
Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
[j.eng: it was overlooked]
xt_pknock.c: In function "update_peer":
xt_pknock.c:890:3: warning: implicit declaration of function "pass_security"
xt_pknock.c: In function "pknock_mt":
xt_pknock.c:1030:5: warning: implicit declaration of function "is_close_knock"
IP refers to Internet Protocol; adding "address" is therefore beneficial.
The CIDR size is better known as "prefix length".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Consistently apply markup so that only replaceable items are italic,
and only items to be typed verbatim are bold. Also apply the command
syntax "BNF" (where and when to use [], {}) that is used in the
iptables manpages to ipset.8.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
There is another mistake in the code. I have checked the Gnutella
protocol specification -- looks like the line separation is 0x0d-0x0a
and not 0x0a-0x0d (it seemed obvious but I was not sure and thought
they cannot have possibly got that wrong...). It would certainly
explain why I have never seen a match on any of my systems.
pknlusr.c: In function "main":
pknlusr.c:81:25: warning: cast to pointer from integer of different size
pknlusr.c:81:7: warning: cast to pointer from integer of different size
Handle specific case when someone put a (master) --opensecret
--closesecret rule after a --checkip rule with the same name.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Fixes a bug whereby an ST_ALLOWED peer existing for a time greater
than gc_expir_time would be gc-deleted, because both
!has_logged_during_this_minute(peer) and
is_interknock_time_exceeded(peer, rule->max_time) would be satisfied
for ST_ALLOWED hosts.
We also no longer test for !has_logged_during_this_minute(peer) in
peer_gc(), since there is really no need for this: the anti-spoof
minute check is performed (and subsequent remove_peer(peer) called if
needed) for each passing UDP-mode peer with expired autoclose in
pknock_mt(), given that --autoclose has been specified. If autoclose
has not been set, it will be subject to reset_knock_status(peer)
called from knock_mt() upon receiving the first closing secret - so it
is still guaranteed to disappear at the closest opportunity.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Renames:
update_rule_timer() -> update_gc_rule_timer()
is_time_exceeded() -> is_interknock_time_exceeded()
Changed some debug messages and comments to give more appropriate meanings.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
