This avoids DDoS on the first-in-sequence TCP knockport, which would
otherwise fill up the peer table permanently - especially if the user
does not specify --autoclose - and would thus cause permanent pknock
DoS.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Added the optional "--autoclose" parameter (takes minutes) that
closes the pknock-opened rule in a specified time.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Just below the check that was just removed, the presence of --name is
tested for, as --name is always required. That makes the (flags == 0)
check superfluous, because non-zeroness is ensured by the name check.
In TCP --strict mode, forget the peer which sent the wrong knock in a
sequence, rather than resetting its status to ST_INIT. This avoids
filling up the peer table (which would lead to pknock DoS) in case of
a DDoS attack performed by a set of port-scanning malicious hosts.
Report by: Christian Blum <chrblum@users.sourceforge.net>
"I have found that they panic in an interrupt within xt_ipp2p, function
search_all_gnu(). It's a bounds checking problem; when I add this [a
check for plen >= 65535] at the beginning [of the function] the
servers run fine (very similar to find_all_kazaa())."
If rule->peer_head==NULL due to an unsuccessful allocation, peer_gc
(and perhaps other places) may crash when they try to access it.
Since I see no deferred retry for allocation, the only option is to
fail in add_rule, clean it up, and return false instead.
Independent of that problem, it also needs to free peer_head in case
the status_proc allocation fails.
It is no longer possible to specify gc_expir_time with a time lower
than its default value (65000 msecs). This is to avoid running
peer_gc() earlier than 1 minute [well, 65 s actually] in the future,
which would otherwise render anti-spoof protection in SPA mode
non-functional.
- $Id$ in a comment is pointless.
- remove unneeded/commented-out includes.
- remove warning messages on allocation failure
(if that happens it is almost too late anyway;
not wanting to spam the logs)
- remove warning messages about unhandled packets
(attacker filling up logs)
Kbuild would install the .ko module files relative to their source
directory, i.e.
extensions/xt_quota.ko
-> /lib/modules/%/extra/xt_quota.ko
extensions/ACCOUNT/xt_ACCOUNT.ko
-> /lib/modules/%/extra/ACCOUNT/xt_ACCOUNT.ko
Add a hack to Makefile.am so that it all goes into extra/ only,
without any further subdirectories created. This is strictly a hack
as it pokes with Kbuild internals.
Putting the ext-mod-dir override into extensions/Kbuild would not do,
it is overridden by $linux/scripts/Makefile.modinst, so a higher
priority override is needed (make command line by means of
Makefile.am invoking make).
First, there is a memory leak - when the crypto functions fail,
hexresult was not freed. Second, in that error case, the return value
is simply passed up to the caller, ignoring the different meanings of
0 and 1 between crypto and pknock.
