shash_desc::flags was removed from the kernel in 5.1.
That assignment was actually superfluous anyway, because crypto.desc
is zero-initialized when crypto is initialized (xt_pknock.c, ll.
110ff.).
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
When the PK_CRYPTO pre-processor flag got removed in
v1.47.1-2-g66f213e, one of the removal cases was misapplied; the body
of an "#ifndef PK_CRYPTO" was left in rather than the whole section
being removed.
Since the last merge of the "api35" branch, further changes were
included into nf-next. This set of three commits updates the
xtables-addons API to match that.
xt_pknock.c: In function "update_peer":
xt_pknock.c:890:3: warning: implicit declaration of function "pass_security"
xt_pknock.c: In function "pknock_mt":
xt_pknock.c:1030:5: warning: implicit declaration of function "is_close_knock"
Handle specific case when someone put a (master) --opensecret
--closesecret rule after a --checkip rule with the same name.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Fixes a bug whereby an ST_ALLOWED peer existing for a time greater
than gc_expir_time would be gc-deleted, because both
!has_logged_during_this_minute(peer) and
is_interknock_time_exceeded(peer, rule->max_time) would be satisfied
for ST_ALLOWED hosts.
We also no longer test for !has_logged_during_this_minute(peer) in
peer_gc(), since there is really no need for this: the anti-spoof
minute check is performed (and subsequent remove_peer(peer) called if
needed) for each passing UDP-mode peer with expired autoclose in
pknock_mt(), given that --autoclose has been specified. If autoclose
has not been set, it will be subject to reset_knock_status(peer)
called from knock_mt() upon receiving the first closing secret - so it
is still guaranteed to disappear at the closest opportunity.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Renames:
update_rule_timer() -> update_gc_rule_timer()
is_time_exceeded() -> is_interknock_time_exceeded()
Changed some debug messages and comments to give more appropriate meanings.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
This avoids DDoS on the first-in-sequence TCP knockport, which would
otherwise fill up the peer table permanently - especially if the user
does not specify --autoclose - and would thus cause permanent pknock
DoS.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
Added the optional "--autoclose" parameter (takes minutes) that
closes the pknock-opened rule in a specified time.
Signed-off-by: Jan Rafaj <jr+netfilter-devel@cedric.unob.cz>
In TCP --strict mode, forget the peer which sent the wrong knock in a
sequence, rather than resetting its status to ST_INIT. This avoids
filling up the peer table (which would lead to pknock DoS) in case of
a DDoS attack performed by a set of port-scanning malicious hosts.
