[Bug 642] New: state matching (--rcheck) in xt_recent kernel module fails
bugzilla-daemon at bugzilla.netfilter.org
Fri Mar 26 17:05:27 CET 2010
http://bugzilla.netfilter.org/show_bug.cgi?id=642
Summary: state matching (--rcheck) in xt_recent kernel module fails
Product: netfilter/iptables
Version: linux-2.6.x
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P1
Component: ip_tables (kernel)
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: lisaev at indiana.edu
In the recent kernel the module xt_recent is buggy: when one tries to match the
state of a packet with "-m recent ... --rcheck -j my_chain", the event fails,
although the packet should have passed to my_chain. This is only a failure of
--rcheck, as --set/--remove/--seconds do work.
For instance, in this example:
-A IF_KNOCK -p tcp -m tcp --dport 1234 -m recent --set --name IF_KNK_LIST --rsource -j LOG --log-prefix "kseq1--waiting: " --log-level 6 --log-ip-options --log-uid
-A IF_KNOCK -p tcp -m tcp --dport 5678 -m recent --rcheck --seconds 30 --name IF_KNK_LIST --rsource -j KNOCK_ACCEPT
the chain KNOCK_ACCEPT will never be traversed, even if the two packets arrived
at ports 1234 and 5678 within a 30 sec window.
A similar bug has already been noticed in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/544984
and Arch Linux:
http://bugs.archlinux.org/task/18845
* package version(s)
kernel 2.6.32.10-1
iptables 1.4.7-1
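The following is an added example, not the reporter's rule set and not netfilter project code. It builds a port-knock setup in the same shape as the rules quoted in the report (chain IF_KNOCK, list IF_KNK_LIST, knock on 1234 then 5678 within 30 seconds, --set on the first knock and --rcheck on the second) and adds the two checks that tell a --set failure apart from a --rcheck failure on a given kernel: whether the knocking source shows up in /proc/net/xt_recent/IF_KNK_LIST, and whether the packet counter of the --rcheck rule (the one jumping to KNOCK_ACCEPT) moves. The protected port 22, the second list KNOCK_OPEN, the conntrack rule and the client address are illustrative assumptions; set IPT="echo iptables" to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the bug report): xt_recent port knocking plus the
# checks that separate a --set failure from a --rcheck failure.
# Chain/list names and knock ports follow the report; PROTECTED, OPEN_LIST and
# the client address passed to "check" are assumptions for illustration.
IPT="${IPT:-iptables}"     # IPT="echo iptables" prints the rules (dry run)
LIST="IF_KNK_LIST"         # written by knock 1, checked by knock 2
OPEN_LIST="KNOCK_OPEN"     # assumed: marks a source that completed the sequence
KNOCK1=1234
KNOCK2=5678
WINDOW=30                  # seconds allowed between knock 1 and knock 2
PROTECTED=22               # assumed protected service

install_knock_rules() {
    $IPT -N IF_KNOCK
    $IPT -N KNOCK_ACCEPT
    # Knock 1: record the source address (--rsource) in $LIST and log it.
    $IPT -A IF_KNOCK -p tcp --dport "$KNOCK1" \
        -m recent --set --name "$LIST" --rsource \
        -j LOG --log-prefix "kseq1--waiting: " --log-level 6
    # Knock 2: --rcheck rather than --update, so the window is measured from
    # knock 1 and the second knock does not refresh the entry's timestamp.
    $IPT -A IF_KNOCK -p tcp --dport "$KNOCK2" \
        -m recent --rcheck --seconds "$WINDOW" --name "$LIST" --rsource \
        -j KNOCK_ACCEPT
    # KNOCK_ACCEPT: drop the first-stage entry, mark the source as open.
    # The knock packet itself is to a closed port, so dropping it is fine.
    $IPT -A KNOCK_ACCEPT -m recent --remove --name "$LIST" --rsource
    $IPT -A KNOCK_ACCEPT -m recent --set --name "$OPEN_LIST" --rsource -j DROP
    # INPUT: keep established flows, open $PROTECTED only for sources marked in
    # $OPEN_LIST within $WINDOW seconds, drop other SYNs to it, and send the
    # remaining SYNs through the knock chain.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$PROTECTED" --syn \
        -m recent --rcheck --seconds "$WINDOW" --name "$OPEN_LIST" --rsource \
        -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$PROTECTED" --syn -j DROP
    $IPT -A INPUT -p tcp --syn -j IF_KNOCK
}

# Lines in /proc/net/xt_recent/<list> look like (constructed sample):
#   src=10.0.0.5 ttl: 64 last_seen: 4295123 oldest_pkt: 1 4295123
# where last_seen is in jiffies. Print "<src> <last_seen>" for one such line,
# nothing for a line that does not match.
recent_entry() {
    printf '%s\n' "$1" \
      | sed -n 's/^src=\([^ ]*\) .*last_seen: \([0-9]*\).*$/\1 \2/p'
}

# Is source $1 currently in $LIST? Reads the live kernel table.
list_has_src() {
    grep -q "^src=$1 " "/proc/net/xt_recent/$LIST" 2>/dev/null
}

# Packet counter of the --rcheck rule, i.e. how often KNOCK_ACCEPT was entered.
# "iptables -L -v -n -x" columns: pkts bytes target prot opt in out src dst.
knock_accept_hits() {
    $IPT -L IF_KNOCK -v -n -x | awk '$3 == "KNOCK_ACCEPT" { print $1; exit }'
}

# Run after the client sent both knocks (e.g. nc -z -w1 HOST 1234; nc -z -w1
# HOST 5678). Source listed but KNOCK_ACCEPT counter unchanged means --set
# works and --rcheck is what fails, the symptom described in the report.
diagnose() {
    client="$1"
    if list_has_src "$client"; then
        echo "set:    ok   ($client is in $LIST)"
    else
        echo "set:    FAIL ($client not in $LIST)"
    fi
    hits=$(knock_accept_hits)
    if [ "${hits:-0}" -gt 0 ]; then
        echo "rcheck: ok   (KNOCK_ACCEPT entered $hits times)"
    else
        echo "rcheck: FAIL (KNOCK_ACCEPT never entered)"
    fi
}

case "${1:-}" in
    apply) install_knock_rules ;;
    check) diagnose "${2:?client address}" ;;
esac
```

Usage: `sh knock.sh apply` as root loads the rules; send the two knocks from a client, then `sh knock.sh check <client-ip>` on the firewall. Note that the protected-port rule checks only the SYN, so the conntrack rule above it is what keeps the session alive once the window expires.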