bugzilla-daemon at bugzilla.netfilter.org
2010-Mar-26 16:05 UTC
[Bug 642] New: state matching (--rcheck) in xt_recent kernel module fails
http://bugzilla.netfilter.org/show_bug.cgi?id=642

           Summary: state matching (--rcheck) in xt_recent kernel module fails
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: ip_tables (kernel)
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: lisaev at indiana.edu

In the recent kernel the module xt_recent is buggy: when one tries to match the state of a packet with "-m recent ... --rcheck -j my_chain", the event fails, although the packet should have passed to my_chain. This is only a failure of --rcheck, as --set/--remove/--seconds do work.

For instance, in this example:

    -A IF_KNOCK -p tcp -m tcp --dport 1234 -m recent --set --name IF_KNK_LIST --rsource -j LOG --log-prefix "kseq1--waiting: " --log-level 6 --log-ip-options --log-uid
    -A IF_KNOCK -p tcp -m tcp --dport 5678 -m recent --rcheck --seconds 30 --name IF_KNK_LIST --rsource -j KNOCK_ACCEPT

the chain KNOCK_ACCEPT will never be traversed, even if the two packets arrived at ports 1234 and 5678 within a 30 sec window.

A similar bug has already been noticed in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/544984
and Arch Linux:
http://bugs.archlinux.org/task/18845

* package version(s)
kernel 2.6.32.10-1
iptables 1.4.7-1

--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
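A reference model of what the two IF_KNOCK rules in the report above are expected to do, for comparing against a kernel's observed behaviour. This is an added example, not code from the reporter or the netfilter project. It assumes the documented semantics of --set, --rcheck, --seconds and --rsource; parse_rule, traverse and the sample packets are hypothetical names and constructed data.

```python
import shlex

# The two IF_KNOCK rules from the report (LOG options trimmed for the model).
RULES = """\
-A IF_KNOCK -p tcp -m tcp --dport 1234 -m recent --set --name IF_KNK_LIST --rsource -j LOG
-A IF_KNOCK -p tcp -m tcp --dport 5678 -m recent --rcheck --seconds 30 --name IF_KNK_LIST --rsource -j KNOCK_ACCEPT
"""

# Constructed packets: 192.0.2.10 knocks in time, 192.0.2.20 is 45 s late.
SAMPLE = [(0, "192.0.2.10", 1234), (12, "192.0.2.10", 5678),
          (20, "192.0.2.20", 1234), (65, "192.0.2.20", 5678)]

def parse_rule(line):
    """Pull out only the options this model understands."""
    tok = shlex.split(line)

    def val(flag):
        return tok[tok.index(flag) + 1] if flag in tok else None

    seconds = val("--seconds")
    return {"dport": int(val("--dport")),
            "mode": "set" if "--set" in tok else "rcheck",
            "seconds": int(seconds) if seconds else None,
            "name": val("--name"),
            "target": val("-j")}

def traverse(rules, packets):
    """Return [(time, src, target)] for every rule a packet matches.

    packets: iterable of (time_in_seconds, source_ip, tcp_dport).
    """
    lists = {}  # list name -> {source ip: last-seen time}, as with --rsource
    hits = []
    for now, src, dport in packets:
        for r in rules:
            if r["dport"] != dport:
                continue
            table = lists.setdefault(r["name"], {})
            if r["mode"] == "set":
                table[src] = now            # --set: add or refresh the entry
                matched = True
            else:                           # --rcheck: read-only lookup
                seen = table.get(src)
                matched = seen is not None and (
                    r["seconds"] is None or now - seen <= r["seconds"])
            if matched:
                hits.append((now, src, r["target"]))
                if r["target"] != "LOG":    # LOG is non-terminating
                    break
    return hits

RULESET = [parse_rule(line) for line in RULES.splitlines()]
```

On a kernel where --rcheck works, traverse(RULESET, SAMPLE) reaches KNOCK_ACCEPT for 192.0.2.10 only; the symptom in the report corresponds to that hit never appearing.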
bugzilla-daemon at bugzilla.netfilter.org
2010-Mar-31 08:27 UTC
[Bug 642] state matching (--rcheck) in xt_recent kernel module fails
http://bugzilla.netfilter.org/show_bug.cgi?id=642

kaber at trash.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Comment #1 from kaber at trash.net 2010-03-31 10:27 -------
The patch for this problem is already upstream and queued for the next -stable release(s).