Bug 523977

Summary: kernel: ipt_recent does not sanity check hit count
Product: Red Hat Enterprise Linux 5
Reporter: Tomas Hoger <thoger>
Component: kernel
Assignee: Red Hat Kernel Manager <kernel-mgr>
Status: CLOSED DUPLICATE
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium
Priority: medium
Version: 5.4
CC: plyons
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-09-17 14:22:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Tomas Hoger 2009-09-17 13:12:42 UTC
Quoting upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d0ebf133590abdc035af6e19a6568667af0ab3b0

  If a rule using ipt_recent is created with a hit count greater than
  ip_pkt_list_tot, the rule will never match as it cannot keep track
  of enough timestamps. This patch makes ipt_recent refuse to create such
  rules.

Version-Release number of selected component (if applicable):
kernel-2.6.18-164.el5

Steps to Reproduce:
Outlined in the upstream commit; this variant, using TCP connections instead of UDP connections, worked a little better for me:

iptables rules:

# flush existing rules
iptables -F
# any TCP packet to port 1235 clears the client's entry from the "test" list
iptables -A INPUT -p tcp --dport 1235 -m recent --remove --name test
# each new connection (SYN) to port 1234 records a timestamp for the client
iptables -A INPUT -p tcp --syn --dport 1234 -m recent --set --name test
# reject the SYN once 20 or more timestamps fall within the last 60 seconds
iptables -A INPUT -p tcp --syn --dport 1234 -m recent --update --seconds 60 --hitcount 20 --name test -j REJECT

run testing server as:

while : ; do nc -l 0.0.0.0 1234 ; done

client side:

# remove previous recent entries to get a clean state
echo 2> /dev/null | nc 127.0.0.1 1235
cat /proc/net/ipt_recent/test

for i in `seq 1 30`; do
  echo $i | nc 127.0.0.1 1234; sleep 0.2
done

When hitcount 20 is used, you can see that only 19 connections to the server are allowed.  Raising hitcount to 21 (assuming the default ip_pkt_list_tot), an unlimited number of connections is allowed.

After the fix, an attempt to create a rule with a hitcount higher than ip_pkt_list_tot should result in an error:

  iptables: Invalid argument
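
The following Python script is an added example and is not part of the bug report or of the kernel patch. It models the behaviour the reproducer above exercises (a per-address list that can hold at most ip_pkt_list_tot timestamps, so a --hitcount above that limit can never match and the REJECT rule is silently dead) and then audits a set of iptables rules for that condition. Assumptions: the compiled-in default of ip_pkt_list_tot is 20 (the value the report implies with "assuming default ip_pkt_list_tot"); the sysfs paths tried by `read_ip_pkt_list_tot` are where the module parameter is normally exposed and may differ on a given kernel; the `RecentEntry` model is a simplification of the real module and the sample rule lines are constructed for the example.

```python
import re
from collections import deque

# Upstream default for the ipt_recent/xt_recent module parameter (assumption
# about the running kernel; read the real value with read_ip_pkt_list_tot()).
IP_PKT_LIST_TOT_DEFAULT = 20


def read_ip_pkt_list_tot(default=IP_PKT_LIST_TOT_DEFAULT):
    """Best-effort read of the live module parameter; falls back to the default.

    The sysfs locations are assumptions (older kernels name the module
    ipt_recent, newer ones xt_recent)."""
    for path in ("/sys/module/xt_recent/parameters/ip_pkt_list_tot",
                 "/sys/module/ipt_recent/parameters/ip_pkt_list_tot"):
        try:
            with open(path) as f:
                return int(f.read().strip())
        except (OSError, ValueError):
            continue
    return default


class RecentEntry:
    """Simplified model of one ipt_recent address entry: a bounded ring of
    timestamps.  Once the ring is full, the oldest timestamp is dropped, so the
    entry can never hold more than `capacity` hits."""

    def __init__(self, capacity=IP_PKT_LIST_TOT_DEFAULT):
        self.stamps = deque(maxlen=capacity)

    def set(self, now):
        # --set: record the packet's timestamp for this address
        self.stamps.append(now)

    def update(self, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when at least N recorded
        # timestamps fall inside the window; on a match the entry is refreshed.
        hits = sum(1 for t in self.stamps if now - t <= seconds)
        if hits >= hitcount:
            self.stamps.append(now)
            return True
        return False


def simulate_connections(hitcount, n=30, interval=0.2, seconds=60,
                         capacity=IP_PKT_LIST_TOT_DEFAULT):
    """Replay the reproducer: n SYNs from one client, `interval` seconds apart,
    through the --set rule and then the --update ... -j REJECT rule.
    Returns how many connections were accepted."""
    entry = RecentEntry(capacity)
    accepted = 0
    for i in range(n):
        now = i * interval
        entry.set(now)                                  # rule 2: --set
        if not entry.update(now, seconds, hitcount):    # rule 3: --update -j REJECT
            accepted += 1
    return accepted


HITCOUNT_RE = re.compile(r"--hitcount\s+(\d+)")


def find_dead_recent_rules(rules, ip_pkt_list_tot=IP_PKT_LIST_TOT_DEFAULT):
    """Return (rule, hitcount) pairs for rules that use '-m recent' with a
    --hitcount larger than ip_pkt_list_tot.  Such rules can never match,
    which on an unpatched kernel means the intended rate limit is not enforced.
    Accepts either 'iptables -A ...' command lines or iptables-save '-A ...' lines."""
    dead = []
    for rule in rules:
        if "-m recent" not in rule:
            continue
        m = HITCOUNT_RE.search(rule)
        if m and int(m.group(1)) > ip_pkt_list_tot:
            dead.append((rule.strip(), int(m.group(1))))
    return dead


# Constructed sample rule set: the three rules from the report plus one with
# a hitcount that exceeds the default list size.
SAMPLE_RULES = [
    "iptables -A INPUT -p tcp --dport 1235 -m recent --remove --name test",
    "iptables -A INPUT -p tcp --syn --dport 1234 -m recent --set --name test",
    "iptables -A INPUT -p tcp --syn --dport 1234 -m recent --update --seconds 60 --hitcount 20 --name test -j REJECT",
    "-A INPUT -p tcp --syn --dport 2222 -m recent --update --seconds 60 --hitcount 21 --name ssh -j REJECT",
]

if __name__ == "__main__":
    print("accepted with hitcount 20:", simulate_connections(20))  # 19
    print("accepted with hitcount 21:", simulate_connections(21))  # 30, limit never applies
    for rule, hc in find_dead_recent_rules(SAMPLE_RULES, read_ip_pkt_list_tot()):
        print(f"never matches (hitcount {hc} > ip_pkt_list_tot): {rule}")
```

On a live system, feed `find_dead_recent_rules` the output of `iptables-save` together with the value returned by `read_ip_pkt_list_tot`; a non-empty result means a rate-limiting rule that an unpatched kernel accepted but will never enforce.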

Comment 2 Eugene Teo (Security Response) 2009-09-17 14:22:15 UTC

*** This bug has been marked as a duplicate of bug 523982 ***