Bug 523985

Summary: kernel: ipt_recent: sanity check hit count [rhel-3]
Product: Red Hat Enterprise Linux 3
Reporter: Eugene Teo (Security Response) <eteo>
Component: kernel
Assignee: Don Howard <dhoward>
Status: CLOSED WONTFIX
QA Contact: Martin Jenner <mjenner>
Severity: high
Docs Contact:
Priority: high
Version: 3.9
CC: dhoward, lwang
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 523982
Environment:
Last Closed: 2012-06-20 16:04:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 523982
Bug Blocks:

Description Eugene Teo (Security Response) 2009-09-17 13:49:39 UTC
+++ This bug was initially created as a clone of Bug #523982 +++

Description of problem:
If a rule using ipt_recent is created with a hit count greater than ip_pkt_list_tot, the rule will never match as it cannot keep track of enough timestamps. This patch makes ipt_recent refuse to create such rules.

With ip_pkt_list_tot's default value of 20, the following can be used to reproduce the problem.

nc -u -l 0.0.0.0 1234 &
for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done

This limits it to 20 packets:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
         --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
         60 --hitcount 20 --name test --rsource -j DROP

While this is unlimited:
iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \
         --rsource
iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \
         60 --hitcount 21 --name test --rsource -j DROP

With the patch the second rule-set will throw an EINVAL.

Reported-by: Sean Kennedy <skennedy>
Signed-off-by: Daniel Hokka Zakrisson <daniel>
Signed-off-by: Patrick McHardy <kaber>
Signed-off-by: David S. Miller <davem>

Upstream commit:
http://git.kernel.org/linus/d0ebf133590abdc035af6e19a6568667af0ab3b0
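
The description above relies on one property of the "recent" match: each source address remembers at most ip_pkt_list_tot timestamps, so a --hitcount above that value can never be satisfied. The following Python model is an added example written for this bug entry; it is not kernel code and not part of the upstream commit. It replays the two-rule OUTPUT chain from the reproducer against a constructed stream of 100 datagrams sent one second apart, and adds the rule-creation check the fix introduces (the kernel rejects the rule with EINVAL; the model raises ValueError). The names RecentTable, simulate and check_rule are my own.

```python
"""Toy model of the netfilter "recent" match timestamp bookkeeping.

Constructed for illustration: it is not the kernel implementation and only
mirrors the behaviour described in the bug report (per-source list of the
last ip_pkt_list_tot timestamps, --set, --update --seconds --hitcount).
"""

IP_PKT_LIST_TOT = 20   # default of the ip_pkt_list_tot module parameter


def check_rule(hitcount, pkt_list_tot=IP_PKT_LIST_TOT):
    """Sanity check added by the fix: a --hitcount larger than the number of
    remembered timestamps can never be reached, so refuse the rule at creation
    time. The kernel returns EINVAL; this model raises ValueError instead."""
    if hitcount > pkt_list_tot:
        raise ValueError(
            "hitcount (%d) is larger than packets to be remembered (%d)"
            % (hitcount, pkt_list_tot))
    return True


class RecentTable:
    """One named list (--name test): for each source address, the timestamps
    of its last pkt_list_tot packets, newest last."""

    def __init__(self, pkt_list_tot=IP_PKT_LIST_TOT):
        self.pkt_list_tot = pkt_list_tot
        self.stamps = {}   # source address -> list of timestamps (seconds)

    def set(self, src, now):
        """--set: add the source if new and record this packet's timestamp,
        forgetting the oldest one once the list is full."""
        stamps = self.stamps.setdefault(src, [])
        stamps.append(now)
        if len(stamps) > self.pkt_list_tot:
            del stamps[0]

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount H: match when at least H recorded
        timestamps for src lie within the last S seconds; a match refreshes
        the entry with the current timestamp. Returns True on match."""
        stamps = self.stamps.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            self.set(src, now)
            return True
        return False


def simulate(hitcount, packets=100, seconds=60, pkt_list_tot=IP_PKT_LIST_TOT):
    """Replay the reproducer: `packets` UDP datagrams to 127.0.0.1:1234, one
    second apart, through rule 1 (--set) and rule 2 (--update ... -j DROP).
    Returns how many datagrams rule 2 dropped."""
    table = RecentTable(pkt_list_tot)
    dropped = 0
    for now in range(1, packets + 1):
        table.set("127.0.0.1", now)                            # rule 1
        if table.update("127.0.0.1", now, seconds, hitcount):  # rule 2
            dropped += 1
    return dropped


if __name__ == "__main__":
    print("hitcount 20 drops", simulate(20), "of 100 packets")   # 81
    print("hitcount 21 drops", simulate(21), "of 100 packets")   # 0
    try:
        check_rule(21)
    except ValueError as err:
        print("with the fix, rule creation fails:", err)
```

With --hitcount 20 the DROP rule starts matching at the 20th datagram and drops the remaining 81; with --hitcount 21 the list never holds more than 20 timestamps, so the rule silently never matches, which is exactly why the fix turns that configuration into a rule-creation error rather than a rule that looks installed but does nothing.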

Comment 1 Jiri Pallich 2012-06-20 16:04:36 UTC
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.