+++ This bug was initially created as a clone of Bug #523982 +++ Description of problem: If a rule using ipt_recent is created with a hit count greater than ip_pkt_list_tot, the rule will never match as it cannot keep track of enough timestamps. This patch makes ipt_recent refuse to create such rules. With ip_pkt_list_tot's default value of 20, the following can be used to reproduce the problem. nc -u -l 0.0.0.0 1234 & for i in `seq 1 100`; do echo $i | nc -w 1 -u 127.0.0.1 1234; done This limits it to 20 packets: iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \ --rsource iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \ 60 --hitcount 20 --name test --rsource -j DROP While this is unlimited: iptables -A OUTPUT -p udp --dport 1234 -m recent --set --name test \ --rsource iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds \ 60 --hitcount 21 --name test --rsource -j DROP With the patch the second rule-set will throw an EINVAL. Reported-by: Sean Kennedy <skennedy> Signed-off-by: Daniel Hokka Zakrisson <daniel> Signed-off-by: Patrick McHardy <kaber> Signed-off-by: David S. Miller <davem> Upstream commit: http://git.kernel.org/linus/d0ebf133590abdc035af6e19a6568667af0ab3b0
Patch bz523986-ipt_recent-sanity-check-hit-count.patch, backport of commit d0ebf133590abdc035af6e19a6568667af0ab3b0 from Linus' tree, was added to kernel's -135 queue.
Verified by running reproducing routine. On 2.6.24.7-132 the following iptables command was allowed: iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP On 2.6.24.7-136 the same command failed: (64bit kernel) [root@hp-dl585g2-01 ~]# iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP iptables: Unknown error 18446744073709551615 (32bit kernel) [root@intel-greencity-01 ~]# iptables -A OUTPUT -p udp --dport 1234 -m recent --update --seconds 60 --hitcount 21 --name test --rsource -j DROP iptables: Unknown error 4294967295
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-1540.html