[Bug 544984] Re: netfilter xt_recent --rcheck fails to match
Colm Buckley, this bug report is being closed due to your last comment https://bugs.launchpad.net/ubuntu/+source/linux/+bug/544984/comments/5 regarding this being fixed with an update. For future reference you can manage the status of your own bugs by clicking on the current status in the yellow line and then choosing a new status in the revealed drop-down box. You can learn more about bug statuses at https://wiki.ubuntu.com/Bugs/Status. Thank you again for taking the time to report this bug and helping to make Ubuntu better. Please submit any future bugs you may find.

** Changed in: linux (Ubuntu)
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/544984

Title:
  netfilter xt_recent --rcheck fails to match

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/544984/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 544984] Re: netfilter xt_recent --rcheck fails to match
This *seems* to be resolved in 2.6.32-21.
[Bug 544984] Re: netfilter xt_recent --rcheck fails to match
** Changed in: linux (Ubuntu)
       Status: New => Confirmed
[Bug 544984] Re: netfilter xt_recent --rcheck fails to match
** Tags added: kernel-series-unknown
[Bug 544984] Re: netfilter xt_recent --rcheck fails to match
Just in case it isn't clear, this prevents IP blacklisting and port knocking from working, so will probably cause a pretty significant security issue. It fails silently.
[Bug 544984] Re: netfilter xt_recent --rcheck fails to match
** Description changed:

  The netfilter module xt_recent (-m recent) fails to match ip addresses.

  To reproduce:

  iptables -F INPUT
  iptables -F OUTPUT
  iptables -F FORWARD
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport 80 -m recent --rcheck -j ACCEPT
+ iptables -A INPUT -i eth0 -p tcp --dport 80 -m recent --rcheck -j ACCEPT
  iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT

  and have a daemon listening on port 80. Connections to this daemon succeed when the INPUT table is flushed, or when connecting via localhost. Connections from a remote machine fail as expected; however, after adding the remote machine's IP address to the match list (echo '+remote.ip.add.ress' > /proc/net/xt_recent/DEFAULT), although the address then appears in the list, the iptables --recent rule fails to match; connections are still dropped.

  # uname -a
  Linux dagda 2.6.32-17-server #26-Ubuntu SMP Sat Mar 20 03:39:37 UTC 2010 x86_64 GNU/Linux
  # cat /proc/version_signature
  Ubuntu 2.6.32-17.26-server 2.6.32.10+drm33.1
  # iptables -V
  iptables v1.4.4
  # lsmod
  Module                  Size  Used by
- ipt_REJECT              2384  1
- xt_recent               8218  1
- xt_tcpudp               2667  2
- iptable_filter          2791  1
+ ipt_REJECT              2384  1
+ xt_recent               8218  1
+ xt_tcpudp               2667  2
+ iptable_filter          2791  1
  ip_tables              18358  1 iptable_filter
  x_tables               22429  4 ipt_REJECT,xt_recent,xt_tcpudp,ip_tables
  [...]
[Bug 544984] Re: netfilter xt_recent --rcheck fails to match
This looks like a reversion to the behavior described in bug 365539 - were the patches mentioned there ever propagated properly?
[Bug 544984] Re: netfilter xt_recent --rcheck fails to match
Further to comment #2; it's only the --rcheck rule which fails. --set and --remove rules seem to have the correct effect in adding and removing entries to /proc/net/xt_recent/DEFAULT (and any other name). Likewise, the echo +IP and echo -IP methods seem to work correctly:

# cat /proc/net/xt_recent/DEFAULT
# echo '+10.0.0.1' > /proc/net/xt_recent/DEFAULT
# echo '+10.0.0.2' > /proc/net/xt_recent/DEFAULT
# cat /proc/net/xt_recent/DEFAULT
src=10.0.0.2 ttl: 0 last_seen: 4301811921 oldest_pkt: 1 4301811921
src=10.0.0.1 ttl: 0 last_seen: 4301811288 oldest_pkt: 1 4301811288
# echo '-10.0.0.1' > /proc/net/xt_recent/DEFAULT
# cat /proc/net/xt_recent/DEFAULT
src=10.0.0.2 ttl: 0 last_seen: 4301811921 oldest_pkt: 1 4301811921
# echo '/' > /proc/net/xt_recent/DEFAULT
# cat /proc/net/xt_recent/DEFAULT

But --rcheck fails to match these entries when packets with the same source addresses are received.
[Bug 544984] Re: netfilter xt_recent --rcheck fails to match
The attached script (recent.sh) demonstrates the bug; it sets up an iptables rule to log packets which match an entry in an xt_recent table and then causes some traffic which should fire the rule.

On Karmic (correct behaviour), the output is:

Linux 2.6.31-20-server #58-Ubuntu SMP Fri Mar 12 05:40:05 UTC 2010
Testing list table follows (should have 1 line) :
src=127.0.0.2 ttl: 0 last_seen: 4294976129 oldest_pkt: 1 4294976129
---end
Connecting to 127.0.0.2...
Connecting to 127.0.0.3...
Looking for 127.0.0.2 logged packets (should be 0) : 2
Looking for 127.0.0.3 logged packets (should be 0) : 0

Note that it correctly finds two logged packets in dmesg.

On Lucid (incorrect behaviour), the output is:

Linux 2.6.32-17-generic #26-Ubuntu SMP Fri Mar 19 23:58:53 UTC 2010
Testing list table follows (should have 1 line) :
src=127.0.0.2 ttl: 0 last_seen: 4294918907 oldest_pkt: 1 4294918907
---end
Connecting to 127.0.0.2...
Connecting to 127.0.0.3...
Looking for 127.0.0.2 logged packets (should be 0) : 0
Looking for 127.0.0.3 logged packets (should be 0) : 0

Note that no packets are logged in dmesg, demonstrating that the --rcheck rule has failed to fire.

** Attachment added: "Script to demonstrate the problem."
   http://launchpadlibrarian.net/41783982/recent.sh
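Because the failure described in this report is silent (the --rcheck rule simply never fires, and the REJECT rule after it drops the traffic), a host that relies on xt_recent for port knocking or blacklisting needs a positive check that the match actually works after a kernel update. The script below is an added example written for this thread; it is not the reporter's recent.sh and not part of the Ubuntu kernel or iptables. It follows the same idea as the reproduction above (add an address to a table by hand, then send traffic from that address) but reads the rule's own packet counter instead of grepping dmesg, and also sends traffic from an address that is not in the table to confirm the rule does not match everything. The table name rcheck_selftest, port 65432 and the 127.0.0.2/127.0.0.3 addresses are constructed; it assumes root, iptables with the recent match, a loopback interface, and an nc that accepts -s and -w. The two text functions at the top parse /proc/net/xt_recent output and run without privileges.

```shell
#!/bin/sh
# Added example (not the reporter's recent.sh): self-test for the xt_recent
# --rcheck match, using the rule's packet counter as evidence so that a
# silent failure to match is reported as FAIL instead of going unnoticed.
# Assumptions: root on Linux with iptables + the recent match, a loopback
# interface, and an nc that accepts -s (source address) and -w (timeout).
# Table name, port and addresses below are constructed for the example.
set -eu

TABLE="rcheck_selftest"   # constructed xt_recent table name
PORT="65432"              # constructed TCP port; nothing needs to listen on it
PROBE_IP="127.0.0.2"      # added to the table by hand, as in the report
CONTROL_IP="127.0.0.3"    # never added; the rule must not match it

# recent_has_src TABLE_TEXT ADDR -> exit 0 if ADDR has an entry in the text of
# a /proc/net/xt_recent/<name> file (lines look like "src=A.B.C.D ttl: ...").
# Pure text function, usable without root.
recent_has_src() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ("src=" ip) { found = 1 } END { exit !found }'
}

# recent_entry_count TABLE_TEXT -> number of src= entries in the table text
recent_entry_count() {
    printf '%s\n' "$1" | awk '$1 ~ /^src=/ { n++ } END { print n + 0 }'
}

# rule_packets -> packet counter of the first INPUT rule (ours, inserted at 1).
# Line 1 of the listing is the chain header, line 2 the column header.
rule_packets() {
    iptables -L INPUT -v -n -x | awk 'NR == 3 { print $1 }'
}

# probe ADDR -> send one TCP SYN to 127.0.0.1:$PORT with ADDR as the source.
# Linux answers any 127/8 address on lo, so no extra addresses are needed.
probe() {
    nc -w 1 -s "$1" 127.0.0.1 "$PORT" </dev/null >/dev/null 2>&1 || true
}

# Flush the table first: the proc file disappears once the last rule
# referencing the table is deleted.
cleanup() {
    echo / > "/proc/net/xt_recent/$TABLE" 2>/dev/null || true
    iptables -D INPUT -i lo -p tcp --dport "$PORT" -m recent --name "$TABLE" --rcheck -j ACCEPT 2>/dev/null || true
}

rcheck_selftest() {
    trap cleanup EXIT
    iptables -I INPUT 1 -i lo -p tcp --dport "$PORT" -m recent --name "$TABLE" --rcheck -j ACCEPT
    echo "+$PROBE_IP" > "/proc/net/xt_recent/$TABLE"

    table=$(cat "/proc/net/xt_recent/$TABLE")
    recent_has_src "$table" "$PROBE_IP" || { echo "FAIL: $PROBE_IP missing from table"; return 1; }
    echo "table has $(recent_entry_count "$table") entry/entries (expected 1)"

    before=$(rule_packets)
    probe "$PROBE_IP"
    after_probe=$(rule_packets)
    probe "$CONTROL_IP"
    after_control=$(rule_packets)

    status=0
    if [ "$after_probe" -gt "$before" ]; then
        echo "OK:   --rcheck matched $PROBE_IP ($((after_probe - before)) packet(s))"
    else
        echo "FAIL: --rcheck silently failed to match $PROBE_IP (counter stayed at $before)"
        status=1
    fi
    if [ "$after_control" -eq "$after_probe" ]; then
        echo "OK:   --rcheck ignored $CONTROL_IP, which is not in the table"
    else
        echo "FAIL: --rcheck matched $CONTROL_IP, which is not in the table"
        status=1
    fi
    return $status
}

# The privileged part only runs when asked for:  sudo sh rcheck_selftest.sh run
if [ "${1:-}" = "run" ]; then
    rcheck_selftest
fi
```

The script inserts one ACCEPT rule at the top of INPUT for the duration of the test and removes it (and the table) on exit, so it changes nothing persistent; on the Lucid kernel from this report it would print the "silently failed to match" line, on a fixed kernel both OK lines. Using the counter rather than a LOG target keeps the check independent of the kernel log ring buffer and of what other rules may already be logging.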