iptables "recent" match broken
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Low | Unassigned | |
Bug Description
Binary package hint: linux-image-
Note: This bug is security relevant, since it breaks the expected iptables behaviour and might lead to accepted packets that should be dropped. (I didn't hit the checkbox for "contact security team", since Jaunty is still beta.)
In Jaunty Beta the iptables rule
iptables -A INPUT -p icmp -s <someIP> -m recent --rcheck --seconds 1800 --name "rtest" --rsource -j DROP
should drop such ICMP packets, after adding someIP to the recent list by
echo +someIP >/proc/
However, ICMP ping replies from someIP are still accepted, as if the recent list was empty.
Negating the rule as follows leads to the wrong behaviour too:
iptables -A INPUT -p icmp -s <someIP> -m recent ! --rcheck --seconds 1800 --name "rtest" --rsource -j DROP
Now packets are dropped, regardless of whether the recent list contains someIP.
Furthermore, removing entries from the recent list fails. After
echo -someIP >/proc/
someIP remains in the list. You can even cause duplicate list entries with successive
echo +someIP >/proc/
See cat /proc/net/
I guess both misbehaviours are caused by the kernel module xt_recent.ko. So the bug is in the linux-image package.
uname -a: Linux ubuntu 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:48:10 UTC 2009 i686 GNU/Linux
apt-cache policy linux-image-
iptables: 1.4.1.1-4ubuntu3
hardware: vmware (dual CPU)
On Intrepid (kernel 2.6.27), the recent match works fine. But there the recent match is the older code, creating the proc files in /proc/net/
This morning (after a good night's rest) I refined my tests and came to this pattern:
with Kernel 2.6.28: /proc/net/xt_recent/* has no effect on iptables rules. I did not test /proc/net/ipt_recent/* (requires Kernel option CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT, which is not set in Jaunty)
with Kernel 2.6.29: xt_recent/* works fine in every way, but /proc/net/ipt_recent/* has no effect on iptables rules.
/proc/net/
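The checks the report calls for, as an added example that is not part of the original bug report or of the Ubuntu/netfilter code: an offline parser for a /proc/net/xt_recent/&lt;name&gt; listing that counts entries per address and flags the duplicate entries the reporter saw, plus an opt-in live probe that installs the reporter's rule for 127.0.0.1 in a throwaway chain, seeds the list through /proc, pings, and reads the rule's packet counter instead of trusting the rule. The sample listing is constructed (addresses and timestamps are made up; the field layout is assumed to follow the kernel's recent_seq_show output), and the chain name RTEST, list name rtest and the RECENT_LIVE variable are the example's own choices.

```shell
#!/bin/bash
# Added example (not from the bug report): verify xt_recent list state and
# whether the "recent" match actually fires.
set -u

# Constructed sample of /proc/net/xt_recent/rtest after "echo +10.0.0.5" twice,
# i.e. the duplicate-entry symptom from the report. Layout assumed from the
# kernel's recent_seq_show; addresses and timestamps are invented.
SAMPLE_RECENT_LIST='src=10.0.0.5 ttl: 64 last_seen: 4295054000 oldest_pkt: 1 4295054000
src=192.0.2.9 ttl: 64 last_seen: 4295053000 oldest_pkt: 1 4295053000
src=10.0.0.5 ttl: 64 last_seen: 4295054200 oldest_pkt: 1 4295054200'

# recent_count LIST IP -> number of entries whose src= field equals IP.
# A healthy list yields 0 or 1; 2 or more means "+IP" created duplicates.
recent_count() {
    local list="$1" ip="$2"
    printf '%s\n' "$list" | awk -v ip="$ip" '
        $1 == ("src=" ip) { n++ }
        END { print n + 0 }'
}

# recent_duplicates LIST -> addresses listed more than once, one per line.
recent_duplicates() {
    local list="$1"
    printf '%s\n' "$list" | awk '
        sub(/^src=/, "", $1) { seen[$1]++ }
        END { for (a in seen) if (seen[a] > 1) print a }' | sort
}

# live_check [CHAIN] [NAME] [IP] -> prints the packet count of the DROP rule
# after pinging IP with IP seeded into the recent list. On a working kernel
# the pings are dropped and the counter is non-zero; with the bug from the
# report the rule never matches and the counter stays 0. Needs root.
live_check() {
    local chain="${1:-RTEST}" name="${2:-rtest}" ip="${3:-127.0.0.1}" pkts
    [ "$(id -u)" -eq 0 ] || { echo "live_check: needs root" >&2; return 2; }
    iptables -N "$chain" 2>/dev/null || iptables -F "$chain"
    # The reporter's rule, placed in its own chain so it is easy to remove.
    iptables -A "$chain" -p icmp -s "$ip" -m recent --rcheck --seconds 1800 \
        --name "$name" --rsource -j DROP
    iptables -I INPUT 1 -j "$chain"
    # Assumption: the list file exists once a rule referencing NAME is loaded.
    echo "+$ip" > "/proc/net/xt_recent/$name"
    ping -c 3 -W 1 "$ip" >/dev/null 2>&1    # should now be dropped
    pkts=$(iptables -L "$chain" -v -n -x | awk '/DROP/ { print $1; exit }')
    echo / > "/proc/net/xt_recent/$name"    # flush the list (may fail on the buggy kernel)
    iptables -D INPUT -j "$chain"
    iptables -F "$chain"
    iptables -X "$chain"
    echo "${pkts:-0}"
}

# Stand-alone run: report on the constructed sample; the live probe only runs
# as root and only when explicitly requested with RECENT_LIVE=1.
printf 'entries for 10.0.0.5: %s\n' "$(recent_count "$SAMPLE_RECENT_LIST" 10.0.0.5)"
printf 'duplicated addresses: %s\n' "$(recent_duplicates "$SAMPLE_RECENT_LIST" | tr '\n' ' ')"
if [ "${RECENT_LIVE:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    printf 'live: packets counted by the DROP rule: %s\n' "$(live_check)"
fi
```

Run as `RECENT_LIVE=1 sudo bash recent_check.sh` on the affected kernel: a count of 0 after the seeded ping reproduces the "list has no effect" symptom, while `recent_count` against `cat /proc/net/xt_recent/rtest` reproduces the duplicate-entry symptom.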