Fixing the ipt_recent Netfilter Module
Published 2005-05-09 at https://blackdown.de/articles/fixing-the-ipt_recent-netfilter-module/

I have experienced some strange behavior with my ipt_recent netfilter rules after an uptime of about 25 days: the rules started to block much too early. I was able to reproduce the problem for five minutes after rebooting the machine. This clearly indicated a problem with jiffies (Linux initializes jiffies so that the first roll-over happens five minutes after booting).

A closer look at ipt_recent.c revealed that the time tests did not work as intended if one of the last hits was more than LONG_MAX jiffies ago, or if the list of last hits contained empty slots and jiffies was greater than LONG_MAX.

To fix this, I replaced jiffies with seconds since ’00:00:00 1970-01-01 UTC’. I have sent the patch to linux-kernel and netfilter-devel. The patch also includes some 64-bit fixes.

May 12th, 2005: The patch has been added to Linux 2.6.12-rc4-mm1.

September 8th, 2005: Please note that only the 64-bit parts of my patch have made it into 2.6.12. I’m working on an updated fix for the time comparison problems which will hopefully get accepted for 2.6.14 or later.

September 12th, 2005: These issues have CAN numbers now: CAN-2005-2872 and CAN-2005-2873 (which supersede CAN-2005-2802).

July 10th, 2006: The jiffies issue is fixed in the vanilla kernel now. Also note that 2.6.18 will contain a rewrite of ipt_recent.c.
