| 1 | From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001 |
| 2 | From: Tim Gardner <tim.gardner@canonical.com> |
| 3 | Date: Mon, 1 Mar 2010 19:00:29 -0700 |
| 4 | Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation |
| 5 | |
| 6 | Signed-off-by: Tim Gardner <tim.gardner@canonical.com> |
| 7 | --- |
| 8 | extensions/libxt_recent.c | 20 ++++++++++++++++++++ |
| 9 | extensions/libxt_recent.man | 5 +++++ |
| 10 | include/linux/netfilter/xt_recent.h | 7 +++++++ |
| 11 | 3 files changed, 32 insertions(+), 0 deletions(-) |
| 12 | |
| 13 | diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c |
| 14 | index 4ac32f7..7e3d280 100644 |
| 15 | --- a/extensions/libxt_recent.c |
| 16 | +++ b/extensions/libxt_recent.c |
| 17 | @@ -20,6 +20,7 @@ static const struct option recent_opts[] = { |
| 18 | {.name = "name", .has_arg = true, .val = 208}, |
| 19 | {.name = "rsource", .has_arg = false, .val = 209}, |
| 20 | {.name = "rdest", .has_arg = false, .val = 210}, |
| 21 | + {.name = "reap", .has_arg = false, .val = 211}, |
| 22 | XT_GETOPT_TABLEEND, |
| 23 | }; |
| 24 | |
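Review bot: The new `--reap` entry is declared with `.has_arg = false`, but the man-page hunk in this same patch documents it as `\fB\-\-reap\fP \fIreap\fP`, i.e. taking an argument; one of the two is wrong, and since `case 211` below never reads `optarg`, the man page should drop the `\fIreap\fP` placeholder. The option table is otherwise consistent with the neighbouring `--rsource`/`--rdest` entries.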
| 25 | @@ -36,6 +37,7 @@ static void recent_help(void) |
| 26 | " --hitcount hits For check and update commands above.\n" |
| 27 | " Specifies that the match will only occur if source address seen hits times.\n" |
| 28 | " May be used in conjunction with the seconds option.\n" |
| 29 | +" --reap Remove entries that have expired. Can only be used with --seconds\n" |
| 30 | " --rttl For check and update commands above.\n" |
| 31 | " Specifies that the match will only occur if the source address and the TTL\n" |
| 32 | " match between this packet and the one which was set.\n" |
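Review bot: The help line for `--reap` states only the `--seconds` requirement, while recent_check in this patch also rejects it together with `--set` or `--remove`; the help text should say the same so users are not surprised by the error. Suggested wording: `" --reap Remove entries that have expired. May only be used with --rcheck or --update, and requires --seconds\n"`. The surrounding recent_help body starts outside this hunk.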
| 33 | @@ -62,6 +64,8 @@ static void recent_init(struct xt_entry_match *match) |
| 34 | (XT_RECENT_SET | XT_RECENT_CHECK | \ |
| 35 | XT_RECENT_UPDATE | XT_RECENT_REMOVE) |
| 36 | |
| 37 | +#define XT_RECENT_SECONDS 1 << 31 |
| 38 | + |
| 39 | static int recent_parse(int c, char **argv, int invert, unsigned int *flags, |
| 40 | const void *entry, struct xt_entry_match **match) |
| 41 | { |
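Review bot: `#define XT_RECENT_SECONDS 1 << 31` is unparenthesized and left-shifts a signed `1` into the sign bit of a 32-bit `int`, which is undefined behaviour under C99/C11; the `*flags |= XT_RECENT_SECONDS` use in the next hunk only works because `|=` happens to bind looser than `<<`. Define it as `#define XT_RECENT_SECONDS (1U << 31)` so the expansion is both well-defined and safe in any expression. Because recent_parse ORs this local bit into the same `flags` word as the kernel's XT_RECENT_* values from xt_recent.h (the `case 211` hunk), it must never coincide with a bit the header defines for check_set, which cannot be verified from this page; a comment such as `/* userspace parse-state bit only, must not collide with XT_RECENT_* in xt_recent.h */` would record that constraint next to the definition.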
| 42 | @@ -103,6 +107,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags, |
| 43 | |
| 44 | case 204: |
| 45 | info->seconds = atoi(optarg); |
| 46 | + *flags |= XT_RECENT_SECONDS; |
| 47 | break; |
| 48 | |
| 49 | case 205: |
| 50 | @@ -138,6 +143,11 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags, |
| 51 | info->side = XT_RECENT_DEST; |
| 52 | break; |
| 53 | |
| 54 | + case 211: |
| 55 | + info->check_set |= XT_RECENT_REAP; |
| 56 | + *flags |= XT_RECENT_REAP; |
| 57 | + break; |
| 58 | + |
| 59 | default: |
| 60 | return 0; |
| 61 | } |
| 62 | @@ -156,6 +166,12 @@ static void recent_check(unsigned int flags) |
| 63 | xtables_error(PARAMETER_PROBLEM, |
| 64 | "recent: --rttl may only be used with --rcheck or " |
| 65 | "--update"); |
| 66 | + if ((flags & XT_RECENT_REAP) && |
| 67 | + ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) || |
| 68 | + (!(flags & XT_RECENT_SECONDS)))) |
| 69 | + xtables_error(PARAMETER_PROBLEM, |
| 70 | + "recent: --reap may only be used with --rcheck or " |
| 71 | + "--update and --seconds"); |
| 72 | } |
| 73 | |
| 74 | static void recent_print(const void *ip, const struct xt_entry_match *match, |
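Review bot: The new `--reap` validation folds two unrelated conditions into one nested expression and one error message ("--rcheck or --update and --seconds"), which is hard to read both in the code and for the user who triggers it. Splitting it into two checks, each with a message naming the one thing that is wrong, keeps the style of the `--rttl` check just above and tells the user exactly what to fix; the rest of recent_check, including the part that presumably requires one of the commands at all, lies outside this hunk.
```c
	/* … unchanged: --rttl check … */
	if ((flags & XT_RECENT_REAP) &&
	    (flags & (XT_RECENT_SET | XT_RECENT_REMOVE)))
		xtables_error(PARAMETER_PROBLEM,
		              "recent: --reap may only be used with --rcheck or "
		              "--update");
	if ((flags & XT_RECENT_REAP) && !(flags & XT_RECENT_SECONDS))
		xtables_error(PARAMETER_PROBLEM,
		              "recent: --reap requires --seconds");
```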
| 75 | @@ -185,6 +201,8 @@ |
| 76 | printf("side: source "); |
| 77 | if (info->side == XT_RECENT_DEST) |
| 78 | printf("side: dest "); |
| 79 | + if (info->check_set & XT_RECENT_REAP) |
| 80 | + printf("reap "); |
| 81 | } |
| 82 | |
| 83 | static void recent_save(const void *ip, const struct xt_entry_match *match) |
| 84 | @@ -210,6 +228,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match) |
| 85 | printf("--rsource "); |
| 86 | if (info->side == XT_RECENT_DEST) |
| 87 | printf("--rdest "); |
| 88 | + if (info->check_set & XT_RECENT_REAP) |
| 89 | + printf("--reap "); |
| 90 | } |
| 91 | |
| 92 | static struct xtables_match recent_mt_reg = { |
| 93 | diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man |
| 94 | index 532c328..26e4fb9 100644 |
| 95 | --- a/extensions/libxt_recent.man |
| 96 | +++ b/extensions/libxt_recent.man |
| 97 | @@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or |
| 98 | \fB\-\-update\fP. When used, this will narrow the match to only happen when the |
| 99 | address is in the list and was seen within the last given number of seconds. |
| 100 | .TP |
| 101 | +\fB\-\-reap\fP \fIreap\fP |
| 102 | +This option must be used in conjunction with \fB\-\-seconds\fP. When used, this |
| 103 | +will remove entries with the most recent timestamp older then \fB\-\-seconds\fP |
| 104 | +since the last packet was received. |
| 105 | +.TP |
| 106 | \fB\-\-hitcount\fP \fIhits\fP |
| 107 | This option must be used in conjunction with one of \fB\-\-rcheck\fP or |
| 108 | \fB\-\-update\fP. When used, this will narrow the match to only happen when the |
| 109 | diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h |
| 110 | index d2c2766..e21acdf 100644 |
| 111 | --- a/include/linux/netfilter/xt_recent.h |
| 112 | +++ b/include/linux/netfilter/xt_recent.h |
| 113 | @@ -16,6 +17,9 @@ enum { |
| 114 | XT_RECENT_NAME_LEN = 200, |
| 115 | }; |
| 116 | |
| 117 | +/* Only allowed with --rcheck and --update */ |
| 118 | +#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP) |
| 119 | + |
| 120 | struct xt_recent_mtinfo { |
| 121 | __u32 seconds; |
| 122 | __u32 hit_count; |
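Review bot: `XT_RECENT_MODIFIERS` is added to the shared header but nothing in the userspace side of this patch uses it; recent_check spells out the `--rttl` and `--reap` restrictions by hand instead. If the mask is intended for the kernel module's own validation, the comment should say so, e.g. `/* Modifier flags, valid only with XT_RECENT_CHECK or XT_RECENT_UPDATE; enforced by the kernel match */`; if it is meant for libxt_recent, recent_check could test `flags & XT_RECENT_MODIFIERS` once rather than each bit separately. The `XT_RECENT_REAP` enumerator the mask refers to does not appear in this hunk; the diffstat's seven insertions for this header suggest it is defined in a part of the diff not shown here.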
| 123 | |