package/network/utils/iptables/patches/011-recent-add-reap.patch

   1 From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
   2 From: Tim Gardner <tim.gardner@canonical.com>
   3 Date: Mon, 1 Mar 2010 19:00:29 -0700
   4 Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
   5
   6 Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
   7 ---
   8  extensions/libxt_recent.c           |   20 ++++++++++++++++++++
   9  extensions/libxt_recent.man         |    5 +++++
  10  include/linux/netfilter/xt_recent.h |    7 +++++++
  11  3 files changed, 32 insertions(+), 0 deletions(-)
  12
  13 --- a/extensions/libxt_recent.c
  14 +++ b/extensions/libxt_recent.c
  15 @@ -20,6 +20,7 @@ static const struct option recent_opts[]
  16         {.name = "name",     .has_arg = true,  .val = 208},
  17         {.name = "rsource",  .has_arg = false, .val = 209},
  18         {.name = "rdest",    .has_arg = false, .val = 210},
  19 +       {.name = "reap",     .has_arg = false, .val = 211},
  20         XT_GETOPT_TABLEEND,
  21  };
  22
  23 @@ -37,6 +38,7 @@ static void recent_help(void)
  24  "    --hitcount hits             For check and update commands above.\n"
  25  "                                Specifies that the match will only occur if source address seen hits times.\n"
  26  "                                May be used in conjunction with the seconds option.\n"
  27 +"    --reap                      Remove entries that have expired. Can only be used with --seconds\n"
  28  "    --rttl                      For check and update commands above.\n"
  29  "                                Specifies that the match will only occur if the source address and the TTL\n"
  30  "                                match between this packet and the one which was set.\n"
  31 @@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_
  32         (XT_RECENT_SET | XT_RECENT_CHECK | \
  33         XT_RECENT_UPDATE | XT_RECENT_REMOVE)
  34
  35 +#define XT_RECENT_SECONDS 1 << 31
  36 +
  37  static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
  38                          const void *entry, struct xt_entry_match **match)
  39  {
  40 @@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar
  41
  42                 case 204:
  43                         info->seconds = atoi(optarg);
  44 +                       *flags |= XT_RECENT_SECONDS;
  45                         break;
  46
  47                 case 205:
  48 @@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar
  49                         info->side = XT_RECENT_DEST;
  50                         break;
  51
  52 +               case 211:
  53 +                       info->check_set |= XT_RECENT_REAP;
  54 +                       *flags |= XT_RECENT_REAP;
  55 +                       break;
  56 +
  57                 default:
  58                         return 0;
  59         }
  60 @@ -157,6 +167,12 @@ static void recent_check(unsigned int fl
  61                 xtables_error(PARAMETER_PROBLEM,
  62                            "recent: --rttl may only be used with --rcheck or "
  63                            "--update");
  64 +       if ((flags & XT_RECENT_REAP) &&
  65 +           ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
  66 +           (!(flags & XT_RECENT_SECONDS))))
  67 +               xtables_error(PARAMETER_PROBLEM,
  68 +                          "recent: --reap may only be used with --rcheck or "
  69 +                          "--update and --seconds");
  70  }
  71
  72  static void recent_print(const void *ip, const struct xt_entry_match *match,
  73 @@ -185,6 +201,8 @@ static void recent_print(const void *ip,
  74                 printf("side: source ");
  75         if (info->side == XT_RECENT_DEST)
  76                 printf("side: dest ");
  77 +       if (info->check_set & XT_RECENT_REAP)
  78 +               printf("reap ");
  79  }
  80
  81  static void recent_save(const void *ip, const struct xt_entry_match *match)
  82 @@ -211,6 +229,8 @@ static void recent_save(const void *ip,
  83                 printf("--rsource ");
  84         if (info->side == XT_RECENT_DEST)
  85                 printf("--rdest ");
  86 +       if (info->check_set & XT_RECENT_REAP)
  87 +               printf("--reap ");
  88  }
  89
  90  static struct xtables_match recent_mt_reg = {
  91 --- a/extensions/libxt_recent.man
  92 +++ b/extensions/libxt_recent.man
  93 @@ -41,6 +41,11 @@ This option must be used in conjunction
  94  \fB\-\-update\fP. When used, this will narrow the match to only happen when the
  95  address is in the list and was seen within the last given number of seconds.
  96  .TP
  97 +\fB\-\-reap\fP \fIreap\fP
  98 +This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
  99 +will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
 100 +since the last packet was received.
 101 +.TP
 102  \fB\-\-hitcount\fP \fIhits\fP
 103  This option must be used in conjunction with one of \fB\-\-rcheck\fP or
 104  \fB\-\-update\fP. When used, this will narrow the match to only happen when the
 105 --- a/include/linux/netfilter/xt_recent.h
 106 +++ b/include/linux/netfilter/xt_recent.h
 107 @@ -23,6 +23,9 @@ enum {
 108  #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
 109                                XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
 110
 111 +/* Only allowed with --rcheck and --update */
 112 +#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
 113 +
 114  struct xt_recent_mtinfo {
 115         __u32 seconds;
 116         __u32 hit_count;