ath9k: fix reliability issues with TKIP MIC verification
1 From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
2 From: Tim Gardner <tim.gardner@canonical.com>
3 Date: Mon, 1 Mar 2010 19:00:29 -0700
4 Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
5
6 Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
7 ---
8 extensions/libxt_recent.c | 20 ++++++++++++++++++++
9 extensions/libxt_recent.man | 5 +++++
10 include/linux/netfilter/xt_recent.h | 7 +++++++
11 3 files changed, 32 insertions(+), 0 deletions(-)
12
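diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 4ac32f7..7e3d280 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -20,6 +20,7 @@ static const struct option recent_opts[] = {
 {.name = "name", .has_arg = true, .val = 208},
 {.name = "rsource", .has_arg = false, .val = 209},
 {.name = "rdest", .has_arg = false, .val = 210},
+ {.name = "reap", .has_arg = false, .val = 211},
 XT_GETOPT_TABLEEND,
 };
 
@@ -36,6 +37,7 @@ static void recent_help(void)
 " --hitcount hits For check and update commands above.\n"
 " Specifies that the match will only occur if source address seen hits times.\n"
 " May be used in conjunction with the seconds option.\n"
+" --reap Remove entries that have expired. Can only be used with --seconds\n"
 " --rttl For check and update commands above.\n"
 " Specifies that the match will only occur if the source address and the TTL\n"
 " match between this packet and the one which was set.\n"
@@ -62,6 +64,8 @@ static void recent_init(struct xt_entry_match *match)
 (XT_RECENT_SET | XT_RECENT_CHECK | \
 XT_RECENT_UPDATE | XT_RECENT_REMOVE)
 
+#define XT_RECENT_SECONDS 1 << 31
+
 static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
 const void *entry, struct xt_entry_match **match)
 {
@@ -103,6 +107,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
 
 case 204:
 info->seconds = atoi(optarg);
+ *flags |= XT_RECENT_SECONDS;
 break;
 
 case 205:
@@ -138,6 +143,11 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
 info->side = XT_RECENT_DEST;
 break;
 
+ case 211:
+ info->check_set |= XT_RECENT_REAP;
+ *flags |= XT_RECENT_REAP;
+ break;
+
 default:
 return 0;
 }
@@ -156,6 +166,12 @@ static void recent_check(unsigned int flags)
 xtables_error(PARAMETER_PROBLEM,
 "recent: --rttl may only be used with --rcheck or "
 "--update");
+ if ((flags & XT_RECENT_REAP) &&
+ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
+ (!(flags & XT_RECENT_SECONDS))))
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: --reap may only be used with --rcheck or "
+ "--update and --seconds");
 }
 
 static void recent_print(const void *ip, const struct xt_entry_match *match,
@@ -185,6 +201,8 @@
 printf("side: source ");
 if (info->side == XT_RECENT_DEST)
 printf("side: dest ");
+ if (info->check_set & XT_RECENT_REAP)
+ printf("reap ");
 }
 
 static void recent_save(const void *ip, const struct xt_entry_match *match)
@@ -210,6 +228,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match)
 printf("--rsource ");
 if (info->side == XT_RECENT_DEST)
 printf("--rdest ");
+ if (info->check_set & XT_RECENT_REAP)
+ printf("--reap ");
 }
 
 static struct xtables_match recent_mt_reg = {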
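Review bot: `#define XT_RECENT_SECONDS 1 << 31` in the hunk before recent_parse is an unparenthesized macro whose expansion shifts a signed int into its sign bit, which is undefined behaviour in C; it only appears to work in `*flags |= XT_RECENT_SECONDS` because the result is immediately converted to unsigned. Define it as `#define XT_RECENT_SECONDS (1U << 31)` and add `/* userspace-only parse flag; must not collide with any kernel XT_RECENT_* bit */`, since the same flags word also receives XT_RECENT_REAP from the kernel header in the `case 211` hunk. The new recent_check test is a user-space convenience only: `info->check_set` is handed to the kernel unchanged, so the kernel module presumably has to enforce the same "reap only with --rcheck/--update and a non-zero seconds" rule itself, which this patch does not show. The option table declares `.has_arg = false` for `reap`, while the man page hunk in this patch documents it as `\fB\-\-reap\fP \fIreap\fP`, i.e. with an argument; one of the two should be corrected.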
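diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 532c328..26e4fb9 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
 \fB\-\-update\fP. When used, this will narrow the match to only happen when the
 address is in the list and was seen within the last given number of seconds.
 .TP
+\fB\-\-reap\fP \fIreap\fP
+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
+since the last packet was received.
+.TP
 \fB\-\-hitcount\fP \fIhits\fP
 This option must be used in conjunction with one of \fB\-\-rcheck\fP or
 \fB\-\-update\fP. When used, this will narrow the match to only happen when the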
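diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
index d2c2766..e21acdf 100644
--- a/include/linux/netfilter/xt_recent.h
+++ b/include/linux/netfilter/xt_recent.h
@@ -16,6 +17,9 @@ enum {
 XT_RECENT_NAME_LEN = 200,
 };
 
+/* Only allowed with --rcheck and --update */
+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
+
 struct xt_recent_mtinfo {
 __u32 seconds;
 __u32 hit_count;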
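Review bot: `XT_RECENT_MODIFIERS` references `XT_RECENT_REAP`, but no hunk in this patch adds that value to the enum that closes just above it, so the header as patched would not compile; the shifted new-side start in the hunk header (`+17` against `-16`) and the diffstat's 7 insertions for this file against the 3 shown suggest an earlier hunk adding the enum member was dropped from the patch. If the value is restored by hand, its bit must be identical to the one the kernel module uses, because `info->check_set` is passed to the kernel unchanged and a mismatched bit would silently select a different modifier. The enum block begins above this hunk.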