From: Tim Gardner <tim.gardner@canonical.com>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: netfilter-devel@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [PATCH v3] iptables: libxt_recent: Add support for --reap option
Date: Fri, 02 Dec 2011 11:46:07 -0700	[thread overview]
Message-ID: <4ED91CEF.1080006@canonical.com> (raw)
In-Reply-To: <alpine.LNX.2.01.1112021628190.5296@frira.zrqbmnf.qr>

[-- Attachment #1: Type: text/plain, Size: 1637 bytes --]

On 12/02/2011 08:30 AM, Jan Engelhardt wrote:
>
> On Friday 2011-12-02 02:29, Tim Gardner wrote:
>> @@ -34,6 +36,8 @@ static const struct xt_option_entry recent_opts[] = {
>> 	 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
>> 	{.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
>> 	 .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)},
>> +	{.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
>> +	 .also = F_SECONDS },
>> 	{.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
>> 	 .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
>> 	{.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
>
>> +
>> +	if ((info->check_set&  XT_RECENT_REAP)&&  !info->seconds)
>> +		xtables_error(PARAMETER_PROBLEM,
>> +			"recent: you must specify `--seconds' with `--reap'");
>> }
>
> Well, I did mean that .also = F_SECONDS makes the extra
> "info->check_set&  XT_RECENT_REAP)&&  !info->seconds" test
> redundant. Or, the error message is wrong, because you are
> actually testing for seconds==0 rather than "reap was specified
> without seconds".
> Is seconds=0 even useful for non-reap cases?

It's not meaningful: 0 is the default value in the kernel filter 
and implies no timeout.

> If not, we should probably consider using .min=1 on the --seconds
> parameter, in which case the test is also redundant.
>

Done. Tested with the following combinations and received the expected 
failures on the first 2:

iptables -A FORWARD -m recent --rcheck --seconds 0 -j DROP
iptables -A FORWARD -m recent --rcheck --reap -j DROP
iptables -A FORWARD -m recent --rcheck --seconds 10 --reap -j DROP

rtg
-- 
Tim Gardner tim.gardner@canonical.com

[-- Attachment #2: 0001-libxt_recent-Add-support-for-reap-option.patch --]
[-- Type: text/x-patch, Size: 4443 bytes --]

>From 0957b0f655506852b8a612910d7d9a6176bc58b0 Mon Sep 17 00:00:00 2001
From: Tim Gardner <tim.gardner@canonical.com>
Date: Wed, 30 Nov 2011 08:16:53 -0700
Subject: [PATCH v3] libxt_recent: Add support for --reap option

Support for the reap option was merged in the kernel as of 2.6.35.

Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 extensions/libxt_recent.c   |   17 ++++++++++++++++-
 extensions/libxt_recent.man |    5 +++++
 2 files changed, 21 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 1e1a111..46b8fe9 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -10,6 +10,7 @@ enum {
 	O_UPDATE,
 	O_REMOVE,
 	O_SECONDS,
+	O_REAP,
 	O_HITCOUNT,
 	O_RTTL,
 	O_NAME,
@@ -19,6 +20,7 @@ enum {
 	F_RCHECK = 1 << O_RCHECK,
 	F_UPDATE = 1 << O_UPDATE,
 	F_REMOVE = 1 << O_REMOVE,
+	F_SECONDS = 1 << O_SECONDS,
 	F_ANY_OP = F_SET | F_RCHECK | F_UPDATE | F_REMOVE,
 };
 
@@ -33,7 +35,9 @@ static const struct xt_option_entry recent_opts[] = {
 	{.name = "remove", .id = O_REMOVE, .type = XTTYPE_NONE,
 	 .excl = F_ANY_OP, .flags = XTOPT_INVERT},
 	{.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
-	 .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)},
+	 .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds), .min = 1},
+	{.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
+	 .also = F_SECONDS },
 	{.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
 	 .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
 	{.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
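Review bot: The `.min = 1` on `--seconds` rejects `--seconds 0`, which the old table accepted, and the commit message only talks about `--reap`; the change is unrelated to the new option and deserves a line in the description and a comment in the table. Per the discussion above, 0 is the kernel's default and means "no timeout", so passing it explicitly never did anything; a comment such as `/* 0 is the kernel default (no timeout); reject it so --reap always has a real window */` next to `.min = 1` records why. Since `recent_print` and `recent_save` only emit `seconds` when it is non-zero, saved rulesets should not be affected, but rules typed by hand with `--seconds 0` will now fail to load. The `.also = F_SECONDS` on `--reap` makes a separate seconds check in `recent_check` unnecessary, as noted in the thread.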
@@ -57,6 +61,8 @@ static void recent_help(void)
 "    --seconds seconds           For check and update commands above.\n"
 "                                Specifies that the match will only occur if source address last seen within\n"
 "                                the last 'seconds' seconds.\n"
+"    --reap                      Purge entries older then 'seconds'.\n"
+"                                Can only be used in conjunction with the seconds option.\n"
 "    --hitcount hits             For check and update commands above.\n"
 "                                Specifies that the match will only occur if source address seen hits times.\n"
 "                                May be used in conjunction with the seconds option.\n"
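Review bot: The new `--reap` help string has a typo in user-visible output: "older then 'seconds'" should read "older than 'seconds'", i.e. `"    --reap                      Purge entries older than 'seconds'.\n"`. It is also worth stating in the help that `--reap` needs a kernel with reap support (the commit message says 2.6.35+), since on an older kernel the rule will be rejected at insert time with a much less helpful error; a clause like `Requires a kernel that supports XT_RECENT_REAP.` on the second help line would do. The enclosing `recent_help` function starts and ends outside the hunk.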
@@ -117,11 +123,16 @@ static void recent_parse(struct xt_option_call *cb)
 	case O_RDEST:
 		info->side = XT_RECENT_DEST;
 		break;
+	case O_REAP:
+		info->check_set |= XT_RECENT_REAP;
+		break;
 	}
 }
 
 static void recent_check(struct xt_fcheck_call *cb)
 {
+	struct xt_recent_mtinfo *info = cb->data;
+
 	if (!(cb->xflags & F_ANY_OP))
 		xtables_error(PARAMETER_PROBLEM,
 			"recent: you must specify one of `--set', `--rcheck' "
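Review bot: `struct xt_recent_mtinfo *info = cb->data;` is added to `recent_check`, but the only user of it in v2, the `XT_RECENT_REAP && !info->seconds` test, was dropped in this version in favour of `.also = F_SECONDS` and `.min = 1`. Unless the part of `recent_check` below the hunk reads `info` (the function continues outside the hunk), this is now an unused variable and will warn under `-Wunused-variable`; drop the declaration and the blank line after it. If a later check does need `info`, keep the declaration but add a comment saying what it is used for.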
@@ -146,6 +157,8 @@ static void recent_print(const void *ip, const struct xt_entry_match *match,
 	if (info->check_set & XT_RECENT_REMOVE)
 		printf(" REMOVE");
 	if(info->seconds) printf(" seconds: %d", info->seconds);
+	if(info->check_set & XT_RECENT_REAP)
+		printf(" reap");
 	if(info->hit_count) printf(" hit_count: %d", info->hit_count);
 	if (info->check_set & XT_RECENT_TTL)
 		printf(" TTL-Match");
@@ -172,6 +185,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match)
 	if (info->check_set & XT_RECENT_REMOVE)
 		printf(" --remove");
 	if(info->seconds) printf(" --seconds %d", info->seconds);
+	if(info->check_set & XT_RECENT_REAP)
+		printf(" --reap");
 	if(info->hit_count) printf(" --hitcount %d", info->hit_count);
 	if (info->check_set & XT_RECENT_TTL)
 		printf(" --rttl");
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 0392c2c..8043df4 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
 \fB\-\-update\fP. When used, this will narrow the match to only happen when the
 address is in the list and was seen within the last given number of seconds.
 .TP
+\fB\-\-reap\fP
+This option can only be used in conjunction with \fB\-\-seconds\fP.
+When used, this will cause entries older than the last given number of seconds
+to be purged.
+.TP
 \fB\-\-hitcount\fP \fIhits\fP
 This option must be used in conjunction with one of \fB\-\-rcheck\fP or
 \fB\-\-update\fP. When used, this will narrow the match to only happen when the
-- 
1.7.0.4

