From: Tim Gardner <tim.gardner@canonical.com>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: netfilter-devel@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [PATCH v3] iptables: libxt_recent: Add support for --reap option
Date: Thu, 08 Dec 2011 19:31:42 -0700
Message-ID: <4EE1730E.90200@canonical.com>
In-Reply-To: <4ED91CEF.1080006@canonical.com>
On 12/02/2011 11:46 AM, Tim Gardner wrote:
> On 12/02/2011 08:30 AM, Jan Engelhardt wrote:
>>
>> On Friday 2011-12-02 02:29, Tim Gardner wrote:
>>> @@ -34,6 +36,8 @@ static const struct xt_option_entry recent_opts[] = {
>>> .excl = F_ANY_OP, .flags = XTOPT_INVERT},
>>> {.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32,
>>> .flags = XTOPT_PUT, XTOPT_POINTER(s, seconds)},
>>> + {.name = "reap", .id = O_REAP, .type = XTTYPE_NONE,
>>> + .also = F_SECONDS },
>>> {.name = "hitcount", .id = O_HITCOUNT, .type = XTTYPE_UINT32,
>>> .flags = XTOPT_PUT, XTOPT_POINTER(s, hit_count)},
>>> {.name = "rttl", .id = O_RTTL, .type = XTTYPE_NONE,
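Review bot: with `.also = F_SECONDS` on the new `reap` entry the option parser already refuses `--reap` given without `--seconds`, so the explicit `check_set & XT_RECENT_REAP` test added to the finalizer below duplicates it and can go. What `.also` does not catch is `--seconds 0`; since 0 is the kernel default meaning no timeout, give the `seconds` entry `.min = 1` so that case is rejected at parse time as well.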
>>
>>> +
>>> + if ((info->check_set& XT_RECENT_REAP)&& !info->seconds)
>>> + xtables_error(PARAMETER_PROBLEM,
>>> + "recent: you must specify `--seconds' with `--reap'");
>>> }
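Review bot: the message does not match the condition it guards: `!info->seconds` is also true for `--seconds 0 --reap`, where the user did specify `--seconds`, so they are told to add an option they already passed. Either reword it to say `--seconds` must be nonzero with `--reap`, or drop the test and express both constraints in the option table (`.also = F_SECONDS` on `reap`, `.min = 1` on `seconds`).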
>>
>> Well, I did mean that .also = F_SECONDS makes the extra
>> "info->check_set & XT_RECENT_REAP) && !info->seconds" test
>> redundant. Or, the error message is wrong, because you are
>> actually testing for seconds==0 rather than "reap was specified
>> without seconds".
>> Is seconds=0 even useful for non-reap cases?
>
> It's not meaningful in that 0 is the default value in the kernel filter
> and implies no timeout.
>
>> If not, we should probably consider using .min=1 on the --seconds
>> parameter, in which case the test is also redundant.
>>
>
> Done. Tested with the following combinations and received the expected
> failures on the first 2:
>
> iptables -A FORWARD -m recent --rcheck --seconds 0 -j DROP
> iptables -A FORWARD -m recent --rcheck --reap -j DROP
> iptables -A FORWARD -m recent --rcheck --seconds 10 --reap -j DROP
>
> rtg
Jan? Is this v3 patch sufficient?
rtg
--
Tim Gardner tim.gardner@canonical.com
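The redundancy Jan describes (`.also = F_SECONDS` on `--reap` plus `.min = 1` on `--seconds` subsuming the hand-written `check_set & XT_RECENT_REAP` test) and the three command lines Tim tried, modelled as an added example. This is hypothetical stand-in code written for this page, not libxtables or the iptables patch: the option table, `parse_recent`, the `FAIL` macro and the `O_*`/`F_*`/`XTTYPE_*` names are assumptions that only mimic the libxt_recent naming, and the three argument lists are constructed from the combinations quoted above.

```c
/* Added model of the .also/.min option constraints discussed above; a hypothetical stand-in, not libxtables code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { O_RCHECK, O_SECONDS, O_REAP };		/* option ids, also used as bit numbers */
enum { XTTYPE_NONE, XTTYPE_UINT32 };
#define F_SECONDS (1u << O_SECONDS)
#define F_REAP    (1u << O_REAP)

struct opt_entry {
	const char *name;
	unsigned int id;
	int type;
	unsigned int also;	/* options that must also be given */
	uint32_t min;		/* smallest accepted value (UINT32 only) */
};

/* Constrained table: --reap needs --seconds, and --seconds must be >= 1. */
static const struct opt_entry recent_opts[] = {
	{.name = "rcheck",  .id = O_RCHECK,  .type = XTTYPE_NONE},
	{.name = "seconds", .id = O_SECONDS, .type = XTTYPE_UINT32, .min = 1},
	{.name = "reap",    .id = O_REAP,    .type = XTTYPE_NONE, .also = F_SECONDS},
};
#define N_OPTS (sizeof(recent_opts) / sizeof(recent_opts[0]))

struct recent_info {
	uint32_t seconds;	/* 0 = no timeout, the kernel default */
	unsigned int flags;	/* F_* bits of the options seen */
};

static const struct opt_entry *lookup(const char *arg)
{
	size_t i;
	for (i = 0; strncmp(arg, "--", 2) == 0 && i < N_OPTS; i++)
		if (strcmp(arg + 2, recent_opts[i].name) == 0)
			return &recent_opts[i];
	return NULL;
}

/* Write a parameter-problem message into the caller's err buffer and yield -1. */
#define FAIL(...) (snprintf(err, errlen, __VA_ARGS__), -1)

/* Parse argv-style tokens; 0 on success, -1 with a message in err otherwise. */
int parse_recent(int argc, const char *const argv[], struct recent_info *info,
		 char *err, size_t errlen)
{
	size_t i;
	int a;

	memset(info, 0, sizeof(*info));
	for (a = 0; a < argc; a++) {
		const struct opt_entry *e = lookup(argv[a]);
		unsigned long v = 0;
		char *end;

		if (e == NULL)
			return FAIL("unknown option `%s'", argv[a]);
		if (e->type == XTTYPE_UINT32) {
			if (++a >= argc)
				return FAIL("--%s needs a value", e->name);
			v = strtoul(argv[a], &end, 10);
			/* .min is enforced here, so "--seconds 0" never reaches the finalizer. */
			if (*end != '\0' || v > UINT32_MAX || v < e->min)
				return FAIL("--%s: bad value `%s' (min %u)", e->name, argv[a], (unsigned int)e->min);
		}
		info->flags |= 1u << e->id;
		if (e->id == O_SECONDS)
			info->seconds = (uint32_t)v;
	}
	for (i = 0; i < N_OPTS; i++)	/* .also: every companion of a used option must be present */
		if ((info->flags & (1u << recent_opts[i].id)) &&
		    (info->flags & recent_opts[i].also) != recent_opts[i].also)
			return FAIL("--%s needs a companion option", recent_opts[i].name);
	/* The patch's hand-written finalizer test cannot fire any more: F_REAP
	 * implies F_SECONDS (.also), and F_SECONDS implies seconds >= 1 (.min). */
	if ((info->flags & F_REAP) && info->seconds == 0)
		return FAIL("unreachable: --reap without nonzero --seconds");
	return 0;
}

int main(void)
{
	/* The three combinations from the thread; the first two must be rejected. */
	const char *const cases[3][4] = {{"--rcheck", "--seconds", "0"},
		{"--rcheck", "--reap"}, {"--rcheck", "--seconds", "10", "--reap"}};
	const int n[3] = {3, 2, 4};
	struct recent_info ri;
	char err[96];
	int i;

	for (i = 0; i < 3; i++)
		printf("case %d: %s\n", i + 1, parse_recent(n[i], cases[i], &ri, err, sizeof err) ? err : "accepted");
	return 0;
}
```

The point to take from the run is which layer rejects each line: `--seconds 0` fails on `.min` while the value is being parsed, `--reap` alone fails on `.also` once all options are in, and the finalizer-style test at the end is dead code, which is why the explicit check in the patch adds nothing once the table carries both constraints.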
Thread overview: 5+ messages
2011-12-02 1:29 [PATCH v2] iptables: libxt_recent: Add support for --reap option Tim Gardner
2011-12-02 15:30 ` Jan Engelhardt
2011-12-02 18:46 ` [PATCH v3] " Tim Gardner
2011-12-09 2:31 ` Tim Gardner [this message]
2011-12-09 4:17 ` Jan Engelhardt