mirror of
git://projects.qi-hardware.com/openwrt-xburst.git
synced 2024-11-24 03:30:37 +02:00
[package] iptables: add support for ipt_recent --reap option
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26008 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
parent
ec6dc72a0f
commit
12cb169da3
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Copyright (C) 2006-2010 OpenWrt.org
|
# Copyright (C) 2006-2011 OpenWrt.org
|
||||||
#
|
#
|
||||||
# This is free software, licensed under the GNU General Public License v2.
|
# This is free software, licensed under the GNU General Public License v2.
|
||||||
# See /LICENSE for more information.
|
# See /LICENSE for more information.
|
||||||
@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
|
|||||||
|
|
||||||
PKG_NAME:=iptables
|
PKG_NAME:=iptables
|
||||||
PKG_VERSION:=1.4.10
|
PKG_VERSION:=1.4.10
|
||||||
PKG_RELEASE:=1
|
PKG_RELEASE:=2
|
||||||
|
|
||||||
PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198
|
PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198
|
||||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||||
|
122
package/iptables/patches/011-recent-add-reap.patch
Normal file
122
package/iptables/patches/011-recent-add-reap.patch
Normal file
@ -0,0 +1,122 @@
|
|||||||
|
From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tim Gardner <tim.gardner@canonical.com>
|
||||||
|
Date: Mon, 1 Mar 2010 19:00:29 -0700
|
||||||
|
Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
|
||||||
|
|
||||||
|
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
||||||
|
---
|
||||||
|
extensions/libxt_recent.c | 20 ++++++++++++++++++++
|
||||||
|
extensions/libxt_recent.man | 5 +++++
|
||||||
|
include/linux/netfilter/xt_recent.h | 7 +++++++
|
||||||
|
3 files changed, 32 insertions(+), 0 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
|
||||||
|
index 4ac32f7..7e3d280 100644
|
||||||
|
--- a/extensions/libxt_recent.c
|
||||||
|
+++ b/extensions/libxt_recent.c
|
||||||
|
@@ -20,6 +20,7 @@ static const struct option recent_opts[] = {
|
||||||
|
{.name = "name", .has_arg = true, .val = 208},
|
||||||
|
{.name = "rsource", .has_arg = false, .val = 209},
|
||||||
|
{.name = "rdest", .has_arg = false, .val = 210},
|
||||||
|
+ {.name = "reap", .has_arg = false, .val = 211},
|
||||||
|
XT_GETOPT_TABLEEND,
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -36,6 +37,7 @@ static void recent_help(void)
|
||||||
|
" --hitcount hits For check and update commands above.\n"
|
||||||
|
" Specifies that the match will only occur if source address seen hits times.\n"
|
||||||
|
" May be used in conjunction with the seconds option.\n"
|
||||||
|
+" --reap Remove entries that have expired. Can only be used with --seconds\n"
|
||||||
|
" --rttl For check and update commands above.\n"
|
||||||
|
" Specifies that the match will only occur if the source address and the TTL\n"
|
||||||
|
" match between this packet and the one which was set.\n"
|
||||||
|
@@ -62,6 +64,8 @@ static void recent_init(struct xt_entry_match *match)
|
||||||
|
(XT_RECENT_SET | XT_RECENT_CHECK | \
|
||||||
|
XT_RECENT_UPDATE | XT_RECENT_REMOVE)
|
||||||
|
|
||||||
|
+#define XT_RECENT_SECONDS 1 << 31
|
||||||
|
+
|
||||||
|
static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
|
||||||
|
const void *entry, struct xt_entry_match **match)
|
||||||
|
{
|
||||||
|
@@ -103,6 +107,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
|
||||||
|
|
||||||
|
case 204:
|
||||||
|
info->seconds = atoi(optarg);
|
||||||
|
+ *flags |= XT_RECENT_SECONDS;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 205:
|
||||||
|
@@ -138,6 +143,11 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
|
||||||
|
info->side = XT_RECENT_DEST;
|
||||||
|
break;
|
||||||
|
|
||||||
|
+ case 211:
|
||||||
|
+ info->check_set |= XT_RECENT_REAP;
|
||||||
|
+ *flags |= XT_RECENT_REAP;
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
default:
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -156,6 +166,12 @@ static void recent_check(unsigned int flags)
|
||||||
|
xtables_error(PARAMETER_PROBLEM,
|
||||||
|
"recent: --rttl may only be used with --rcheck or "
|
||||||
|
"--update");
|
||||||
|
+ if ((flags & XT_RECENT_REAP) &&
|
||||||
|
+ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
|
||||||
|
+ (!(flags & XT_RECENT_SECONDS))))
|
||||||
|
+ xtables_error(PARAMETER_PROBLEM,
|
||||||
|
+ "recent: --reap may only be used with --rcheck or "
|
||||||
|
+ "--update and --seconds");
|
||||||
|
}
|
||||||
|
|
||||||
|
static void recent_print(const void *ip, const struct xt_entry_match *match,
|
||||||
|
@@ -185,6 +201,8 @@
|
||||||
|
printf("side: source ");
|
||||||
|
if (info->side == XT_RECENT_DEST)
|
||||||
|
printf("side: dest ");
|
||||||
|
+ if (info->check_set & XT_RECENT_REAP)
|
||||||
|
+ printf("reap ");
|
||||||
|
}
|
||||||
|
|
||||||
|
static void recent_save(const void *ip, const struct xt_entry_match *match)
|
||||||
|
@@ -210,6 +228,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match)
|
||||||
|
printf("--rsource ");
|
||||||
|
if (info->side == XT_RECENT_DEST)
|
||||||
|
printf("--rdest ");
|
||||||
|
+ if (info->check_set & XT_RECENT_REAP)
|
||||||
|
+ printf("--reap ");
|
||||||
|
}
|
||||||
|
|
||||||
|
static struct xtables_match recent_mt_reg = {
|
||||||
|
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
|
||||||
|
index 532c328..26e4fb9 100644
|
||||||
|
--- a/extensions/libxt_recent.man
|
||||||
|
+++ b/extensions/libxt_recent.man
|
||||||
|
@@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
|
||||||
|
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
|
||||||
|
address is in the list and was seen within the last given number of seconds.
|
||||||
|
.TP
|
||||||
|
+\fB\-\-reap\fP \fIreap\fP
|
||||||
|
+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
|
||||||
|
+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
|
||||||
|
+since the last packet was received.
|
||||||
|
+.TP
|
||||||
|
\fB\-\-hitcount\fP \fIhits\fP
|
||||||
|
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
|
||||||
|
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
|
||||||
|
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
|
||||||
|
index d2c2766..e21acdf 100644
|
||||||
|
--- a/include/linux/netfilter/xt_recent.h
|
||||||
|
+++ b/include/linux/netfilter/xt_recent.h
|
||||||
|
@@ -16,6 +17,9 @@ enum {
|
||||||
|
XT_RECENT_NAME_LEN = 200,
|
||||||
|
};
|
||||||
|
|
||||||
|
+/* Only allowed with --rcheck and --update */
|
||||||
|
+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
|
||||||
|
+
|
||||||
|
struct xt_recent_mtinfo {
|
||||||
|
__u32 seconds;
|
||||||
|
__u32 hit_count;
|
Loading…
Reference in New Issue
Block a user