From cefba2ca2fc2eac0289b93faa38de5e03b5022ee Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 10 Mar 2011 13:51:37 +0000
Subject: [PATCH] iptables: add support for ipt_recent --reap option
SVN-Revision: 26008
---
 package/iptables/Makefile | 4 +-
 .../patches/011-recent-add-reap.patch | 122 ++++++++++++++++++
 2 files changed, 124 insertions(+), 2 deletions(-)
 create mode 100644 package/iptables/patches/011-recent-add-reap.patch
diff --git a/package/iptables/Makefile b/package/iptables/Makefile
index 4bef3388e7..898104bff3 100644
--- a/package/iptables/Makefile
+++ b/package/iptables/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2010 OpenWrt.org
+# Copyright (C) 2006-2011 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=iptables
 PKG_VERSION:=1.4.10
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
diff --git a/package/iptables/patches/011-recent-add-reap.patch b/package/iptables/patches/011-recent-add-reap.patch
new file mode 100644
index 0000000000..082c4c5ec0
--- /dev/null
+++ b/package/iptables/patches/011-recent-add-reap.patch
@@ -0,0 +1,122 @@
+From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
+From: Tim Gardner
+Date: Mon, 1 Mar 2010 19:00:29 -0700
+Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
+
+Signed-off-by: Tim Gardner
+---
+ extensions/libxt_recent.c | 20 ++++++++++++++++++++
+ extensions/libxt_recent.man | 5 +++++
+ include/linux/netfilter/xt_recent.h | 7 +++++++
+ 3 files changed, 32 insertions(+), 0 deletions(-)
+
+diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
+index 4ac32f7..7e3d280 100644
+--- a/extensions/libxt_recent.c
++++ b/extensions/libxt_recent.c
+@@ -20,6 +20,7 @@ static const struct option recent_opts[] = {
+ {.name = "name", .has_arg = true, .val = 208},
+ {.name = "rsource", .has_arg = false, .val = 209},
+ {.name = "rdest", .has_arg = false, .val = 210},
++ {.name = "reap", .has_arg = false, .val = 211},
+ XT_GETOPT_TABLEEND,
+ };
+
+@@ -36,6 +37,7 @@ static void recent_help(void)
+ " --hitcount hits For check and update commands above.\n"
+ " Specifies that the match will only occur if source address seen hits times.\n"
+ " May be used in conjunction with the seconds option.\n"
++" --reap Remove entries that have expired. Can only be used with --seconds\n"
+ " --rttl For check and update commands above.\n"
+ " Specifies that the match will only occur if the source address and the TTL\n"
+ " match between this packet and the one which was set.\n"
+@@ -62,6 +64,8 @@ static void recent_init(struct xt_entry_match *match)
+ (XT_RECENT_SET | XT_RECENT_CHECK | \
+ XT_RECENT_UPDATE | XT_RECENT_REMOVE)
+
++#define XT_RECENT_SECONDS 1 << 31
++
+ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+ {
+@@ -103,6 +107,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+
+ case 204:
+ info->seconds = atoi(optarg);
++ *flags |= XT_RECENT_SECONDS;
+ break;
+
+ case 205:
+@@ -138,6 +143,11 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+ info->side = XT_RECENT_DEST;
+ break;
+
++ case 211:
++ info->check_set |= XT_RECENT_REAP;
++ *flags |= XT_RECENT_REAP;
++ break;
++
+ default:
+ return 0;
+ }
+@@ -156,6 +166,12 @@ static void recent_check(unsigned int flags)
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: --rttl may only be used with --rcheck or "
+ "--update");
++ if ((flags & XT_RECENT_REAP) &&
++ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
++ (!(flags & XT_RECENT_SECONDS))))
++ xtables_error(PARAMETER_PROBLEM,
++ "recent: --reap may only be used with --rcheck or "
++ "--update and --seconds");
+ }
+
+ static void recent_print(const void *ip, const struct xt_entry_match *match,
+@@ -185,6 +201,8 @@
+ printf("side: source ");
+ if (info->side == XT_RECENT_DEST)
+ printf("side: dest ");
++ if (info->check_set & XT_RECENT_REAP)
++ printf("reap ");
+ }
+
+ static void recent_save(const void *ip, const struct xt_entry_match *match)
+@@ -210,6 +228,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match)
+ printf("--rsource ");
+ if (info->side == XT_RECENT_DEST)
+ printf("--rdest ");
++ if (info->check_set & XT_RECENT_REAP)
++ printf("--reap ");
+ }
+
+ static struct xtables_match recent_mt_reg = {
+diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
+index 532c328..26e4fb9 100644
+--- a/extensions/libxt_recent.man
++++ b/extensions/libxt_recent.man
+@@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+ address is in the list and was seen within the last given number of seconds.
+ .TP
++\fB\-\-reap\fP \fIreap\fP
++This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
++will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
++since the last packet was received.
++.TP
+ \fB\-\-hitcount\fP \fIhits\fP
+ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
+index d2c2766..e21acdf 100644
+--- a/include/linux/netfilter/xt_recent.h
++++ b/include/linux/netfilter/xt_recent.h
+@@ -16,6 +17,9 @@ enum {
+ XT_RECENT_NAME_LEN = 200,
+ };
+
++/* Only allowed with --rcheck and --update */
++#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
++
+ struct xt_recent_mtinfo {
+ __u32 seconds;
+ __u32 hit_count;
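Review bot: `#define XT_RECENT_SECONDS 1 << 31`, added in the `@@ -62,6 +64,8 @@` hunk of libxt_recent.c, is an unparenthesized macro whose expansion shifts a signed `int` into its sign bit, which is undefined behaviour in C; define it as `#define XT_RECENT_SECONDS (1U << 31)` so that `*flags |= XT_RECENT_SECONDS` and `!(flags & XT_RECENT_SECONDS)` operate on an unsigned constant instead of relying on `<<` binding tighter than `&` and `|=`. The embedded diffstat still counts 7 insertions for xt_recent.h while the patch carries one 3-line hunk whose header is already offset (`-16,6 +17,9`), so an earlier hunk — presumably the enum entry for XT_RECENT_REAP, which this patch uses but never defines — was dropped; if that is because the iptables 1.4.10 header already provides it, a one-line remark in the patch preamble would keep the next rebaser from reinstating it, and the diffstat should be refreshed. Because `--reap` reaches the kernel as a bit in `info->check_set`, a kernel without reaper support is expected to reject the whole rule at insert time rather than ignore the bit, which silently leaves the ruleset without that rule; that deployment caveat belongs in the help text or package description. The new man page text also reads `older then`; `older than` is meant.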