Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: iptables: Devel

[patch] ipt_recent

  

 
iptables devel RSS feed   Index | Next | Previous | View Threaded


azez at ufomechanic

Feb 20, 2006, 8:12 AM

Post #1 of 7 (683 views)
Permalink
[patch] ipt_recent
This patch fixes the previously mentioned bug in ipt_recent and adds:

--lt n # check less than n items in list
--gt n # checks more than n items in list
--eq n # check exactly n items in list

Which can be prefixed with ! to invert.

These preconditions are checked before any other conditions in
ipt_recent, and their failure will prevent any other actions or checks
from being considered.

Thus it is possible to make decisions based on the size of the
ipt_recent list (number of IP addresses in it).

iptables.recent.patch is the userland patch
ipt_recent.patch is a patch on kernel 2.6.11.7

Sam
Attachments: iptables.recent.patch (4.71 KB)
  ipt_recent.patch (5.60 KB)


kaber at trash

Mar 4, 2006, 2:00 AM

Post #2 of 7 (636 views)
Permalink
Re: [patch] ipt_recent [In reply to]
Amin Azez wrote:
> This patch fixes the previously mentioned bug in ipt_recent and adds:
>
> --lt n # check less than n items in list
> --gt n # checks more than n items in list
> --eq n # check exactly n items in list
>
> Which can be prefixed with ! to invert.
>
> --- include/linux/netfilter_ipv4/ipt_recent.h.nolimit 2006-02-20 10:12:06.000000000 +0000
> +++ include/linux/netfilter_ipv4/ipt_recent.h 2006-02-20 11:30:58.000000000 +0000
> @@ -10,6 +10,11 @@
> #define IPT_RECENT_REMOVE 8
> #define IPT_RECENT_TTL 16
>
> +#define IPT_RECENT_INVERT 1
> +#define IPT_RECENT_LT 2
> +#define IPT_RECENT_GT 4
> +#define IPT_RECENT_EQ (IPT_RECENT_LT | IPT_RECENT_GT)
> +
> #define IPT_RECENT_SOURCE 0
> #define IPT_RECENT_DEST 1
>
> @@ -20,6 +25,8 @@
> u_int32_t hit_count;
> u_int8_t check_set;
> u_int8_t invert;
> + u_int8_t check_count;
> + u_int32_t entry_count;
> char name[IPT_RECENT_NAME_LEN];
> u_int8_t side;
> };

Sorry, we can't do that since it breaks userspace compatibility. But I'm
really glad someone finally has the stomach to touch ipt_recent, I'll
review your other patches now.


azez at ufomechanic

Mar 7, 2006, 7:48 AM

Post #3 of 7 (628 views)
Permalink
Re: [patch] ipt_recent [In reply to]
Patrick McHardy wrote:
> Amin Azez wrote:
>
>>This patch fixes the previously mentioned bug in ipt_recent and adds:
>>
>>--lt n # check less than n items in list
>>--gt n # checks more than n items in list
>>--eq n # check exactly n items in list
>>
>>Which can be prefixed with ! to invert.
>>
>>--- include/linux/netfilter_ipv4/ipt_recent.h.nolimit 2006-02-20 10:12:06.000000000 +0000
>>+++ include/linux/netfilter_ipv4/ipt_recent.h 2006-02-20 11:30:58.000000000 +0000
>>@@ -10,6 +10,11 @@
>> #define IPT_RECENT_REMOVE 8
>> #define IPT_RECENT_TTL 16
>>
>>+#define IPT_RECENT_INVERT 1
>>+#define IPT_RECENT_LT 2
>>+#define IPT_RECENT_GT 4
>>+#define IPT_RECENT_EQ (IPT_RECENT_LT | IPT_RECENT_GT)
>>+
>> #define IPT_RECENT_SOURCE 0
>> #define IPT_RECENT_DEST 1
>>
>>@@ -20,6 +25,8 @@
>> u_int32_t hit_count;
>> u_int8_t check_set;
>> u_int8_t invert;
>>+ u_int8_t check_count;
>>+ u_int32_t entry_count;
>> char name[IPT_RECENT_NAME_LEN];
>> u_int8_t side;
>> };
>
>
> Sorry, we can't do that since it breaks userspace compatibility. But I'm
> really glad someone finally has the stomach to touch ipt_recent, I'll
> review your other patches now.

I've reworked that functionality significantly in a new patch to send
next week. I will see if I can find a way to make use of existing
structures to add the functionality.

I heard tell that ipt_recent needed a maintainer?

Sam


azez at ufomechanic

Mar 7, 2006, 7:48 AM

Post #4 of 7 (630 views)
Permalink
Re: [patch] ipt_recent [In reply to]
Patrick McHardy wrote:
> Amin Azez wrote:
>
>>This patch fixes the previously mentioned bug in ipt_recent and adds:
>>
>>--lt n # check less than n items in list
>>--gt n # checks more than n items in list
>>--eq n # check exactly n items in list
>>
>>Which can be prefixed with ! to invert.
>>
>>--- include/linux/netfilter_ipv4/ipt_recent.h.nolimit 2006-02-20 10:12:06.000000000 +0000
>>+++ include/linux/netfilter_ipv4/ipt_recent.h 2006-02-20 11:30:58.000000000 +0000
>>@@ -10,6 +10,11 @@
>> #define IPT_RECENT_REMOVE 8
>> #define IPT_RECENT_TTL 16
>>
>>+#define IPT_RECENT_INVERT 1
>>+#define IPT_RECENT_LT 2
>>+#define IPT_RECENT_GT 4
>>+#define IPT_RECENT_EQ (IPT_RECENT_LT | IPT_RECENT_GT)
>>+
>> #define IPT_RECENT_SOURCE 0
>> #define IPT_RECENT_DEST 1
>>
>>@@ -20,6 +25,8 @@
>> u_int32_t hit_count;
>> u_int8_t check_set;
>> u_int8_t invert;
>>+ u_int8_t check_count;
>>+ u_int32_t entry_count;
>> char name[IPT_RECENT_NAME_LEN];
>> u_int8_t side;
>> };
>
>
> Sorry, we can't do that since it breaks userspace compatibility. But I'm
> really glad someone finally has the stomach to touch ipt_recent, I'll
> review your other patches now.

I've reworked that functionality significantly in a new patch to send
next week. I will see if I can find a way to make use of existing
structures to add the functionality.

I heard tell that ipt_recent needed a maintainer?

Sam


kaber at trash

Mar 8, 2006, 4:16 AM

Post #5 of 7 (635 views)
Permalink
Re: [patch] ipt_recent [In reply to]
Amin Azez wrote:
> Patrick McHardy wrote:
>
>>> @@ -20,6 +25,8 @@
>>> u_int32_t hit_count;
>>> u_int8_t check_set;
>>> u_int8_t invert;
>>> + u_int8_t check_count;
>>> + u_int32_t entry_count;
>>> char name[IPT_RECENT_NAME_LEN];
>>> u_int8_t side;
>>> };
>>
>>
>>
>> Sorry, we can't do that since it breaks userspace compatibility. But I'm
>> really glad someone finally has the stomach to touch ipt_recent, I'll
>> review your other patches now.
>
>
> I've reworked that functionality significantly in a new patch to send
> next week. I will see if I can find a way to make use of existing
> structures to add the functionality.

Otherwise you can you versioning as in ipt_MARK and a couple of other
targets.

>
> I heard tell that ipt_recent needed a maintainer?

Yes, we need someone familiar with the code to review patches, fix
bugs and clean it up.


azez at ufomechanic

Mar 22, 2006, 4:04 AM

Post #6 of 7 (584 views)
Permalink
Re: [patch] ipt_recent [In reply to]
Patrick McHardy wrote:
...
>
> Otherwise you can you versioning as in ipt_MARK and a couple of other
> targets.

I posted a rework with versioning (although I couldn't see anything in
ipt_MARK to copy) and posted this on 13th March.

I forgot to Cc you then, and so notify you now.

Sam


azez at ufomechanic

Mar 22, 2006, 4:04 AM

Post #7 of 7 (592 views)
Permalink
Re: [patch] ipt_recent [In reply to]
Patrick McHardy wrote:
...
>
> Otherwise you can you versioning as in ipt_MARK and a couple of other
> targets.

I posted a rework with versioning (although I couldn't see anything in
ipt_MARK to copy) and posted this on 13th March.

I forgot to Cc you then, and so notify you now.

Sam

iptables devel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.