From af1660fe0e88cd9f1c770864e1c643718cb2cc62 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Wed, 22 Oct 2008 18:53:39 +0200
Subject: Move libipt_recent to libxt_recent
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
---
 extensions/libipt_recent.c | 232 -----------------------------
 extensions/libipt_recent.man | 100 -------------
 extensions/libxt_recent.c | 233 ++++++++++++++++++++++++++++++
 extensions/libxt_recent.man | 100 +++++++++++++
 include/linux/netfilter/xt_recent.h | 26 ++++
 include/linux/netfilter_ipv4/ipt_recent.h | 27 ----
 6 files changed, 359 insertions(+), 359 deletions(-)
 delete mode 100644 extensions/libipt_recent.c
 delete mode 100644 extensions/libipt_recent.man
 create mode 100644 extensions/libxt_recent.c
 create mode 100644 extensions/libxt_recent.man
 create mode 100644 include/linux/netfilter/xt_recent.h
 delete mode 100644 include/linux/netfilter_ipv4/ipt_recent.h
diff --git a/extensions/libipt_recent.c b/extensions/libipt_recent.c
deleted file mode 100644
index 7281fe5f..00000000
--- a/extensions/libipt_recent.c
+++ /dev/null
@@ -1,232 +0,0 @@ -/* Shared library add-on to iptables to add recent matching support. */ -#include -#include -#include -#include -#include - -#include -#include - -/* Need these in order to not fail when compiling against an older kernel. */ -#ifndef RECENT_NAME -#define RECENT_NAME "ipt_recent" -#endif /* RECENT_NAME */ - -#ifndef RECENT_VER -#define RECENT_VER "unknown" -#endif /* RECENT_VER */ - -#ifndef IPT_RECENT_NAME_LEN -#define IPT_RECENT_NAME_LEN 200 -#endif /* IPT_RECENT_NAME_LEN */ - -static const struct option recent_opts[] = { - { .name = "set", .has_arg = 0, .val = 201 }, - { .name = "rcheck", .has_arg = 0, .val = 202 }, - { .name = "update", .has_arg = 0, .val = 203 }, - { .name = "seconds", .has_arg = 1, .val = 204 }, - { .name = "hitcount", .has_arg = 1, .val = 205 }, - { .name = "remove", .has_arg = 0, .val = 206 }, - { .name = "rttl", .has_arg = 0, .val = 207 }, - { .name = "name", .has_arg = 1, .val = 208 }, - { .name = "rsource", .has_arg = 0, .val = 209 }, - { .name = "rdest", .has_arg = 0, .val = 210 }, - { .name = NULL } -}; - -static void recent_help(void) -{ - printf( -"recent match options:\n" -"[!] --set Add source address to list, always matches.\n" -"[!] --rcheck Match if source address in list.\n" -"[!] --update Match if source address in list, also update last-seen time.\n" -"[!] 
--remove Match if source address in list, also removes that address from list.\n" -" --seconds seconds For check and update commands above.\n" -" Specifies that the match will only occur if source address last seen within\n" -" the last 'seconds' seconds.\n" -" --hitcount hits For check and update commands above.\n" -" Specifies that the match will only occur if source address seen hits times.\n" -" May be used in conjunction with the seconds option.\n" -" --rttl For check and update commands above.\n" -" Specifies that the match will only occur if the source address and the TTL\n" -" match between this packet and the one which was set.\n" -" Useful if you have problems with people spoofing their source address in order\n" -" to DoS you via this module.\n" -" --name name Name of the recent list to be used. DEFAULT used if none given.\n" -" --rsource Match/Save the source address of each packet in the recent list table (default).\n" -" --rdest Match/Save the destination address of each packet in the recent list table.\n" -RECENT_NAME " " RECENT_VER ": Stephen Frost . 
http://snowman.net/projects/ipt_recent/\n"); -} - -static void recent_init(struct xt_entry_match *match) -{ - struct ipt_recent_info *info = (struct ipt_recent_info *)(match)->data; - - - strncpy(info->name,"DEFAULT",IPT_RECENT_NAME_LEN); - /* eventhough IPT_RECENT_NAME_LEN is currently defined as 200, - * better be safe, than sorry */ - info->name[IPT_RECENT_NAME_LEN-1] = '\0'; - info->side = IPT_RECENT_SOURCE; -} - -#define RECENT_CMDS \ - (IPT_RECENT_SET | IPT_RECENT_CHECK | \ - IPT_RECENT_UPDATE | IPT_RECENT_REMOVE) - -static int recent_parse(int c, char **argv, int invert, unsigned int *flags, - const void *entry, struct xt_entry_match **match) -{ - struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data; - switch (c) { - case 201: - if (*flags & RECENT_CMDS) - exit_error(PARAMETER_PROBLEM, - "recent: only one of `--set', `--rcheck' " - "`--update' or `--remove' may be set"); - check_inverse(optarg, &invert, &optind, 0); - info->check_set |= IPT_RECENT_SET; - if (invert) info->invert = 1; - *flags |= IPT_RECENT_SET; - break; - - case 202: - if (*flags & RECENT_CMDS) - exit_error(PARAMETER_PROBLEM, - "recent: only one of `--set', `--rcheck' " - "`--update' or `--remove' may be set"); - check_inverse(optarg, &invert, &optind, 0); - info->check_set |= IPT_RECENT_CHECK; - if(invert) info->invert = 1; - *flags |= IPT_RECENT_CHECK; - break; - - case 203: - if (*flags & RECENT_CMDS) - exit_error(PARAMETER_PROBLEM, - "recent: only one of `--set', `--rcheck' " - "`--update' or `--remove' may be set"); - check_inverse(optarg, &invert, &optind, 0); - info->check_set |= IPT_RECENT_UPDATE; - if (invert) info->invert = 1; - *flags |= IPT_RECENT_UPDATE; - break; - - case 206: - if (*flags & RECENT_CMDS) - exit_error(PARAMETER_PROBLEM, - "recent: only one of `--set', `--rcheck' " - "`--update' or `--remove' may be set"); - check_inverse(optarg, &invert, &optind, 0); - info->check_set |= IPT_RECENT_REMOVE; - if (invert) info->invert = 1; - *flags |= 
IPT_RECENT_REMOVE; - break; - - case 204: - info->seconds = atoi(optarg); - break; - - case 205: - info->hit_count = atoi(optarg); - break; - - case 207: - info->check_set |= IPT_RECENT_TTL; - *flags |= IPT_RECENT_TTL; - break; - - case 208: - strncpy(info->name,optarg,IPT_RECENT_NAME_LEN); - info->name[IPT_RECENT_NAME_LEN-1] = '\0'; - break; - - case 209: - info->side = IPT_RECENT_SOURCE; - break; - - case 210: - info->side = IPT_RECENT_DEST; - break; - - default: - return 0; - } - - return 1; -} - -static void recent_check(unsigned int flags) -{ - if (!(flags & RECENT_CMDS)) - exit_error(PARAMETER_PROBLEM, - "recent: you must specify one of `--set', `--rcheck' " - "`--update' or `--remove'"); - if ((flags & IPT_RECENT_TTL) && - (flags & (IPT_RECENT_SET | IPT_RECENT_REMOVE))) - exit_error(PARAMETER_PROBLEM, - "recent: --rttl may only be used with --rcheck or " - "--update"); -} - -static void recent_print(const void *ip, const struct xt_entry_match *match, - int numeric) -{ - struct ipt_recent_info *info = (struct ipt_recent_info *)match->data; - - if (info->invert) - fputc('!', stdout); - - printf("recent: "); - if(info->check_set & IPT_RECENT_SET) printf("SET "); - if(info->check_set & IPT_RECENT_CHECK) printf("CHECK "); - if(info->check_set & IPT_RECENT_UPDATE) printf("UPDATE "); - if(info->check_set & IPT_RECENT_REMOVE) printf("REMOVE "); - if(info->seconds) printf("seconds: %d ",info->seconds); - if(info->hit_count) printf("hit_count: %d ",info->hit_count); - if(info->check_set & IPT_RECENT_TTL) printf("TTL-Match "); - if(info->name) printf("name: %s ",info->name); - if(info->side == IPT_RECENT_SOURCE) printf("side: source "); - if(info->side == IPT_RECENT_DEST) printf("side: dest"); -} - -static void recent_save(const void *ip, const struct xt_entry_match *match) -{ - struct ipt_recent_info *info = (struct ipt_recent_info *)match->data; - - if (info->invert) - printf("! 
"); - - if(info->check_set & IPT_RECENT_SET) printf("--set "); - if(info->check_set & IPT_RECENT_CHECK) printf("--rcheck "); - if(info->check_set & IPT_RECENT_UPDATE) printf("--update "); - if(info->check_set & IPT_RECENT_REMOVE) printf("--remove "); - if(info->seconds) printf("--seconds %d ",info->seconds); - if(info->hit_count) printf("--hitcount %d ",info->hit_count); - if(info->check_set & IPT_RECENT_TTL) printf("--rttl "); - if(info->name) printf("--name %s ",info->name); - if(info->side == IPT_RECENT_SOURCE) printf("--rsource "); - if(info->side == IPT_RECENT_DEST) printf("--rdest "); -} - -static struct xtables_match recent_mt_reg = { - .name = "recent", - .version = XTABLES_VERSION, - .family = PF_INET, - .size = XT_ALIGN(sizeof(struct ipt_recent_info)), - .userspacesize = XT_ALIGN(sizeof(struct ipt_recent_info)), - .help = recent_help, - .init = recent_init, - .parse = recent_parse, - .final_check = recent_check, - .print = recent_print, - .save = recent_save, - .extra_opts = recent_opts, -}; - -void _init(void) -{ - xtables_register_match(&recent_mt_reg); -} diff --git a/extensions/libipt_recent.man b/extensions/libipt_recent.man deleted file mode 100644 index d5bdaa0b..00000000 --- a/extensions/libipt_recent.man +++ /dev/null 
@@ -1,100 +0,0 @@ -Allows you to dynamically create a list of IP addresses and then match -against that list in a few different ways. - -For example, you can create a `badguy' list out of people attempting -to connect to port 139 on your firewall and then DROP all future -packets from them without considering them. -.TP -.BI "--name " "name" -Specify the list to use for the commands. If no name is given then 'DEFAULT' -will be used. -.TP -[\fB!\fR] \fB--set\fR -This will add the source address of the packet to the list. If the -source address is already in the list, this will update the existing -entry. This will always return success (or failure if `!' is passed -in). -.TP -\fB--rsource\fP -Match/save the source address of each packet in the recent list table. This -is the default. -.TP -\fB--rdest\fP -Match/save the destination address of each packet in the recent list table. -.TP -[\fB!\fR] \fB--rcheck\fR -Check if the source address of the packet is currently in -the list. -.TP -[\fB!\fR] \fB--update\fR -Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it -matches. -.TP -[\fB!\fR] \fB--remove\fR -Check if the source address of the packet is currently in the list and -if so that address will be removed from the list and the rule will -return true. If the address is not found, false is returned. -.TP -[\fB!\fR] \fB--seconds \fIseconds\fR -This option must be used in conjunction with one of \fB--rcheck\fR or -\fB--update\fR. When used, this will narrow the match to only happen -when the address is in the list and was seen within the last given -number of seconds. -.TP -[\fB!\fR] \fB--hitcount \fIhits\fR -This option must be used in conjunction with one of \fB--rcheck\fR or -\fB--update\fR. When used, this will narrow the match to only happen -when the address is in the list and packets had been received greater -than or equal to the given value. 
This option may be used along with -\fB--seconds\fR to create an even narrower match requiring a certain -number of hits within a specific time frame. -.TP -\fB--rttl\fR -This option may only be used in conjunction with one of \fB--rcheck\fR or -\fB--update\fR. When used, this will narrow the match to only happen -when the address is in the list and the TTL of the current packet -matches that of the packet which hit the \fB--set\fR rule. This may be -useful if you have problems with people faking their source address in -order to DoS you via this module by disallowing others access to your -site by sending bogus packets to you. -.P -Examples: -.IP -# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP - -# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP -.P -Official website (http://snowman.net/projects/ipt_recent/) also has -some examples of usage. - -/proc/net/ipt_recent/* are the current lists of addresses and information -about each entry of each list. - -Each file in /proc/net/ipt_recent/ can be read from to see the current list -or written two using the following commands to modify the list: -.TP -echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT -to Add to the DEFAULT list -.TP -echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT -to Remove from the DEFAULT list -.TP -echo clear > /proc/net/ipt_recent/DEFAULT -to empty the DEFAULT list. -.P -The module itself accepts parameters, defaults shown: -.TP -.BI "ip_list_tot=" "100" -Number of addresses remembered per table -.TP -.BI "ip_pkt_list_tot=" "20" -Number of packets per address remembered -.TP -.BI "ip_list_hash_size=" "0" -Hash table size. 0 means to calculate it based on ip_list_tot, default: 512 -.TP -.BI "ip_list_perms=" "0644" -Permissions for /proc/net/ipt_recent/* files -.TP -.BI "debug=" "0" -Set to 1 to get lots of debugging info diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c new file mode 100644 index 00000000..028c5634 
--- /dev/null
+++ b/extensions/libxt_recent.c
@@ -0,0 +1,233 @@ +/* Shared library add-on to iptables to add recent matching support. */ +#include +#include +#include +#include +#include + +#include +#include + +static const struct option recent_opts[] = { + { .name = "set", .has_arg = 0, .val = 201 }, + { .name = "rcheck", .has_arg = 0, .val = 202 }, + { .name = "update", .has_arg = 0, .val = 203 }, + { .name = "seconds", .has_arg = 1, .val = 204 }, + { .name = "hitcount", .has_arg = 1, .val = 205 }, + { .name = "remove", .has_arg = 0, .val = 206 }, + { .name = "rttl", .has_arg = 0, .val = 207 }, + { .name = "name", .has_arg = 1, .val = 208 }, + { .name = "rsource", .has_arg = 0, .val = 209 }, + { .name = "rdest", .has_arg = 0, .val = 210 }, + { .name = NULL } +}; + +static void recent_help(void) +{ + printf( +"recent match options:\n" +"[!] --set Add source address to list, always matches.\n" +"[!] --rcheck Match if source address in list.\n" +"[!] --update Match if source address in list, also update last-seen time.\n" +"[!] --remove Match if source address in list, also removes that address from list.\n" +" --seconds seconds For check and update commands above.\n" +" Specifies that the match will only occur if source address last seen within\n" +" the last 'seconds' seconds.\n" +" --hitcount hits For check and update commands above.\n" +" Specifies that the match will only occur if source address seen hits times.\n" +" May be used in conjunction with the seconds option.\n" +" --rttl For check and update commands above.\n" +" Specifies that the match will only occur if the source address and the TTL\n" +" match between this packet and the one which was set.\n" +" Useful if you have problems with people spoofing their source address in order\n" +" to DoS you via this module.\n" +" --name name Name of the recent list to be used. 
DEFAULT used if none given.\n" +" --rsource Match/Save the source address of each packet in the recent list table (default).\n" +" --rdest Match/Save the destination address of each packet in the recent list table.\n" +"xt_recent by: Stephen Frost . http://snowman.net/projects/ipt_recent/\n"); +} + +static void recent_init(struct xt_entry_match *match) +{ + struct xt_recent_mtinfo *info = (void *)(match)->data; + + strncpy(info->name,"DEFAULT", XT_RECENT_NAME_LEN); + /* even though XT_RECENT_NAME_LEN is currently defined as 200, + * better be safe, than sorry */ + info->name[XT_RECENT_NAME_LEN-1] = '\0'; + info->side = XT_RECENT_SOURCE; +} + +#define RECENT_CMDS \ + (XT_RECENT_SET | XT_RECENT_CHECK | \ + XT_RECENT_UPDATE | XT_RECENT_REMOVE) + +static int recent_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_recent_mtinfo *info = (void *)(*match)->data; + + switch (c) { + case 201: + if (*flags & RECENT_CMDS) + exit_error(PARAMETER_PROBLEM, + "recent: only one of `--set', `--rcheck' " + "`--update' or `--remove' may be set"); + check_inverse(optarg, &invert, &optind, 0); + info->check_set |= XT_RECENT_SET; + if (invert) info->invert = 1; + *flags |= XT_RECENT_SET; + break; + + case 202: + if (*flags & RECENT_CMDS) + exit_error(PARAMETER_PROBLEM, + "recent: only one of `--set', `--rcheck' " + "`--update' or `--remove' may be set"); + check_inverse(optarg, &invert, &optind, 0); + info->check_set |= XT_RECENT_CHECK; + if(invert) info->invert = 1; + *flags |= XT_RECENT_CHECK; + break; + + case 203: + if (*flags & RECENT_CMDS) + exit_error(PARAMETER_PROBLEM, + "recent: only one of `--set', `--rcheck' " + "`--update' or `--remove' may be set"); + check_inverse(optarg, &invert, &optind, 0); + info->check_set |= XT_RECENT_UPDATE; + if (invert) info->invert = 1; + *flags |= XT_RECENT_UPDATE; + break; + + case 206: + if (*flags & RECENT_CMDS) + exit_error(PARAMETER_PROBLEM, + "recent: only one of 
`--set', `--rcheck' " + "`--update' or `--remove' may be set"); + check_inverse(optarg, &invert, &optind, 0); + info->check_set |= XT_RECENT_REMOVE; + if (invert) info->invert = 1; + *flags |= XT_RECENT_REMOVE; + break; + + case 204: + info->seconds = atoi(optarg); + break; + + case 205: + info->hit_count = atoi(optarg); + break; + + case 207: + info->check_set |= XT_RECENT_TTL; + *flags |= XT_RECENT_TTL; + break; + + case 208: + strncpy(info->name,optarg, XT_RECENT_NAME_LEN); + info->name[XT_RECENT_NAME_LEN-1] = '\0'; + break; + + case 209: + info->side = XT_RECENT_SOURCE; + break; + + case 210: + info->side = XT_RECENT_DEST; + break; + + default: + return 0; + } + + return 1; +} + +static void recent_check(unsigned int flags) +{ + if (!(flags & RECENT_CMDS)) + exit_error(PARAMETER_PROBLEM, + "recent: you must specify one of `--set', `--rcheck' " + "`--update' or `--remove'"); + if ((flags & XT_RECENT_TTL) && + (flags & (XT_RECENT_SET | XT_RECENT_REMOVE))) + exit_error(PARAMETER_PROBLEM, + "recent: --rttl may only be used with --rcheck or " + "--update"); +} + +static void recent_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct xt_recent_mtinfo *info = (const void *)match->data; + + if (info->invert) + fputc('!', stdout); + + printf("recent: "); + if (info->check_set & XT_RECENT_SET) + printf("SET "); + if (info->check_set & XT_RECENT_CHECK) + printf("CHECK "); + if (info->check_set & XT_RECENT_UPDATE) + printf("UPDATE "); + if (info->check_set & XT_RECENT_REMOVE) + printf("REMOVE "); + if(info->seconds) printf("seconds: %d ",info->seconds); + if(info->hit_count) printf("hit_count: %d ",info->hit_count); + if (info->check_set & XT_RECENT_TTL) + printf("TTL-Match "); + if(info->name) printf("name: %s ",info->name); + if (info->side == XT_RECENT_SOURCE) + printf("side: source "); + if (info->side == XT_RECENT_DEST) + printf("side: dest"); +} + +static void recent_save(const void *ip, const struct xt_entry_match *match) +{ + 
const struct xt_recent_mtinfo *info = (const void *)match->data;
+
+ if (info->invert)
+ printf("! ");
+
+ if (info->check_set & XT_RECENT_SET)
+ printf("--set ");
+ if (info->check_set & XT_RECENT_CHECK)
+ printf("--rcheck ");
+ if (info->check_set & XT_RECENT_UPDATE)
+ printf("--update ");
+ if (info->check_set & XT_RECENT_REMOVE)
+ printf("--remove ");
+ if(info->seconds) printf("--seconds %d ",info->seconds);
+ if(info->hit_count) printf("--hitcount %d ",info->hit_count);
+ if (info->check_set & XT_RECENT_TTL)
+ printf("--rttl ");
+ if(info->name) printf("--name %s ",info->name);
+ if (info->side == XT_RECENT_SOURCE)
+ printf("--rsource ");
+ if (info->side == XT_RECENT_DEST)
+ printf("--rdest ");
+}
+
+static struct xtables_match recent_mt_reg = {
+ .name = "recent",
+ .version = XTABLES_VERSION,
+ .family = PF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_recent_mtinfo)),
+ .help = recent_help,
+ .init = recent_init,
+ .parse = recent_parse,
+ .final_check = recent_check,
+ .print = recent_print,
+ .save = recent_save,
+ .extra_opts = recent_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&recent_mt_reg);
+}
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
new file mode 100644
index 00000000..f36457c9
--- /dev/null
+++ b/extensions/libxt_recent.man
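Review bot: `--seconds` and `--hitcount` (cases 204 and 205 of recent_parse) still go through `atoi(optarg)` with no validation, so a non-numeric or negative argument is silently stored into the `u_int32_t` `seconds`/`hit_count` fields declared in the new xt_recent.h (`--seconds -1` becomes 4294967295) instead of being rejected at rule-load time. Since this is a fresh file rather than a byte-for-byte move, it is a good moment to convert with `strtoul`, check `endptr`, `*endptr == '\0'` and `ERANGE` (or whatever numeric helper libxtables offers in this tree), and call `exit_error(PARAMETER_PROBLEM, ...)` on failure. Case 208 has a related gap: `strncpy` plus manual NUL-termination silently truncates a `--name` of 200 or more characters, and because the name selects the list (and, per the man page, its /proc entry), two rules intended for different lists could end up sharing one; `if (strlen(optarg) >= XT_RECENT_NAME_LEN) exit_error(PARAMETER_PROBLEM, "recent: --name is too long");` before the copy would turn that into an error. Minor: `if(info->name)` in recent_print and recent_save tests the address of an array member and is always true, so it should either go or become `if (info->name[0])`.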
@@ -0,0 +1,100 @@ +Allows you to dynamically create a list of IP addresses and then match +against that list in a few different ways. + +For example, you can create a `badguy' list out of people attempting +to connect to port 139 on your firewall and then DROP all future +packets from them without considering them. +.TP +.BI "--name " "name" +Specify the list to use for the commands. If no name is given then 'DEFAULT' +will be used. +.TP +[\fB!\fR] \fB--set\fR +This will add the source address of the packet to the list. If the +source address is already in the list, this will update the existing +entry. This will always return success (or failure if `!' is passed +in). +.TP +\fB--rsource\fP +Match/save the source address of each packet in the recent list table. This +is the default. +.TP +\fB--rdest\fP +Match/save the destination address of each packet in the recent list table. +.TP +[\fB!\fR] \fB--rcheck\fR +Check if the source address of the packet is currently in +the list. +.TP +[\fB!\fR] \fB--update\fR +Like \fB--rcheck\fR, except it will update the "last seen" timestamp if it +matches. +.TP +[\fB!\fR] \fB--remove\fR +Check if the source address of the packet is currently in the list and +if so that address will be removed from the list and the rule will +return true. If the address is not found, false is returned. +.TP +[\fB!\fR] \fB--seconds \fIseconds\fR +This option must be used in conjunction with one of \fB--rcheck\fR or +\fB--update\fR. When used, this will narrow the match to only happen +when the address is in the list and was seen within the last given +number of seconds. +.TP +[\fB!\fR] \fB--hitcount \fIhits\fR +This option must be used in conjunction with one of \fB--rcheck\fR or +\fB--update\fR. When used, this will narrow the match to only happen +when the address is in the list and packets had been received greater +than or equal to the given value. 
This option may be used along with +\fB--seconds\fR to create an even narrower match requiring a certain +number of hits within a specific time frame. +.TP +\fB--rttl\fR +This option may only be used in conjunction with one of \fB--rcheck\fR or +\fB--update\fR. When used, this will narrow the match to only happen +when the address is in the list and the TTL of the current packet +matches that of the packet which hit the \fB--set\fR rule. This may be +useful if you have problems with people faking their source address in +order to DoS you via this module by disallowing others access to your +site by sending bogus packets to you. +.P +Examples: +.IP +# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP + +# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP +.P +Official website (http://snowman.net/projects/ipt_recent/) also has +some examples of usage. + +/proc/net/ipt_recent/* are the current lists of addresses and information +about each entry of each list. + +Each file in /proc/net/ipt_recent/ can be read from to see the current list +or written two using the following commands to modify the list: +.TP +echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT +to Add to the DEFAULT list +.TP +echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT +to Remove from the DEFAULT list +.TP +echo clear > /proc/net/ipt_recent/DEFAULT +to empty the DEFAULT list. +.P +The module itself accepts parameters, defaults shown: +.TP +.BI "ip_list_tot=" "100" +Number of addresses remembered per table +.TP +.BI "ip_pkt_list_tot=" "20" +Number of packets per address remembered +.TP +.BI "ip_list_hash_size=" "0" +Hash table size. 0 means to calculate it based on ip_list_tot, default: 512 +.TP +.BI "ip_list_perms=" "0644" +Permissions for /proc/net/ipt_recent/* files +.TP +.BI "debug=" "0" +Set to 1 to get lots of debugging info 
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
new file mode 100644
index 00000000..5cfeb81c
--- /dev/null
+++ b/include/linux/netfilter/xt_recent.h
@@ -0,0 +1,26 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+enum {
+ XT_RECENT_CHECK = 1 << 0,
+ XT_RECENT_SET = 1 << 1,
+ XT_RECENT_UPDATE = 1 << 2,
+ XT_RECENT_REMOVE = 1 << 3,
+ XT_RECENT_TTL = 1 << 4,
+
+ XT_RECENT_SOURCE = 0,
+ XT_RECENT_DEST = 1,
+
+ XT_RECENT_NAME_LEN = 200,
+};
+
+struct xt_recent_mtinfo {
+ u_int32_t seconds;
+ u_int32_t hit_count;
+ u_int8_t check_set;
+ u_int8_t invert;
+ char name[XT_RECENT_NAME_LEN];
+ u_int8_t side;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */
diff --git a/include/linux/netfilter_ipv4/ipt_recent.h b/include/linux/netfilter_ipv4/ipt_recent.h
deleted file mode 100644
index 6508a459..00000000
--- a/include/linux/netfilter_ipv4/ipt_recent.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef _IPT_RECENT_H
-#define _IPT_RECENT_H
-
-#define RECENT_NAME "ipt_recent"
-#define RECENT_VER "v0.3.1"
-
-#define IPT_RECENT_CHECK 1
-#define IPT_RECENT_SET 2
-#define IPT_RECENT_UPDATE 4
-#define IPT_RECENT_REMOVE 8
-#define IPT_RECENT_TTL 16
-
-#define IPT_RECENT_SOURCE 0
-#define IPT_RECENT_DEST 1
-
-#define IPT_RECENT_NAME_LEN 200
-
-struct ipt_recent_info {
- u_int32_t seconds;
- u_int32_t hit_count;
- u_int8_t check_set;
- u_int8_t invert;
- char name[IPT_RECENT_NAME_LEN];
- u_int8_t side;
-};
-
-#endif /*_IPT_RECENT_H*/
-- 
cgit v1.2.3