* iptables pull request, add XT_RECENT_REAP support
From: Tim Gardner @ 2010-03-17 18:48 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
The following changes since commit 21d1283750d9c4df7ca80165d2b9dc0b9bd214eb:
Jan Engelhardt (1):
iptables: correctly check for too-long chain/target/match names
are available in the git repository at:
git://kernel.ubuntu.com/rtg/iptables xt_recent
Tim Gardner (1):
xt_recent: Added XT_RECENT_REAP logic and man page documentation
extensions/libxt_recent.c | 20 ++++++++++++++++++++
extensions/libxt_recent.man | 5 +++++
include/linux/netfilter/xt_recent.h | 7 +++++++
3 files changed, 32 insertions(+), 0 deletions(-)
>From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
From: Tim Gardner <tim.gardner@canonical.com>
Date: Mon, 1 Mar 2010 19:00:29 -0700
Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
extensions/libxt_recent.c | 20 ++++++++++++++++++++
extensions/libxt_recent.man | 5 +++++
include/linux/netfilter/xt_recent.h | 7 +++++++
3 files changed, 32 insertions(+), 0 deletions(-)
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 4ac32f7..7e3d280 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -19,6 +19,7 @@ static const struct option recent_opts[] = {
{ .name = "name", .has_arg = 1, .val = 208 },
{ .name = "rsource", .has_arg = 0, .val = 209 },
{ .name = "rdest", .has_arg = 0, .val = 210 },
+ { .name = "reap", .has_arg = 0, .val = 211 },
{ .name = NULL }
};
@@ -36,6 +37,7 @@ static void recent_help(void)
" --hitcount hits For check and update commands above.\n"
" Specifies that the match will only occur if source address seen hits times.\n"
" May be used in conjunction with the seconds option.\n"
+" --reap Remove entries that have expired. Can only be used with --seconds\n"
" --rttl For check and update commands above.\n"
" Specifies that the match will only occur if the source address and the TTL\n"
" match between this packet and the one which was set.\n"
@@ -62,6 +64,8 @@ static void recent_init(struct xt_entry_match *match)
(XT_RECENT_SET | XT_RECENT_CHECK | \
XT_RECENT_UPDATE | XT_RECENT_REMOVE)
+#define XT_RECENT_SECONDS 1 << 31
+
static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
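Review bot: `XT_RECENT_SECONDS` is defined as a bare `1 << 31`, which is unparenthesized and shifts a signed `int` into its sign bit; that is undefined behaviour in ISO C, and the macro expands as intended in recent_parse and recent_check only because `<<` binds tighter than the `|=` and `&` around it. Suggest `#define XT_RECENT_SECONDS (1U << 31)`. In the visible hunks the bit is stored in the same `*flags` word as the `XT_RECENT_*` values from xt_recent.h but never in `info->check_set`, so a comment such as `/* parse-time flag only; kept out of info->check_set */` would record why it sits at the top of the word. The body of recent_parse continues outside this hunk.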
@@ -103,6 +107,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
case 204:
info->seconds = atoi(optarg);
+ *flags |= XT_RECENT_SECONDS;
break;
case 205:
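Review bot: The `XT_RECENT_SECONDS` bit is set unconditionally after `atoi(optarg)`, so `--seconds 0`, or a non-numeric argument for which `atoi` returns 0, still satisfies the `--seconds` requirement that recent_check now places on `--reap`. Whether the kernel side rejects `XT_RECENT_REAP` with a zero window is not visible in this patch, so the front end should not rely on it. Setting the bit only for a usable value, `if (info->seconds != 0) *flags |= XT_RECENT_SECONDS;`, leaves plain `--seconds` handling unchanged while making `--reap --seconds 0` fail with the error added in recent_check. The rest of the switch lies outside the hunk.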
@@ -138,6 +143,11 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
info->side = XT_RECENT_DEST;
break;
+ case 211:
+ info->check_set |= XT_RECENT_REAP;
+ *flags |= XT_RECENT_REAP;
+ break;
+
default:
return 0;
}
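Review bot: The new `case 211` never consults `invert`, so a negated `! --reap` appears to be accepted and treated exactly like `--reap`; whether the neighbouring option cases behave the same way cannot be seen from this hunk. Because reaping changes which addresses remain in the list, a rule that silently means something other than what was typed is worth rejecting, e.g. `if (invert) xtables_error(PARAMETER_PROBLEM, "recent: --reap cannot be inverted");` ahead of the two assignments.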
@@ -156,6 +166,12 @@ static void recent_check(unsigned int flags)
xtables_error(PARAMETER_PROBLEM,
"recent: --rttl may only be used with --rcheck or "
"--update");
+ if ((flags & XT_RECENT_REAP) &&
+ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
+ (!(flags & XT_RECENT_SECONDS))))
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: --reap may only be used with --rcheck or "
+ "--update and --seconds");
}
static void recent_print(const void *ip, const struct xt_entry_match *match,
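Review bot: The new error text `--reap may only be used with --rcheck or --update and --seconds` can be read as "--rcheck, or (--update and --seconds)", while the condition above it requires `--seconds` in every case and rejects `--set` and `--remove`. Wording it as `"recent: --reap requires --seconds and may only be used with --rcheck or --update"` matches the check. This validation also lives only in the iptables front end; the matching kernel-side check is not part of this patch and should be confirmed, since rules can reach the kernel without passing through libxt_recent.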
@@ -184,6 +200,8 @@ static void recent_print(const void *ip, const struct xt_entry_match *match,
printf("side: source ");
if (info->side == XT_RECENT_DEST)
printf("side: dest");
+ if (info->check_set & XT_RECENT_REAP)
+ printf("reap ");
}
static void recent_save(const void *ip, const struct xt_entry_match *match)
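Review bot: The added `printf("reap ")` follows `printf("side: dest")`, which has no trailing space, so a rule using `--rdest --reap` is listed as `side: destreap `. Anyone auditing rule listings, by eye or by script, would see a fused token instead of the `reap` keyword. Adding the separator to the preceding context line, `printf("side: dest ");`, keeps the output consistent with the `side: source ` branch. recent_print starts outside the hunk.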
@@ -210,6 +228,8 @@ static void recent_save(const void *ip, const struct xt_entry_match *match)
printf("--rsource ");
if (info->side == XT_RECENT_DEST)
printf("--rdest ");
+ if (info->check_set & XT_RECENT_REAP)
+ printf("--reap ");
}
static struct xtables_match recent_mt_reg = {
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 532c328..26e4fb9 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
+\fB\-\-reap\fP \fIreap\fP
+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
+since the last packet was received.
+.TP
\fB\-\-hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
index d2c2766..e21acdf 100644
--- a/include/linux/netfilter/xt_recent.h
+++ b/include/linux/netfilter/xt_recent.h
@@ -9,6 +9,7 @@ enum {
XT_RECENT_UPDATE = 1 << 2,
XT_RECENT_REMOVE = 1 << 3,
XT_RECENT_TTL = 1 << 4,
+ XT_RECENT_REAP = 1 << 5,
XT_RECENT_SOURCE = 0,
XT_RECENT_DEST = 1,
@@ -16,6 +17,12 @@ enum {
XT_RECENT_NAME_LEN = 200,
};
+/* Only allowed with --rcheck and --update */
+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
+
+#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+ XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+
struct xt_recent_mtinfo {
__u32 seconds;
__u32 hit_count;
--
1.7.0
* Re: iptables pull request, add XT_RECENT_REAP support
From: Eric Dumazet @ 2010-03-17 19:34 UTC (permalink / raw)
To: Tim Gardner; +Cc: kaber, netfilter-devel
Le mercredi 17 mars 2010 à 12:48 -0600, Tim Gardner a écrit :
> diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
> index 532c328..26e4fb9 100644
> --- a/extensions/libxt_recent.man
> +++ b/extensions/libxt_recent.man
> @@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
> address is in the list and was seen within the last given number of seconds.
> .TP
> +\fB\-\-reap\fP \fIreap\fP
> +This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
> +will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
> +since the last packet was received.
> +.TP
> \fB\-\-hitcount\fP \fIhits\fP
> This option must be used in conjunction with one of \fB\-\-rcheck\fP or
> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
Are you sure this "most recent timestamp older then " is correct ? ;)
* Re: iptables pull request, add XT_RECENT_REAP support
From: Tim Gardner @ 2010-03-17 19:44 UTC (permalink / raw)
To: Eric Dumazet; +Cc: kaber, netfilter-devel
On 03/17/2010 01:34 PM, Eric Dumazet wrote:
> Le mercredi 17 mars 2010 à 12:48 -0600, Tim Gardner a écrit :
>> diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
>> index 532c328..26e4fb9 100644
>> --- a/extensions/libxt_recent.man
>> +++ b/extensions/libxt_recent.man
>> @@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
>> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
>> address is in the list and was seen within the last given number of seconds.
>> .TP
>> +\fB\-\-reap\fP \fIreap\fP
>> +This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
>> +will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
>> +since the last packet was received.
>> +.TP
>> \fB\-\-hitcount\fP \fIhits\fP
>> This option must be used in conjunction with one of \fB\-\-rcheck\fP or
>> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
>
> Are you sure this "most recent timestamp older then " is correct ? ;)
>
>
>
That does kind of make my head hurt. Perhaps it is better stated, "When
used, this will remove entries that have not received a packet in the
time specified by --seconds."
rtg
--
Tim Gardner timg@tpi.com www.tpi.com
OR 503-601-0234 x102 MT 406-443-5357
* Re: iptables pull request, add XT_RECENT_REAP support
From: Eric Dumazet @ 2010-03-17 19:50 UTC (permalink / raw)
To: timg; +Cc: kaber, netfilter-devel
Le mercredi 17 mars 2010 à 13:44 -0600, Tim Gardner a écrit :
> On 03/17/2010 01:34 PM, Eric Dumazet wrote:
> > Le mercredi 17 mars 2010 à 12:48 -0600, Tim Gardner a écrit :
> >> diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
> >> index 532c328..26e4fb9 100644
> >> --- a/extensions/libxt_recent.man
> >> +++ b/extensions/libxt_recent.man
> >> @@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
> >> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
> >> address is in the list and was seen within the last given number of seconds.
> >> .TP
> >> +\fB\-\-reap\fP \fIreap\fP
> >> +This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
> >> +will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
> >> +since the last packet was received.
> >> +.TP
> >> \fB\-\-hitcount\fP \fIhits\fP
> >> This option must be used in conjunction with one of \fB\-\-rcheck\fP or
> >> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
> >
> > Are you sure this "most recent timestamp older then " is correct ? ;)
> >
> >
> >
>
> That does kind of make my head hurt. Perhaps it is better stated, "When
> used, this will remove entries that have not received a packet in the
> time specified by --seconds."
>
Well, it will remove the oldest entry, if its age is more than time
specified by --seconds.
ie you wrote "most recent" instead of "least recent" ----> "oldest"
* Re: iptables pull request, add XT_RECENT_REAP support
From: Jan Engelhardt @ 2010-03-17 20:13 UTC (permalink / raw)
To: Tim Gardner; +Cc: kaber, netfilter-devel
On Wednesday 2010-03-17 19:48, Tim Gardner wrote:
>
>@@ -36,6 +37,7 @@ static void recent_help(void)
> " --hitcount hits For check and update commands above.\n"
> " Specifies that the match will only occur if source address seen hits times.\n"
> " May be used in conjunction with the seconds option.\n"
>+" --reap Remove entries that have expired. Can only be used with --seconds\n"
What's going to happen if you mix a "--reap --seconds 60" rule with
"--reap --seconds 3600" rule?
>+/* Only allowed with --rcheck and --update */
>+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
>+
>+#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
>+ XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
>+
Since these two are only used on the kernel side, it would have made
sense to put them into xt_recent.c only.
* Re: iptables pull request, add XT_RECENT_REAP support
From: Jan Engelhardt @ 2010-03-17 20:14 UTC (permalink / raw)
To: Tim Gardner; +Cc: kaber, netfilter-devel
On Wednesday 2010-03-17 19:48, Tim Gardner wrote:
>@@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
> address is in the list and was seen within the last given number of seconds.
> .TP
>+\fB\-\-reap\fP \fIreap\fP
>+This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
>+will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
>+since the last packet was received.
>+.TP
--reap does not take any argument.
Also, this option does not need to be used (!must be), it's optional.
* Re: iptables pull request, add XT_RECENT_REAP support
From: Tim Gardner @ 2010-03-17 20:21 UTC (permalink / raw)
To: Eric Dumazet; +Cc: kaber, netfilter-devel
On 03/17/2010 01:50 PM, Eric Dumazet wrote:
> Le mercredi 17 mars 2010 à 13:44 -0600, Tim Gardner a écrit :
>> On 03/17/2010 01:34 PM, Eric Dumazet wrote:
>>> Le mercredi 17 mars 2010 à 12:48 -0600, Tim Gardner a écrit :
>>>> diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
>>>> index 532c328..26e4fb9 100644
>>>> --- a/extensions/libxt_recent.man
>>>> +++ b/extensions/libxt_recent.man
>>>> @@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
>>>> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
>>>> address is in the list and was seen within the last given number of seconds.
>>>> .TP
>>>> +\fB\-\-reap\fP \fIreap\fP
>>>> +This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
>>>> +will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
>>>> +since the last packet was received.
>>>> +.TP
>>>> \fB\-\-hitcount\fP \fIhits\fP
>>>> This option must be used in conjunction with one of \fB\-\-rcheck\fP or
>>>> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
>>>
>>> Are you sure this "most recent timestamp older then " is correct ? ;)
>>>
>>>
>>>
>>
>> That does kind of make my head hurt. Perhaps it is better stated, "When
>> used, this will remove entries that have not received a packet in the
>> time specified by --seconds."
>>
>
> Well, it will remove the oldest entry, if its age is more than time
> specifed by --seconds.
>
> ie you wrote "most recent" instead of "least recent" ----> "oldest"
>
>
>
Which is probably why my head hurt. Do you agree that the second version
is clearer?
rtg
--
Tim Gardner timg@tpi.com www.tpi.com
OR 503-601-0234 x102 MT 406-443-5357
* Re: iptables pull request, add XT_RECENT_REAP support
From: Tim Gardner @ 2010-03-17 20:26 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: kaber, netfilter-devel
On 03/17/2010 02:13 PM, Jan Engelhardt wrote:
>
> On Wednesday 2010-03-17 19:48, Tim Gardner wrote:
>>
>> @@ -36,6 +37,7 @@ static void recent_help(void)
>> " --hitcount hits For check and update commands above.\n"
>> " Specifies that the match will only occur if source address seen hits times.\n"
>> " May be used in conjunction with the seconds option.\n"
>> +" --reap Remove entries that have expired. Can only be used with --seconds\n"
>
> What's going to happen if you mix a "--reap --seconds 60" rule with
> "--reap --seconds 3600" rule?
>
If both rules are operating on the same '--name', then I would expect
the rule that is invoked to reap according to the '--seconds' specified
in that rule.
Mixing rules like this on the same table doesn't seem like a likely
scenario to me.
>> +/* Only allowed with --rcheck and --update */
>> +#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
>> +
>> +#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
>> + XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
>> +
>
> Since these two are only used on the kernel side, it would have made
> sense to put them into xt_recent.c only.
>
rtg
--
Tim Gardner timg@tpi.com www.tpi.com
OR 503-601-0234 x102 MT 406-443-5357
* Re: iptables pull request, add XT_RECENT_REAP support
From: Tim Gardner @ 2010-03-17 20:29 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: kaber, netfilter-devel
On 03/17/2010 02:14 PM, Jan Engelhardt wrote:
>
> On Wednesday 2010-03-17 19:48, Tim Gardner wrote:
>> @@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
>> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
>> address is in the list and was seen within the last given number of seconds.
>> .TP
>> +\fB\-\-reap\fP \fIreap\fP
>> +This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
>> +will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
>> +since the last packet was received.
>> +.TP
>
> --reap does not take any argument.
>
> Also, this option does not need to be used (!must be), it's optional.
>
You're correct. Looks like a copy/paste error. I'll fix it and push a
new patch.
rtg
--
Tim Gardner timg@tpi.com www.tpi.com
OR 503-601-0234 x102 MT 406-443-5357
* Re: iptables pull request, add XT_RECENT_REAP support
From: Tim Gardner @ 2010-03-17 20:40 UTC (permalink / raw)
To: Eric Dumazet, Jan Engelhardt; +Cc: kaber, netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 1195 bytes --]
On 03/17/2010 01:34 PM, Eric Dumazet wrote:
> Le mercredi 17 mars 2010 à 12:48 -0600, Tim Gardner a écrit :
>> diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
>> index 532c328..26e4fb9 100644
>> --- a/extensions/libxt_recent.man
>> +++ b/extensions/libxt_recent.man
>> @@ -41,6 +41,11 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
>> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
>> address is in the list and was seen within the last given number of seconds.
>> .TP
>> +\fB\-\-reap\fP \fIreap\fP
>> +This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
>> +will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
>> +since the last packet was received.
>> +.TP
>> \fB\-\-hitcount\fP \fIhits\fP
>> This option must be used in conjunction with one of \fB\-\-rcheck\fP or
>> \fB\-\-update\fP. When used, this will narrow the match to only happen when the
>
> Are you sure this "most recent timestamp older then " is correct ? ;)
>
>
>
How about this (attached):
rtg
--
Tim Gardner timg@tpi.com www.tpi.com
OR 503-601-0234 x102 MT 406-443-5357
[-- Attachment #2: 0001-xt_recent-Simplified-and-corrected-some-man-page-ver.patch --]
[-- Type: text/x-diff, Size: 1369 bytes --]
>From e89de2a97d4336795503bb3406ba494338a06292 Mon Sep 17 00:00:00 2001
From: Tim Gardner <tim.gardner@canonical.com>
Date: Wed, 17 Mar 2010 14:36:17 -0600
Subject: [PATCH] xt_recent: Simplified and corrected some man page verbage about --reap
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
extensions/libxt_recent.man | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 26e4fb9..342c383 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -41,10 +41,10 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
\fB\-\-update\fP. When used, this will narrow the match to only happen when the
address is in the list and was seen within the last given number of seconds.
.TP
-\fB\-\-reap\fP \fIreap\fP
-This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
-will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
-since the last packet was received.
+\fB\-\-reap\fP
+This option may be used in conjunction with \fB\-\-seconds\fP. When used, this
+will remove entries that have not received a packet within the time specified by
+\fB\-\-seconds\fP.
.TP
\fB\-\-hitcount\fP \fIhits\fP
This option must be used in conjunction with one of \fB\-\-rcheck\fP or
--
1.7.0
* Re: iptables pull request, add XT_RECENT_REAP support
From: Patrick McHardy @ 2010-03-18 13:05 UTC (permalink / raw)
To: timg; +Cc: Eric Dumazet, Jan Engelhardt, netfilter-devel
Tim Gardner wrote:
> On 03/17/2010 01:34 PM, Eric Dumazet wrote:
>> Le mercredi 17 mars 2010 à 12:48 -0600, Tim Gardner a écrit :
>>> diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
>>> index 532c328..26e4fb9 100644
>>> --- a/extensions/libxt_recent.man
>>> +++ b/extensions/libxt_recent.man
>>> @@ -41,6 +41,11 @@ This option must be used in conjunction with one
>>> of \fB\-\-rcheck\fP or
>>> \fB\-\-update\fP. When used, this will narrow the match to only
>>> happen when the
>>> address is in the list and was seen within the last given number of
>>> seconds.
>>> .TP
>>> +\fB\-\-reap\fP \fIreap\fP
>>> +This option must be used in conjunction with \fB\-\-seconds\fP. When
>>> used, this
>>> +will remove entries with the most recent timestamp older then
>>> \fB\-\-seconds\fP
>>> +since the last packet was received.
>>> +.TP
>>> \fB\-\-hitcount\fP \fIhits\fP
>>> This option must be used in conjunction with one of
>>> \fB\-\-rcheck\fP or
>>> \fB\-\-update\fP. When used, this will narrow the match to only
>>> happen when the
>>
>> Are you sure this "most recent timestamp older then " is correct ? ;)
>>
>>
>>
>
> How about this (attached):
Looks fine to me. Any further objections?