* removing black listed ip
@ 2010-04-10 17:03 ratheesh k
  2010-04-10 17:12 ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: ratheesh k @ 2010-04-10 17:03 UTC (permalink / raw)
  To: netfilter

Hi ,

 I need to remove a blacklisted IP if the last seen packet is x time
ago. I have changed the code, but here it is comparing with the first seen
packet time. I need to compare with the last seen packet.

**************************************************************************************************

--- xt_recent.c.old	2010-04-11 03:51:10.000000000 +0530
+++ xt_recent.c	2010-04-11 03:50:06.000000000 +0530
@@ -113,12 +113,13 @@
 	       (ip_list_hash_size - 1);
 }

+static void recent_entry_remove(struct recent_table *, struct recent_entry *);
 static struct recent_entry *
 recent_entry_lookup(const struct recent_table *table,
 		    const union nf_inet_addr *addrp, u_int16_t family,
 		    u_int8_t ttl)
 {
-	struct recent_entry *e;
+	struct recent_entry *e ,*next;
 	unsigned int h;

 	if (family == NFPROTO_IPV4)
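Review bot: the prototype `static void recent_entry_remove(struct recent_table *, struct recent_entry *);` is only needed because the new caller inside recent_entry_lookup() sits above the definition; moving the lookup below recent_entry_remove() avoids it. If the prototype stays, match the file's declaration style on the changed line: `struct recent_entry *e, *next;` rather than `*e ,*next`.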
@@ -126,7 +127,17 @@
 	else
 		h = recent_entry_hash6(addrp);

-	list_for_each_entry(e, &table->iphash[h], list)
+	
+          list_for_each_entry_safe(e,next , &table->iphash[h], list) {
+          if (e->family == family && (jiffies - e->stamps[0] > 10000 )  ) {
+                       printk("\n Removing one entry  %lu  %lu \n" ,
e->stamps[0] ,jiffies);
+                       printk(KERN_INFO "\nRemoving  ip entry:
%d.%d.%d.%d\n", NIPQUAD(e->addr));
+                      recent_entry_remove(table, e);
+                      }
+
+          }
+
+        list_for_each_entry(e, &table->iphash[h], list)
 		if (e->family == family &&
 		    memcmp(&e->addr, addrp, sizeof(e->addr)) == 0 &&
 		    (ttl == e->ttl || ttl == 0 || e->ttl == 0))
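Review bot: `jiffies - e->stamps[0] > 10000` does not test the last seen time. stamps[] is a ring of ip_pkt_list_tot slots written at e->index, so slot 0 holds the oldest stamp until the ring wraps, which is exactly the first-seen comparison the cover note says it wants to replace; the newest stamp is the slot written just before e->index, or walk the LRU list that the update path already maintains with list_move_tail(&e->lru_list, &t->lru_list). Further points in the same block: the 10000 is raw jiffies (10 s at HZ=1000, 40 s at HZ=250) and the open-coded subtraction is not wrap-safe, so compare with time_after() against a value derived from the rule's --seconds rather than a hard-coded constant; the sweep removes every stale entry in the bucket regardless of addrp, from inside a function declared with `const struct recent_table *table`, which it then hands to recent_entry_remove(); the first printk() carries no KERN_ level, and NIPQUAD(e->addr) prints garbage for an NFPROTO_IPV6 entry (use %pI4/%pI6 keyed on e->family); the new lines are indented with spaces where the file uses tabs; and both printk() lines have been wrapped by the mail client (the continuation lines lack the leading `+`), so the patch will not apply as posted.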
@@ -178,6 +189,10 @@
 		e->nstamps = e->index;
 	e->index %= ip_pkt_list_tot;
 	list_move_tail(&e->lru_list, &t->lru_list);
+
+
+
+
 }

 static struct recent_table *recent_table_lookup(const char *name)
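Review bot: whitespace-only hunk; the four blank lines added before the closing brace after `list_move_tail(&e->lru_list, &t->lru_list);` change nothing and should be dropped from the patch.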


***************************************************************************************

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: removing black listed ip
  2010-04-10 17:03 removing black listed ip ratheesh k
@ 2010-04-10 17:12 ` Jan Engelhardt
  2010-04-10 17:20   ` ratheesh k
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-04-10 17:12 UTC (permalink / raw)
  To: ratheesh k; +Cc: netfilter

On Saturday 2010-04-10 19:03, ratheesh k wrote:

>Hi ,
>
> I need to remove black listed ip if   last seen packet is  x time
>ago  . I have changed code , but here it is comparing with first seen
>packet time . i need to compare last seen packet .

xt_recent works by comparing the difference between an entry's 
timestamps and the current time with the chosen --seconds parameter.


>@@ -178,6 +189,10 @@
> 		e->nstamps = e->index;
> 	e->index %= ip_pkt_list_tot;
> 	list_move_tail(&e->lru_list, &t->lru_list);
>+
>+
>+
>+
> }
>
> static struct recent_table *recent_table_lookup(const char *name)
>
>

What's with all this whitespace...

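The comparison Jan describes (an entry's stamps against the current time, with --seconds as the window) and the question of which slot actually holds an entry's latest hit, modelled in userspace as an added example. This is not xt_recent's code: the struct and function names, the ring size of 4 and the tick rate of 1000 are assumptions made for the demonstration, and the hit times fed in by main() are constructed.

```c
/* Added example, not xt_recent source: a userspace model of the per-entry
 * timestamp ring that xt_recent keeps, built to show two things the thread
 * turns on: which slot holds the most recent hit, and how a --seconds /
 * --hitcount check compares the stamps with "now". All names here
 * (recent_entry_model, entry_*) are hypothetical. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define PKT_LIST_TOT 4U   /* stands in for the ip_pkt_list_tot module parameter */
#define MODEL_HZ 1000UL   /* assumed tick rate; real kernels vary (100..1000) */

struct recent_entry_model {
	unsigned long stamps[PKT_LIST_TOT]; /* ring of hit times, in ticks */
	unsigned int index;                 /* next slot to overwrite */
	unsigned int nstamps;               /* slots that hold a valid stamp */
};

/* Wrap-safe "a is later than b" for tick counters, like the kernel's time_after(). */
static bool tick_after(unsigned long a, unsigned long b)
{
	return (long)(b - a) < 0;
}

/* Record a hit at time 'now': same bookkeeping as the index/nstamps code
 * visible in the posted hunk (write, bump, wrap). */
static void entry_update(struct recent_entry_model *e, unsigned long now)
{
	e->stamps[e->index++] = now;
	if (e->index > e->nstamps)
		e->nstamps = e->index;
	e->index %= PKT_LIST_TOT;
}

/* The most recent stamp lives in the slot written just before 'index'.
 * stamps[0] is the newest hit only for the first write and whenever the
 * ring happens to have wrapped back to slot 0, so testing it is a
 * first-seen test, not a last-seen one. */
static unsigned long entry_last_seen(const struct recent_entry_model *e)
{
	assert(e->nstamps > 0);
	return e->stamps[(e->index + PKT_LIST_TOT - 1) % PKT_LIST_TOT];
}

/* --seconds/--hitcount as the match applies them: count the stamps newer
 * than now - seconds*HZ and succeed once 'hitcount' of them are seen.
 * seconds == 0 means every stamp counts; hitcount == 0 means one is enough. */
static bool entry_matches(const struct recent_entry_model *e, unsigned long now,
			  unsigned long seconds, unsigned int hitcount)
{
	unsigned long cutoff = now - seconds * MODEL_HZ;
	unsigned int i, hits = 0;

	for (i = 0; i < e->nstamps; i++) {
		if (seconds && tick_after(cutoff, e->stamps[i]))
			continue;		/* outside the window */
		if (!hitcount || ++hits >= hitcount)
			return true;
	}
	return false;
}

/* The test the original poster wanted: is the entry's *latest* hit older
 * than 'seconds'? This is the condition a reaper should use. */
static bool entry_stale(const struct recent_entry_model *e, unsigned long now,
			unsigned long seconds)
{
	return tick_after(now - seconds * MODEL_HZ, entry_last_seen(e));
}

int main(void)
{
	struct recent_entry_model e = { {0}, 0, 0 };
	unsigned long t;

	/* constructed hit times: one per second for six seconds, ring size 4 */
	for (t = 1000; t <= 6000; t += 1000)
		entry_update(&e, t);

	printf("stamps[0]=%lu last_seen=%lu\n", e.stamps[0], entry_last_seen(&e));
	printf("2 hits in last 2s: %d, 3 hits: %d\n",
	       entry_matches(&e, 6500, 2, 2), entry_matches(&e, 6500, 2, 3));
	printf("stale after 10s idle: %d\n", entry_stale(&e, 20000, 10));
	return 0;
}
```

After six hits into a four-slot ring, slot 0 holds the fifth hit while the sixth sits in slot 1, which is why a reaper keyed on stamps[0] expires entries at the wrong time; entry_stale() reads the slot before index instead, and entry_matches() is the only test a rule with --seconds performs, so an entry that has gone quiet simply stops matching without ever being deleted.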

* Re: removing black listed ip
  2010-04-10 17:12 ` Jan Engelhardt
@ 2010-04-10 17:20   ` ratheesh k
  2010-04-10 17:42     ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: ratheesh k @ 2010-04-10 17:20 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter

> xt_recent works by comparing the difference between an entry's
> timestamps and the current time with the chosen --seconds parameter.


If an IP is blacklisted, when will it get removed? How can I
remove the list? I first thought of kernel timers (timer_list), but
I have to take care of race conditions and it will dampen the
performance.


> What's with all this whitespace...
>

Sorry, by mistake I added spaces.

thanks,
ratheesh

On Sat, Apr 10, 2010 at 10:42 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Saturday 2010-04-10 19:03, ratheesh k wrote:
>
>>Hi ,
>>
>> I need to remove black listed ip if   last seen packet is  x time
>>ago  . I have changed code , but here it is comparing with first seen
>>packet time . i need to compare last seen packet .
>
> xt_recent works by comparing the difference between an entry's
> timestamps and the current time with the chosen --seconds parameter.
>
>
>>@@ -178,6 +189,10 @@
>>               e->nstamps = e->index;
>>       e->index %= ip_pkt_list_tot;
>>       list_move_tail(&e->lru_list, &t->lru_list);
>>+
>>+
>>+
>>+
>> }
>>
>> static struct recent_table *recent_table_lookup(const char *name)
>>
>>
>
> What's with all this whitespace...
>


* Re: removing black listed ip
  2010-04-10 17:20   ` ratheesh k
@ 2010-04-10 17:42     ` Jan Engelhardt
  2010-04-12  6:24       ` ratheesh k
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-04-10 17:42 UTC (permalink / raw)
  To: ratheesh k; +Cc: netfilter

On Saturday 2010-04-10 19:20, ratheesh k wrote:

>> xt_recent works by comparing the difference between an entry's
>> timestamps and the current time with the chosen --seconds parameter.
>
>If an ip is black listed , when it will get removed 

It will not get removed. If you want any action, such as blacklisting, 
to stop after a given time, you use --seconds as I just told.


* Re: removing black listed ip
  2010-04-10 17:42     ` Jan Engelhardt
@ 2010-04-12  6:24       ` ratheesh k
  2010-04-12 12:30         ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: ratheesh k @ 2010-04-12  6:24 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter

On Sat, Apr 10, 2010 at 11:12 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Saturday 2010-04-10 19:20, ratheesh k wrote:
>
>>> xt_recent works by comparing the difference between an entry's
>>> timestamps and the current time with the chosen --seconds parameter.
>>
>>If an ip is black listed , when it will get removed
>
> It will not get removed. If you want any action, such as blacklisting,
> to stop after a given time, you use --seconds as I just told.
>

If the number of blacklisted IPs is more than ip_list_tot, will old
entries be replaced by new IP addresses? (Once the list is full,
what will happen for new blacklisting?)

Thanks,
Ratheesh


* Re: removing black listed ip
  2010-04-12  6:24       ` ratheesh k
@ 2010-04-12 12:30         ` Jan Engelhardt
  2010-04-20  2:46           ` ratheesh k
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-04-12 12:30 UTC (permalink / raw)
  To: ratheesh k; +Cc: netfilter


On Monday 2010-04-12 08:24, ratheesh k wrote:
>On Sat, Apr 10, 2010 at 11:12 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>> On Saturday 2010-04-10 19:20, ratheesh k wrote:
>>
>>>> xt_recent works by comparing the difference between an entry's
>>>> timestamps and the current time with the chosen --seconds parameter.
>>>
>>>If an ip is black listed , when it will get removed
>>
>> It will not get removed. If you want any action, such as blacklisting,
>> to stop after a given time, you use --seconds as I just told.
>
>if  number of ip balcklisted ip is more than  ip_list_tot , old
>entries will be replaced by new ip addresses ? . { once list if full ,
>what will happen for new black listing }

As I see it yes.


* Re: removing black listed ip
  2010-04-12 12:30         ` Jan Engelhardt
@ 2010-04-20  2:46           ` ratheesh k
  2010-04-20  8:06             ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: ratheesh k @ 2010-04-20  2:46 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter

On Mon, Apr 12, 2010 at 6:00 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Monday 2010-04-12 08:24, ratheesh k wrote:
>>On Sat, Apr 10, 2010 at 11:12 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>>> On Saturday 2010-04-10 19:20, ratheesh k wrote:
>>>
>>>>> xt_recent works by comparing the difference between an entry's
>>>>> timestamps and the current time with the chosen --seconds parameter.
>>>>
>>>>If an ip is black listed , when it will get removed
>>>
>>> It will not get removed. If you want any action, such as blacklisting,
>>> to stop after a given time, you use --seconds as I just told.
>>
>>if  number of ip balcklisted ip is more than  ip_list_tot , old
>>entries will be replaced by new ip addresses ? . { once list if full ,
>>what will happen for new black listing }
>
> As I see it yes.
>

Suppose one particular IP is blacklisted by accident... I want to
remove the IP from the blacklist. How can I do that?


* Re: removing black listed ip
  2010-04-20  2:46           ` ratheesh k
@ 2010-04-20  8:06             ` Jan Engelhardt
  2010-04-20 11:21               ` ratheesh k
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-04-20  8:06 UTC (permalink / raw)
  To: ratheesh k; +Cc: netfilter


On Tuesday 2010-04-20 04:46, ratheesh k wrote:
>>>
>>>if  number of ip balcklisted ip is more than  ip_list_tot , old
>>>entries will be replaced by new ip addresses ? . { once list if full ,
>>>what will happen for new black listing }
>>
>> As I see it yes.
>
>suppose one particular ip is blacklisted by accident ...I want to
>remove the ip from black list . How can i do that ?

How do you define accident?

Manually:
 "echo -2a01:198:476::1" >/proc/net/xt_recent/foo

Automatically:
 If you can automatically detect an accident, you can also
 have it removed with -m recent --remove. Or in fact,
 avoid it in the first place.

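The ruleset the replies add up to, as an added example that is not code from the thread: a blacklist that lapses on its own through --update --seconds (the answer to "when will it get removed"), manual removal of one address through the proc file (the "-addr" write Jan shows), and rule-driven removal with -m recent --remove. The table name badguys, the trap port 2222, the unban port 2223, the 60-second window and the DRY_RUN/PROC_DIR knobs are assumptions made so the script can be exercised without root or a kernel.

```sh
#!/bin/sh
# Added example, not code from the thread: an xt_recent blacklist that stops
# matching on its own through --seconds, with the removal paths the replies
# mention. TABLE, TRAP_PORT, UNBAN_PORT and WINDOW are assumed values;
# PROC_DIR and DRY_RUN exist only so the functions can be exercised offline.
set -e

TABLE=badguys
WINDOW=60
TRAP_PORT=2222
UNBAN_PORT=2223
PROC_DIR=${PROC_DIR:-/proc/net/xt_recent}

# Print the command instead of running it when DRY_RUN is set.
run() {
	if [ -n "$DRY_RUN" ]; then
		printf '%s\n' "$*"
	else
		"$@"
	fi
}

# Rule 1: a packet from a recorded address is dropped while that address's
# newest stamp is younger than WINDOW seconds; --update refreshes the stamp
# on every match, so the ban lasts until the peer has been quiet for WINDOW
# seconds. Rule 2: the trap; any TCP attempt on TRAP_PORT records the source.
# Nothing here deletes an entry: an old entry simply stops matching.
install_rules() {
	run iptables -A INPUT -m recent --name "$TABLE" --update --seconds "$WINDOW" -j DROP
	run iptables -A INPUT -p tcp --dport "$TRAP_PORT" -m recent --name "$TABLE" --set -j DROP
}

# Rule-driven removal: a packet matching here takes its source out of the
# table (-m recent --remove). What qualifies is site policy; a dedicated
# port is used here purely as a constructed illustration.
install_unban_rule() {
	run iptables -I INPUT -p tcp --dport "$UNBAN_PORT" -m recent --name "$TABLE" --remove -j ACCEPT
}

# Manual removal of one address: a leading "-" written to the table's proc
# file deletes that entry ("+" would add one). printf rather than echo, so
# an address beginning with "-" is never taken for an option.
unban() {
	printf '%s\n' "-$1" > "$PROC_DIR/$TABLE"
}

# A lone "/" written to the proc file flushes the whole table.
flush_table() {
	printf '%s\n' "/" > "$PROC_DIR/$TABLE"
}

case "${1:-}" in
	install) install_rules; install_unban_rule ;;
	unban)   unban "$2" ;;
	flush)   flush_table ;;
esac
```

Run it as `./recent-blacklist.sh install` once, then `./recent-blacklist.sh unban 192.0.2.7` for the accidental case. The proc file only exists while a rule referencing the table is loaded, and the write needs root; `DRY_RUN=1 ./recent-blacklist.sh install` shows the rules without touching the kernel.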

* Re: removing black listed ip
  2010-04-20  8:06             ` Jan Engelhardt
@ 2010-04-20 11:21               ` ratheesh k
  0 siblings, 0 replies; 9+ messages in thread
From: ratheesh k @ 2010-04-20 11:21 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter

On Tue, Apr 20, 2010 at 1:36 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Tuesday 2010-04-20 04:46, ratheesh k wrote:
>>>>
>>>>if  number of ip balcklisted ip is more than  ip_list_tot , old
>>>>entries will be replaced by new ip addresses ? . { once list if full ,
>>>>what will happen for new black listing }
>>>
>>> As I see it yes.
>>
>>suppose one particular ip is blacklisted by accident ...I want to
>>remove the ip from black list . How can i do that ?
>
> How do you define accident?
>
> Manually:
>  "echo -2a01:198:476::1" >/proc/net/xt_recent/foo
>
> Automatically:
>  If you can automatically detect an accident, you can also
>  have it removed with -m recent --remove. Or in fact,
>  avoid it in the first place.
>

Thanks a ton.

