On Sunday, 28 February 2010 at 16:12 -0700, Tim Gardner wrote:
> You are right about the reaper pointer. I'd forgotten that the LRU list
> was already sorted oldest to newest. Doh! I've cleaned that up some.
>
> This version adds the '--reap' flag and only looks at the head of the
> LRU list once per ip_reaper_freq packets.
>
> I also added a check that makes sure --rttl and --reap modify only the
> --rcheck and --update options.
>
> rtg

@@ -272,6 +295,16 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 				break;
 			}
 		}
+
+		/*
+		 * Run the reaper every ip_reaper_freq packets.
+		 */
+		if ((info->check_set & XT_RECENT_REAP) &&
+		    info->seconds &&

This (info->seconds) test is redundant if you test it _once_ in recent_mt_check()

+		    (++t->reaper_cnt >= ip_reaper_freq)) {
+			t->reaper_cnt = 0;
+			recent_entry_reap(t, time);
+		}
 	}

i.e.:

diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index fc70a49..66d68f3 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -294,6 +294,8 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
 	if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) &&
 	    (info->seconds || info->hit_count))
 		return false;
+	if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
+		return false;
 	if (info->hit_count > ip_pkt_list_tot)
 		return false;
 	if (info->name[0] == '\0' ||

Then, now that reaping is done as a rule option only, I am not sure we
still need the reaper_cnt logic, since you probably want ip_reaper_freq = 1,
or else table size will probably grow at its limit, even in a non-DoS situation.
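Review bot: In the recent_mt() hunk (@@ -272,6 +295,16 @@), the `info->seconds &&` term is a rule-configuration invariant being re-evaluated on every packet in the match hot path; once recent_mt_check() refuses --reap without --seconds, drop it and reduce the condition to `(info->check_set & XT_RECENT_REAP) && (++t->reaper_cnt >= ip_reaper_freq)`. The comment above the block should also state that the counter lives in the table (t->reaper_cnt), so every rule referencing that table advances the same counter regardless of which rule's packet trips it, and that each trigger only examines the head of the LRU list, which is why reaper_cnt only makes sense with a small ip_reaper_freq.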
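Review bot: In the recent_mt_check() hunk (@@ -294,6 +294,8 @@), the new `(info->check_set & XT_RECENT_REAP) && !info->seconds` test, together with the existing rejection of --seconds on XT_RECENT_SET | XT_RECENT_REMOVE two lines above it, is what guarantees --reap is only ever accepted on a --rcheck/--update rule that carries --seconds; since the fast path depends on that transitive guarantee, put it in a one-line comment next to the check, e.g. `/* --reap requires --seconds, which SET/REMOVE already refuse */`. Returning false silently is consistent with the neighbouring checks in this function, so no message is needed.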