1 files changed, 116 insertions, 0 deletions
diff --git a/package/iptables/patches/011-recent-add-reap.patch b/package/iptables/patches/011-recent-add-reap.patch
new file mode 100644
index 000000000..275265b99
--- /dev/null
+++ b/package/iptables/patches/011-recent-add-reap.patch
@@ -0,0 +1,116 @@
+From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
+From: Tim Gardner <tim.gardner@canonical.com>
+Date: Mon, 1 Mar 2010 19:00:29 -0700
+Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
+
+Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+---
+ extensions/libxt_recent.c           |   20 ++++++++++++++++++++
+ extensions/libxt_recent.man         |    5 +++++
+ include/linux/netfilter/xt_recent.h |    7 +++++++
+ 3 files changed, 32 insertions(+), 0 deletions(-)
+
+--- a/extensions/libxt_recent.c
++++ b/extensions/libxt_recent.c
+@@ -20,6 +20,7 @@ static const struct option recent_opts[]
+ 	{.name = "name",     .has_arg = true,  .val = 208},
+ 	{.name = "rsource",  .has_arg = false, .val = 209},
+ 	{.name = "rdest",    .has_arg = false, .val = 210},
++	{.name = "reap",     .has_arg = false, .val = 211},
+ 	XT_GETOPT_TABLEEND,
+ };
+ 
+@@ -37,6 +38,7 @@ static void recent_help(void)
+ "    --hitcount hits             For check and update commands above.\n"
+ "                                Specifies that the match will only occur if source address seen hits times.\n"
+ "                                May be used in conjunction with the seconds option.\n"
++"    --reap                      Remove entries that have expired. Can only be used with --seconds\n"
+ "    --rttl                      For check and update commands above.\n"
+ "                                Specifies that the match will only occur if the source address and the TTL\n"
+ "                                match between this packet and the one which was set.\n"
+@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_
+ 	(XT_RECENT_SET | XT_RECENT_CHECK | \
+ 	XT_RECENT_UPDATE | XT_RECENT_REMOVE)
+ 
++#define XT_RECENT_SECONDS 1 << 31
++
+ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+                         const void *entry, struct xt_entry_match **match)
+ {
+@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar
+ 
+ 		case 204:
+ 			info->seconds = atoi(optarg);
++			*flags |= XT_RECENT_SECONDS;
+ 			break;
+ 
+ 		case 205:
+@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar
+ 			info->side = XT_RECENT_DEST;
+ 			break;
+ 
++		case 211:
++			info->check_set |= XT_RECENT_REAP;
++			*flags |= XT_RECENT_REAP;
++			break;
++
+ 		default:
+ 			return 0;
+ 	}
+@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl
+ 		xtables_error(PARAMETER_PROBLEM,
+ 		           "recent: --rttl may only be used with --rcheck or "
+ 		           "--update");
++	if ((flags & XT_RECENT_REAP) &&
++	    ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
++	    (!(flags & XT_RECENT_SECONDS))))
++		xtables_error(PARAMETER_PROBLEM,
++		           "recent: --reap may only be used with --rcheck or "
++		           "--update and --seconds");
+ }
+ 
+ static void recent_print(const void *ip, const struct xt_entry_match *match,
+@@ -185,6 +201,8 @@ static void recent_print(const void *ip,
+ 		printf("side: source ");
+ 	if (info->side == XT_RECENT_DEST)
+ 		printf("side: dest ");
++	if (info->check_set & XT_RECENT_REAP)
++		printf("reap ");
+ }
+ 
+ static void recent_save(const void *ip, const struct xt_entry_match *match)
+@@ -211,6 +229,8 @@ static void recent_save(const void *ip, 
+ 		printf("--rsource ");
+ 	if (info->side == XT_RECENT_DEST)
+ 		printf("--rdest ");
++	if (info->check_set & XT_RECENT_REAP)
++		printf("--reap ");
+ }
+ 
+ static struct xtables_match recent_mt_reg = {
+--- a/extensions/libxt_recent.man
++++ b/extensions/libxt_recent.man
+@@ -41,6 +41,11 @@ This option must be used in conjunction 
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+ address is in the list and was seen within the last given number of seconds.
+ .TP
++\fB\-\-reap\fP \fIreap\fP
++This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
++will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
++since the last packet was received.
++.TP
+ \fB\-\-hitcount\fP \fIhits\fP
+ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+--- a/include/linux/netfilter/xt_recent.h
++++ b/include/linux/netfilter/xt_recent.h
+@@ -23,6 +23,9 @@ enum {
+ #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+ 			       XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+ 
++/* Only allowed with --rcheck and --update */
++#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
++
+ struct xt_recent_mtinfo {
+ 	__u32 seconds;
+ 	__u32 hit_count;