diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-09-07 06:22:18 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-09-12 12:49:50 -0400 |
| commit | dbd2be0646e3239022630c426cbceefa15714bca (patch) | |
| tree | f3e2edf1b08504893250595b00df4c3681d2c2bb /include/uapi/linux | |
| parent | 70ca767ea1b2748f45e96192400e515dddbe517c (diff) | |
netfilter: nft_dynset: allow to invert match criteria
The dynset expression matches if we can fit a new entry into the set.
If there is no room for it, then it breaks the rule evaluation.
This patch introduces the inversion flag so you can add rules to
explicitly drop packets that don't fit into the set. For example:
# nft filter input flow table xyz size 4 { ip saddr timeout 120s counter } overflow drop
This is useful to provide a replacement for connlimit.
For the rule above, every new entry uses the IPv4 address as key in the
set, this entry gets a timeout of 120 seconds that gets refresh on every
packet seen. If we get new flow and our set already contains 4 entries
already, then this packet is dropped.
You can already express this in positive logic, assuming default policy
to drop:
# nft filter input flow table xyz size 4 { ip saddr timeout 10s counter } accept
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/uapi/linux')
| -rw-r--r-- | include/uapi/linux/netfilter/nf_tables.h | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 8c653bbd1ead..bc0eb6a1066d 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h | |||
| @@ -575,6 +575,10 @@ enum nft_dynset_ops { | |||
| 575 | NFT_DYNSET_OP_UPDATE, | 575 | NFT_DYNSET_OP_UPDATE, |
| 576 | }; | 576 | }; |
| 577 | 577 | ||
| 578 | enum nft_dynset_flags { | ||
| 579 | NFT_DYNSET_F_INV = (1 << 0), | ||
| 580 | }; | ||
| 581 | |||
| 578 | /** | 582 | /** |
| 579 | * enum nft_dynset_attributes - dynset expression attributes | 583 | * enum nft_dynset_attributes - dynset expression attributes |
| 580 | * | 584 | * |
| @@ -585,6 +589,7 @@ enum nft_dynset_ops { | |||
| 585 | * @NFTA_DYNSET_SREG_DATA: source register of the data (NLA_U32) | 589 | * @NFTA_DYNSET_SREG_DATA: source register of the data (NLA_U32) |
| 586 | * @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64) | 590 | * @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64) |
| 587 | * @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes) | 591 | * @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes) |
| 592 | * @NFTA_DYNSET_FLAGS: flags (NLA_U32) | ||
| 588 | */ | 593 | */ |
| 589 | enum nft_dynset_attributes { | 594 | enum nft_dynset_attributes { |
| 590 | NFTA_DYNSET_UNSPEC, | 595 | NFTA_DYNSET_UNSPEC, |
| @@ -596,6 +601,7 @@ enum nft_dynset_attributes { | |||
| 596 | NFTA_DYNSET_TIMEOUT, | 601 | NFTA_DYNSET_TIMEOUT, |
| 597 | NFTA_DYNSET_EXPR, | 602 | NFTA_DYNSET_EXPR, |
| 598 | NFTA_DYNSET_PAD, | 603 | NFTA_DYNSET_PAD, |
| 604 | NFTA_DYNSET_FLAGS, | ||
| 599 | __NFTA_DYNSET_MAX, | 605 | __NFTA_DYNSET_MAX, |
| 600 | }; | 606 | }; |
| 601 | #define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1) | 607 | #define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1) |