Merge branch 'connlimit' of git://dev.medozas.de/linux

Conflicts: Documentation/feature-removal-schedule.txt Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2011-01-20 04:33:55 -0500
committer: Patrick McHardy <kaber@trash.net> 2011-01-20 04:33:55 -0500
commit: 82d800d8e7fa731b50deb851d16b68050673f587 (patch)
tree: 60acee6699b1cdb7fe5e2802947737dffeeeb6c9
parent: 28a51ba59a1a983d63d4775e9bb8230fe0fb3b29 (diff)
parent: cc4fc022571376412986e27e08b0765e9cb2aafb (diff)
3 files changed, 49 insertions, 14 deletions
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 8c594c45b6a1..05b248aa91f1 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -611,3 +611,10 @@ Why:	The adm9240, w83792d and w83793 hardware monitoring drivers have
 Who:    Jean Delvare <khali@linux-fr.org>
 ----------------------------
+What:   xt_connlimit rev 0
+When:   2012
+Who:    Jan Engelhardt <jengelh@medozas.de>
+Files:  net/netfilter/xt_connlimit.c
+----------------------------
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h
index 7e3284bcbd2b..8884efc605c7 100644
--- a/include/linux/netfilter/xt_connlimit.h
+++ b/include/linux/netfilter/xt_connlimit.h
@@ -3,6 +3,11 @@
 struct xt_connlimit_data;
+enum {
+        XT_CONNLIMIT_INVERT = 1 << 0,
+        XT_CONNLIMIT_DADDR  = 1 << 1,
+};
 struct xt_connlimit_info {
        union {
                union nf_inet_addr mask;
@@ -14,6 +19,13 @@ struct xt_connlimit_info {
 #endif
        };
        unsigned int limit, inverse;
+        union {
+                /* revision 0 */
+                unsigned int inverse;
+                /* revision 1 */
+                __u32 flags;
+        };
        /* Used internally by the kernel */
        struct xt_connlimit_data *data __attribute__((aligned(8)));
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 452bc16af56c..7fd3fd51f274 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -193,10 +193,12 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
        if (par->family == NFPROTO_IPV6) {
                const struct ipv6hdr *iph = ipv6_hdr(skb);
-                memcpy(&addr.ip6, &iph->saddr, sizeof(iph->saddr));
+                memcpy(&addr.ip6, (info->flags & XT_CONNLIMIT_DADDR) ?
+                       &iph->daddr : &iph->saddr, sizeof(addr.ip6));
        } else {
                const struct iphdr *iph = ip_hdr(skb);
-                addr.ip = iph->saddr;
+                addr.ip = (info->flags & XT_CONNLIMIT_DADDR) ?
+                          iph->daddr : iph->saddr;
        }
        spin_lock_bh(&info->data->lock);
@@ -208,7 +210,8 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
                /* kmalloc failed, drop it entirely */
                goto hotdrop;
-        return (connections > info->limit) ^ info->inverse;
+        return (connections > info->limit) ^
+               !!(info->flags & XT_CONNLIMIT_INVERT);
 hotdrop:
        par->hotdrop = true;
@@ -266,25 +269,38 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
        kfree(info->data);
 }
-static struct xt_match connlimit_mt_reg __read_mostly = {
+static struct xt_match connlimit_mt_reg[] __read_mostly = {
-        .name       = "connlimit",
+        {
-        .revision   = 0,
+                .name       = "connlimit",
-        .family     = NFPROTO_UNSPEC,
+                .revision   = 0,
-        .checkentry = connlimit_mt_check,
+                .family     = NFPROTO_UNSPEC,
-        .match      = connlimit_mt,
+                .checkentry = connlimit_mt_check,
-        .matchsize  = sizeof(struct xt_connlimit_info),
+                .match      = connlimit_mt,
-        .destroy    = connlimit_mt_destroy,
+                .matchsize  = sizeof(struct xt_connlimit_info),
-        .me         = THIS_MODULE,
+                .destroy    = connlimit_mt_destroy,
+                .me         = THIS_MODULE,
+        },
+        {
+                .name       = "connlimit",
+                .revision   = 1,
+                .family     = NFPROTO_UNSPEC,
+                .checkentry = connlimit_mt_check,
+                .match      = connlimit_mt,
+                .matchsize  = sizeof(struct xt_connlimit_info),
+                .destroy    = connlimit_mt_destroy,
+                .me         = THIS_MODULE,
+        },
 };
 static int __init connlimit_mt_init(void)
 {
-        return xt_register_match(&connlimit_mt_reg);
+        return xt_register_matches(connlimit_mt_reg,
+               ARRAY_SIZE(connlimit_mt_reg));
 }
 static void __exit connlimit_mt_exit(void)
 {
-        xt_unregister_match(&connlimit_mt_reg);
+        xt_unregister_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
 }
 module_init(connlimit_mt_init);
author	Patrick McHardy <kaber@trash.net>	2011-01-20 04:33:55 -0500
committer	Patrick McHardy <kaber@trash.net>	2011-01-20 04:33:55 -0500
commit	82d800d8e7fa731b50deb851d16b68050673f587 (patch)
tree	60acee6699b1cdb7fe5e2802947737dffeeeb6c9
parent	28a51ba59a1a983d63d4775e9bb8230fe0fb3b29 (diff)
parent	cc4fc022571376412986e27e08b0765e9cb2aafb (diff)