netfilter: hashlimit: byte-based limit mode

can be used e.g. for ingress traffic policing or to detect when a host/port consumes more bandwidth than expected. This is done by optionally making cost to mean "cost per 16-byte-chunk-of-data" instead of "cost per packet". Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2012-05-07 06:51:45 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2012-05-09 07:04:57 -0400
commit: 0197dee7d3182bb6b6a21955860dfa14fa022d84 (patch)
tree: 121237ff7991a5fea8d8ac6202ad6c92834e744e /include/linux
parent: 817e076f61bca3d0270af60632d1fe07cd4919f1 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index b1925b5925e9..05fe7993dd76 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -6,7 +6,11 @@
 /* timings are in milliseconds. */
 #define XT_HASHLIMIT_SCALE 10000
 /* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
-   seconds, or one every 59 hours. */
+ * seconds, or one packet every 59 hours.
+ */
+/* packet length accounting is done in 16-byte steps */
+#define XT_HASHLIMIT_BYTE_SHIFT 4
 /* details of this structure hidden by the implementation */
 struct xt_hashlimit_htable;
@@ -17,6 +21,10 @@ enum {
        XT_HASHLIMIT_HASH_SIP = 1 << 2,
        XT_HASHLIMIT_HASH_SPT = 1 << 3,
        XT_HASHLIMIT_INVERT   = 1 << 4,
+        XT_HASHLIMIT_BYTES    = 1 << 5,
+#ifdef __KERNEL__
+        XT_HASHLIMIT_MAX      = 1 << 6,
+#endif
 };
 struct hashlimit_cfg {
author	Florian Westphal <fw@strlen.de>	2012-05-07 06:51:45 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2012-05-09 07:04:57 -0400
commit	0197dee7d3182bb6b6a21955860dfa14fa022d84 (patch)
tree	121237ff7991a5fea8d8ac6202ad6c92834e744e /include/linux
parent	817e076f61bca3d0270af60632d1fe07cd4919f1 (diff)