author | Jan Engelhardt <jengelh@computergmbh.de> | 2008-01-31 07:48:13 -0500 |
committer | David S. Miller <davem@davemloft.net> | 2008-01-31 22:28:04 -0500 |
commit | 09e410def6432458c7d7e771a1807b157f4c2577 (patch) | |
tree | 409cb903573639d08b3dbe0418477a0ac6e87eee /include | |
parent | d33b7c06bd721e21534c120d1c4a5944dc3eb9ce (diff) |
[NETFILTER]: xt_hashlimit match, revision 1
Introduces the xt_hashlimit match revision 1. It adds support for
kernel-level inversion and grouping source and/or destination IP
addresses, allowing limiting on a per-subnet basis. While this would
technically obsolete xt_limit, xt_hashlimit is more expensive due
to the hashbucketing.
Kernel-level inversion: Previously you had to do user-level inversion:
iptables -N foo
iptables -A foo -m hashlimit --hashlimit(-upto) 5/s -j RETURN
iptables -A foo -j DROP
iptables -A INPUT -j foo
now it is simpler:
iptables -A INPUT -m hashlimit --hashlimit-over 5/s -j DROP
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter/xt_hashlimit.h | 37 |
1 files changed, 32 insertions, 5 deletions
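--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -9,13 +9,16 @@
 /* details of this structure hidden by the implementation */
 struct xt_hashlimit_htable;
 
-#define XT_HASHLIMIT_HASH_DIP 0x0001
-#define XT_HASHLIMIT_HASH_DPT 0x0002
-#define XT_HASHLIMIT_HASH_SIP 0x0004
-#define XT_HASHLIMIT_HASH_SPT 0x0008
+enum {
+	XT_HASHLIMIT_HASH_DIP = 1 << 0,
+	XT_HASHLIMIT_HASH_DPT = 1 << 1,
+	XT_HASHLIMIT_HASH_SIP = 1 << 2,
+	XT_HASHLIMIT_HASH_SPT = 1 << 3,
+	XT_HASHLIMIT_INVERT = 1 << 4,
+};
 
 struct hashlimit_cfg {
-	u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */
+	u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
 	u_int32_t avg; /* Average secs between packets * scale */
 	u_int32_t burst; /* Period multiplier for upper limit. */
 
@@ -37,4 +40,28 @@ struct xt_hashlimit_info {
 		struct xt_hashlimit_info *master;
 	} u;
 };
+
+struct hashlimit_cfg1 {
+	u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
+	u_int32_t avg; /* Average secs between packets * scale */
+	u_int32_t burst; /* Period multiplier for upper limit. */
+
+	/* user specified */
+	u_int32_t size; /* how many buckets */
+	u_int32_t max; /* max number of entries */
+	u_int32_t gc_interval; /* gc interval */
+	u_int32_t expire; /* when do entries expire? */
+
+	u_int8_t srcmask, dstmask;
+};
+
+struct xt_hashlimit_mtinfo1 {
+	char name[IFNAMSIZ];
+	struct hashlimit_cfg1 cfg;
+
+	/* Used internally by the kernel */
+	struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+	struct xt_hashlimit_mtinfo1 *master __attribute__((aligned(8)));
+};
+
 #endif /*_XT_HASHLIMIT_H*/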
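Review bot: The comment on `mode` in the new `struct hashlimit_cfg1` (new line 45) still reads `/* bitmask of XT_HASHLIMIT_HASH_* */`, yet the enum introduced in the first hunk also defines `XT_HASHLIMIT_INVERT`, which presumably is carried in that same field; I would widen it to `/* bitmask of XT_HASHLIMIT_HASH_* and XT_HASHLIMIT_INVERT */`. The `srcmask`/`dstmask` members on new line 55 carry no comment stating their meaning or valid range, so a reader of the header cannot tell what the kernel side is expected to accept; a comment such as `/* prefix lengths for grouping; the match's checkentry must reject values above the address width */` would make that contract explicit. Since these structures appear to be the userspace-supplied match configuration, every field is untrusted input on the kernel side, and this header is the only place the expected ranges are spelled out. The `u_int8_t` type already bounds the masks to 0–255, which is wider than any IPv4 or IPv6 prefix, so the range check cannot be left to the type.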