aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorJan Engelhardt <jengelh@computergmbh.de>2008-01-31 07:48:13 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-31 22:28:04 -0500
commit09e410def6432458c7d7e771a1807b157f4c2577 (patch)
tree409cb903573639d08b3dbe0418477a0ac6e87eee /include
parentd33b7c06bd721e21534c120d1c4a5944dc3eb9ce (diff)
[NETFILTER]: xt_hashlimit match, revision 1
Introduces the xt_hashlimit match revision 1. It adds support for kernel-level inversion and grouping source and/or destination IP addresses, allowing to limit on a per-subnet basis. While this would technically obsolete xt_limit, xt_hashlimit is a more expensive due to the hashbucketing. Kernel-level inversion: Previously you had to do user-level inversion: iptables -N foo iptables -A foo -m hashlimit --hashlimit(-upto) 5/s -j RETURN iptables -A foo -j DROP iptables -A INPUT -j foo now it is simpler: iptables -A INPUT -m hashlimit --hashlimit-over 5/s -j DROP Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter/xt_hashlimit.h37
1 files changed, 32 insertions, 5 deletions
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index c19972e4564d..58b818ee41ca 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -9,13 +9,16 @@
9/* details of this structure hidden by the implementation */ 9/* details of this structure hidden by the implementation */
10struct xt_hashlimit_htable; 10struct xt_hashlimit_htable;
11 11
12#define XT_HASHLIMIT_HASH_DIP 0x0001 12enum {
13#define XT_HASHLIMIT_HASH_DPT 0x0002 13 XT_HASHLIMIT_HASH_DIP = 1 << 0,
14#define XT_HASHLIMIT_HASH_SIP 0x0004 14 XT_HASHLIMIT_HASH_DPT = 1 << 1,
15#define XT_HASHLIMIT_HASH_SPT 0x0008 15 XT_HASHLIMIT_HASH_SIP = 1 << 2,
16 XT_HASHLIMIT_HASH_SPT = 1 << 3,
17 XT_HASHLIMIT_INVERT = 1 << 4,
18};
16 19
17struct hashlimit_cfg { 20struct hashlimit_cfg {
18 u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */ 21 u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
19 u_int32_t avg; /* Average secs between packets * scale */ 22 u_int32_t avg; /* Average secs between packets * scale */
20 u_int32_t burst; /* Period multiplier for upper limit. */ 23 u_int32_t burst; /* Period multiplier for upper limit. */
21 24
@@ -37,4 +40,28 @@ struct xt_hashlimit_info {
37 struct xt_hashlimit_info *master; 40 struct xt_hashlimit_info *master;
38 } u; 41 } u;
39}; 42};
43
44struct hashlimit_cfg1 {
45 u_int32_t mode; /* bitmask of XT_HASHLIMIT_HASH_* */
46 u_int32_t avg; /* Average secs between packets * scale */
47 u_int32_t burst; /* Period multiplier for upper limit. */
48
49 /* user specified */
50 u_int32_t size; /* how many buckets */
51 u_int32_t max; /* max number of entries */
52 u_int32_t gc_interval; /* gc interval */
53 u_int32_t expire; /* when do entries expire? */
54
55 u_int8_t srcmask, dstmask;
56};
57
58struct xt_hashlimit_mtinfo1 {
59 char name[IFNAMSIZ];
60 struct hashlimit_cfg1 cfg;
61
62 /* Used internally by the kernel */
63 struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
64 struct xt_hashlimit_mtinfo1 *master __attribute__((aligned(8)));
65};
66
40#endif /*_XT_HASHLIMIT_H*/ 67#endif /*_XT_HASHLIMIT_H*/