Commit 39b46fc6 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: x_tables: add port of hashlimit match for IPv4 and IPv6

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent d7a5c324
...@@ -14,6 +14,7 @@ header-y += xt_dscp.h ...@@ -14,6 +14,7 @@ header-y += xt_dscp.h
header-y += xt_DSCP.h header-y += xt_DSCP.h
header-y += xt_esp.h header-y += xt_esp.h
header-y += xt_helper.h header-y += xt_helper.h
header-y += xt_hashlimit.h
header-y += xt_length.h header-y += xt_length.h
header-y += xt_limit.h header-y += xt_limit.h
header-y += xt_mac.h header-y += xt_mac.h
#ifndef _XT_HASHLIMIT_H
#define _XT_HASHLIMIT_H
/* timings are in milliseconds. */
#define XT_HASHLIMIT_SCALE 10000
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
/* details of this structure hidden by the implementation */
struct xt_hashlimit_htable;
#define XT_HASHLIMIT_HASH_DIP 0x0001
#define XT_HASHLIMIT_HASH_DPT 0x0002
#define XT_HASHLIMIT_HASH_SIP 0x0004
#define XT_HASHLIMIT_HASH_SPT 0x0008
struct hashlimit_cfg {
u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* user specified */
u_int32_t size; /* how many buckets */
u_int32_t max; /* max number of entries */
u_int32_t gc_interval; /* gc interval */
u_int32_t expire; /* when do entries expire? */
};
struct xt_hashlimit_info {
char name [IFNAMSIZ]; /* name */
struct hashlimit_cfg cfg;
struct xt_hashlimit_htable *hinfo;
/* Used internally by the kernel */
union {
void *ptr;
struct xt_hashlimit_info *master;
} u;
};
#endif /*_XT_HASHLIMIT_H*/
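Review bot: The comment on the `mode` field, `u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */`, still names the IPv4-only prefix although this generic header defines `XT_HASHLIMIT_HASH_*`; it should read `/* bitmask of XT_HASHLIMIT_HASH_* */`. The two leading comments also disagree: `/* timings are in milliseconds. */` precedes `XT_HASHLIMIT_SCALE 10000`, which the comment right after it describes as a 1/10,000 sec period, so the first one looks stale and could be reworded to `/* timings are in units of 1/XT_HASHLIMIT_SCALE sec. */`. Since this header is exported to userspace (it is added to header-y in this commit), `u_int32_t` is less portable than the kernel's `__u32` for the fixed-width fields, and the `hinfo` and `u` pointer members make the struct layout depend on the kernel's pointer width; a short comment stating that these are kernel-owned and that the struct size differs between 32-bit and 64-bit builds would help readers of the exported header, if that is the intended contract.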
#ifndef _IPT_HASHLIMIT_H #ifndef _IPT_HASHLIMIT_H
#define _IPT_HASHLIMIT_H #define _IPT_HASHLIMIT_H
/* timings are in milliseconds. */ #include <linux/netfilter/xt_hashlimit.h>
#define IPT_HASHLIMIT_SCALE 10000
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
/* details of this structure hidden by the implementation */ #define IPT_HASHLIMIT_SCALE XT_HASHLIMIT_SCALE
struct ipt_hashlimit_htable; #define IPT_HASHLIMIT_HASH_DIP XT_HASHLIMIT_HASH_DIP
#define IPT_HASHLIMIT_HASH_DPT XT_HASHLIMIT_HASH_DPT
#define IPT_HASHLIMIT_HASH_SIP XT_HASHLIMIT_HASH_SIP
#define IPT_HASHLIMIT_HASH_SPT XT_HASHLIMIT_HASH_SPT
#define IPT_HASHLIMIT_HASH_DIP 0x0001 #define ipt_hashlimit_info xt_hashlimit_info
#define IPT_HASHLIMIT_HASH_DPT 0x0002
#define IPT_HASHLIMIT_HASH_SIP 0x0004
#define IPT_HASHLIMIT_HASH_SPT 0x0008
struct hashlimit_cfg { #endif /* _IPT_HASHLIMIT_H */
u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
/* user specified */
u_int32_t size; /* how many buckets */
u_int32_t max; /* max number of entries */
u_int32_t gc_interval; /* gc interval */
u_int32_t expire; /* when do entries expire? */
};
struct ipt_hashlimit_info {
char name [IFNAMSIZ]; /* name */
struct hashlimit_cfg cfg;
struct ipt_hashlimit_htable *hinfo;
/* Used internally by the kernel */
union {
void *ptr;
struct ipt_hashlimit_info *master;
} u;
};
#endif /*_IPT_HASHLIMIT_H*/
...@@ -326,20 +326,6 @@ config IP_NF_MATCH_ADDRTYPE ...@@ -326,20 +326,6 @@ config IP_NF_MATCH_ADDRTYPE
If you want to compile it as a module, say M here and read If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'. <file:Documentation/modules.txt>. If unsure, say `N'.
config IP_NF_MATCH_HASHLIMIT
tristate 'hashlimit match support'
depends on IP_NF_IPTABLES
help
This option adds a new iptables `hashlimit' match.
As opposed to `limit', this match dynamically creates a hash table
of limit buckets, based on your selection of source/destination
ip addresses and/or ports.
It enables you to express policies like `10kpps for any given
destination IP' or `500pps from any given source IP' with a single
IPtables rule.
# `filter', generic and specific targets # `filter', generic and specific targets
config IP_NF_FILTER config IP_NF_FILTER
tristate "Packet filtering" tristate "Packet filtering"
...@@ -53,7 +53,6 @@ obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o ...@@ -53,7 +53,6 @@ obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
# matches # matches
obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
...@@ -464,5 +464,19 @@ config NETFILTER_XT_MATCH_TCPMSS ...@@ -464,5 +464,19 @@ config NETFILTER_XT_MATCH_TCPMSS
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_HASHLIMIT
tristate '"hashlimit" match support'
depends on NETFILTER_XTABLES
help
This option adds a `hashlimit' match.
As opposed to `limit', this match dynamically creates a hash table
of limit buckets, based on your selection of source/destination
addresses and/or ports.
It enables you to express policies like `10kpps for any given
destination address' or `500pps from any given source address'
with a single rule.
endmenu endmenu
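Review bot: The help text for NETFILTER_XT_MATCH_HASHLIMIT does not mention that it replaces IP_NF_MATCH_HASHLIMIT, which this commit deletes from net/ipv4/netfilter/Kconfig, nor that the module is now built as xt_hashlimit instead of ipt_hashlimit; existing configs and scripts that load the old module will silently lose the match. Adding a sentence such as `This replaces the IP_NF_MATCH_HASHLIMIT option; the module is now called xt_hashlimit.` would make the migration visible to anyone updating a configuration. Whether the IPv6 side needs a dependency beyond NETFILTER_XTABLES cannot be judged from this hunk, since the match source itself is not shown on this page.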
...@@ -59,3 +59,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o ...@@ -59,3 +59,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o