aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux/netfilter/xt_hashlimit.h (follow)
AgeCommit message (Collapse)AuthorFilesLines
2012-10-09UAPI: (Scripted) Disintegrate include/linux/netfilterDavid Howells1-70/+1
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Dave Jones <davej@redhat.com>
2012-05-17netfilter: xt_hashlimit: use _ALL macro to reject unknown flag bitsFlorian Westphal1-2/+4
David Miller says: The canonical way to validate if the set bits are in a valid range is to have a "_ALL" macro, and test: if (val & ~XT_HASHLIMIT_ALL) goto err;" make it so. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-05-09netfilter: hashlimit: byte-based limit modeFlorian Westphal1-1/+9
can be used e.g. for ingress traffic policing or to detect when a host/port consumes more bandwidth than expected. This is done by optionally making cost to mean "cost per 16-byte-chunk-of-data" instead of "cost per packet". Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-03-26make netfilter use strict integer typesArnd Bergmann1-15/+17
Netfilter traditionally uses BSD integer types in its interface headers. This changes it to use the Linux strict integer types, like everyone else. Cc: netfilter-devel@vger.kernel.org Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-02-19[NETFILTER]: xt_hashlimit: remove unneeded struct memberJan Engelhardt1-1/+0
By allocating ->hinfo, we already have the needed indirection to cope with the per-cpu xtables struct match_entry. [Patrick: do this now before the revision 1 struct is used by userspace] Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-31[NETFILTER]: xt_hashlimit match, revision 1Jan Engelhardt1-5/+32
Introduces the xt_hashlimit match revision 1. It adds support for kernel-level inversion and grouping source and/or destination IP addresses, allowing to limit on a per-subnet basis. While this would technically obsolete xt_limit, xt_hashlimit is a more expensive due to the hashbucketing. Kernel-level inversion: Previously you had to do user-level inversion: iptables -N foo iptables -A foo -m hashlimit --hashlimit(-upto) 5/s -j RETURN iptables -A foo -j DROP iptables -A INPUT -j foo now it is simpler: iptables -A INPUT -m hashlimit --hashlimit-over 5/s -j DROP Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: Annotate start of kernel fields in NF headersJan Engelhardt1-1/+1
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[NETFILTER]: x_tables: add port of hashlimit match for IPv4 and IPv6Patrick McHardy1-0/+40
Signed-off-by: Patrick McHardy <kaber@trash.net>
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.