From: Samuel Jean
Subject: Re: Limit module accept negation?
Date: Thu, 13 Jan 2005 20:20:48 -0500
Message-ID: <41E71E70.4080703@cookinglinux.org>
References: <41E2E0CB.18071.252B3E2C@localhost> <41E6C745.7555.2118F01@localhost>
In-Reply-To: <41E6C745.7555.2118F01@localhost>
To: jagrelo@novadevices.com
Cc: netfilter@lists.netfilter.org

Jorge Agrelo wrote:
> Yes, I want to limit (drop) as soon as we receive more than 1/s packet
> regardless of the source address?, Is there any other way to do that without using
> limit match with negation?

AFAIK, there isn't.

>
> Regards
>

The patch below is against ipt_limit.c from 2.6.10. It's *untested* but reflects what I told you.
It's just an example of how you can make this module behave the other way around.

(NOTE: ipt_limit.c was written to avoid flooding -j LOG)

HTH,
Samuel

Content-Type: text/x-patch; name="ipt_limit.patch"
Content-Disposition: inline; filename="ipt_limit.patch"

--- ipt_limit.c 2005-01-13 20:14:10.000000000 -0500 +++ ipt_limit.c.orig 2005-01-13 20:13:19.000000000 -0500 @@ -82,11 +82,11 @@ /* We're not limited. */ r->credit -= r->cost; spin_unlock_bh(&limit_lock); - return 0; + return 1; } spin_unlock_bh(&limit_lock); - return 1; + return 0; } /* Precision saver. */
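
Review bot: the diff is generated in the reverse direction, so as posted it does not produce the inverted match the message describes. The header has ipt_limit.c on the --- side and ipt_limit.c.orig on the +++ side, and under the "We're not limited" comment the hunk changes return 0 to return 1, which makes the match succeed while credit remains rather than once the rate is exceeded. Regenerate it with the .orig file as the first argument to diff, or apply this one with patch -R. Separately, the two return values are swapped unconditionally, so every rule using the limit match would be inverted, including the -j LOG rate limiting the module was written for; a per-rule invert flag tested at these two returns would leave existing rules unaffected.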