From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH 12/27] xt_hashlimit match, revision 1
Date: Fri, 04 Jan 2008 15:59:38 +0100
Message-ID: <477E49DA.40207@trash.net>
In-Reply-To: <Pine.LNX.4.64.0801022128370.14900@fbirervta.pbzchgretzou.qr>

Jan Engelhardt wrote:
> commit 98815424093ca5426885218bc0afa5aa18f3e86e
> Author: Jan Engelhardt <jengelh@computergmbh.de>
> Date:   Wed Jan 2 17:58:05 2008 +0100
> 
>     [NETFILTER]: xt_hashlimit match, revision 1
>     
>     Introduces the xt_hashlimit match revision 1. It adds support for
>     kernel-level inversion and grouping source and/or destination IP
>     addresses, allowing to limit on a per-subnet basis. While this would
>     technically obsolete xt_limit, xt_hashlimit is more expensive due to
>     the hashbucketing.
>     
>     Kernel-level inversion: Previously you had to do user-level inversion:
>     	iptables -N foo
>     	iptables -A foo -m hashlimit --hashlimit 5/s -j RETURN
>     	iptables -A foo -j DROP
>     	iptables -A INPUT -j foo
>     now it is simpler:
>     	iptables -A INPUT -m hashlimit --hashlimit-over 5/s -j DROP
>     
>     Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
> 
>  include/linux/netfilter/xt_hashlimit.h |   37 +++-
>  net/netfilter/xt_hashlimit.c           |  311 +++++++++++++++++++++---
>  2 files changed, 315 insertions(+), 33 deletions(-)
> 
> diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
> index c19972e..f15b104 100644
> --- a/include/linux/netfilter/xt_hashlimit.h
> +++ b/include/linux/netfilter/xt_hashlimit.h
> @@ -9,13 +9,16 @@
>  /* details of this structure hidden by the implementation */
>  struct xt_hashlimit_htable;
>  
> -#define XT_HASHLIMIT_HASH_DIP	0x0001
> -#define XT_HASHLIMIT_HASH_DPT	0x0002
> -#define XT_HASHLIMIT_HASH_SIP	0x0004
> -#define XT_HASHLIMIT_HASH_SPT	0x0008
> +enum {
> +	XT_HASHLIMIT_HASH_DIP = 1 << 0,
> +	XT_HASHLIMIT_HASH_DPT = 1 << 1,
> +	XT_HASHLIMIT_HASH_SIP = 1 << 2,
> +	XT_HASHLIMIT_HASH_SPT = 1 << 3,
> +	XT_HASHLIMIT_INVERT   = 1 << 4,
> +};
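
Review bot: XT_HASHLIMIT_INVERT (1 << 4) lands in the same anonymous enum as the XT_HASHLIMIT_HASH_* selectors, so any code that treats the mode value purely as a set of hash-key bits now has to mask the invert bit out before using it; a short comment separating the selector bits from the behaviour flag would make that explicit. Separately, turning the four existing #define constants into enum members in this include/linux header means they can no longer be tested with #ifdef, so consider keeping the #defines and adding only the new value, or note the change in the commit message.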


Do we really need a full new revision for this? It seems simply adding
the inversion flag would work fine, old userspace code will always
have it set to zero.
