[NETFILTER]: xt_hashlimit match, revision 1
author: Jan Engelhardt <jengelh@computergmbh.de>
Thu, 31 Jan 2008 12:48:13 +0000 (04:48 -0800)
committer: David S. Miller <davem@davemloft.net>
Fri, 1 Feb 2008 03:28:04 +0000 (19:28 -0800)
commit: 4f3d5da03f903315c75ae17d916281cffd64c0a9
tree: 409cb903573639d08b3dbe0418477a0ac6e87eee
parent: 067e3a5a7172935aee39af149dbdc08f0efb726b
[NETFILTER]: xt_hashlimit match, revision 1

Introduces the xt_hashlimit match revision 1. It adds support for
kernel-level inversion and for grouping source and/or destination IP
addresses, allowing limiting on a per-subnet basis. While this would
technically obsolete xt_limit, xt_hashlimit is more expensive due
to the hash bucketing.

Kernel-level inversion: Previously you had to do user-level inversion:

iptables -N foo
iptables -A foo -m hashlimit --hashlimit(-upto) 5/s -j RETURN
iptables -A foo -j DROP
iptables -A INPUT -j foo

now it is simpler:

iptables -A INPUT -m hashlimit --hashlimit-over 5/s -j DROP

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/netfilter/xt_hashlimit.h
net/netfilter/xt_hashlimit.c
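To illustrate the semantics the commit message describes, here is a small Python model added for this page (it is not the kernel's or iptables' code): one token bucket per key, where the key is the source address masked to a prefix length, and an `over` flag that implements the kernel-level inversion of `--hashlimit-over` versus `--hashlimit-upto`. The class, its parameter names, the simplified token-bucket arithmetic and the sample packet trace are this example's own constructions; the real match keeps credits inside the kernel.

```python
import ipaddress


class HashLimit:
    """Simplified model of an xt_hashlimit match (example code, not the kernel's).

    One token bucket per key; the key is the packet's source address masked to
    `srcmask` bits, which models the per-subnet grouping of revision 1.  `over`
    selects kernel-level inversion: match when the limit is exceeded instead of
    matching while still within it.  Parameter names are this example's own.
    """

    def __init__(self, rate, burst=5, srcmask=32, over=False):
        self.rate = float(rate)      # packets per second refilled into each bucket
        self.burst = float(burst)    # bucket capacity (iptables' default burst is 5)
        self.srcmask = srcmask       # prefix length used to group sources
        self.over = over             # True: the match fires once the limit is exceeded
        self.buckets = {}            # key -> (tokens, time of last update)

    def _key(self, src):
        # Hosts inside the same /srcmask share one bucket (assumed grouping semantics).
        return str(ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False))

    def match(self, src, now):
        """Return True when the match fires for a packet from `src` at time `now`."""
        key = self._key(src)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last packet
        within = tokens >= 1.0
        if within:
            tokens -= 1.0            # a packet within the limit consumes one token
        self.buckets[key] = (tokens, now)
        # XOR with `over` is the kernel-level inversion the commit introduces:
        # --hashlimit-upto fires while within the limit, --hashlimit-over once above it.
        return within != self.over


def run_trace(limiter, trace):
    """Feed (time, src) events through the limiter and return the match results."""
    return [limiter.match(src, t) for t, src in trace]


if __name__ == "__main__":
    # Constructed trace: ten hosts in 10.0.0.0/24 plus one host outside it, all at t=0.
    trace = [(0.0, f"10.0.0.{i}") for i in range(1, 11)] + [(0.0, "10.0.1.1")]
    # Models: -m hashlimit --hashlimit-over 5/s, grouped per /24, -j DROP
    drop = HashLimit(rate=5, burst=5, srcmask=24, over=True)
    for (t, src), hit in zip(trace, run_trace(drop, trace)):
        print(f"t={t:.1f} {src:<10} {'DROP' if hit else 'pass'}")
```

With the /24 grouping the first five packets from the subnet pass and the rest match the DROP rule, while the host in another subnet has its own bucket; with `srcmask=32` every host gets its own bucket and none of the eleven first packets is dropped.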