| field | value | date |
|---|---|---|
| author | Jan Engelhardt <jengelh@medozas.de> | 2011-01-18 18:04:57 +0100 |
| committer | Jan Engelhardt <jengelh@medozas.de> | 2011-01-18 18:04:57 +0100 |
| commit | 2cae5334de3a817947742e0b466355e5f5566474 (patch) | |
| tree | a4d308dc555d2341d8d1f08c01dbdb099bc6f3ab /extensions/libxt_connlimit.man | |
| parent | 8d5e773508b154dcfa8d866f68f64ef1ad773957 (diff) | |
libxt_connlimit: add a --connlimit-upto option
Direct specifications like "upto" are easier to grasp than "not
above". This patch adds such an upto variant similar to what
libxt_hashlimit already has.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'extensions/libxt_connlimit.man')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | extensions/libxt_connlimit.man | 9 |

1 files changed, 6 insertions, 3 deletions
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man index f8f9c7b8..ecc80272 100644 --- a/extensions/libxt_connlimit.man +++ b/extensions/libxt_connlimit.man @@ -1,8 +1,11 @@ Allows you to restrict the number of parallel connections to a server per client IP address (or client address block). .TP -[\fB!\fP] \fB\-\-connlimit\-above\fP \fIn\fP -Match if the number of existing connections is (not) above \fIn\fP. +\fB\-\-connlimit\-upto\fP \fIn\fP +Match if the number of existing connections is below or equal \fIn\fP. +.TP +\fB\-\-connlimit\-above\fP \fIn\fP +Match if the number of existing connections is above \fIn\fP. .TP \fB\-\-connlimit\-mask\fP \fIprefix_length\fP Group hosts using the prefix length. For IPv4, this must be a number between @@ -15,7 +18,7 @@ Examples: iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT .TP # you can also match the other way around: -iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit ! \-\-connlimit\-above 2 \-j ACCEPT +iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT .TP # limit the number of parallel HTTP requests to 16 per class C sized \ network (24 bit netmask) |
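Review bot: in the first hunk (`@@ -1,8 +1,11 @@`) the `[\fB!\fP]` prefix is dropped from the `\-\-connlimit\-above` entry, so the man page no longer says whether the negated form `! --connlimit-above n` is still accepted; the old example in this same file used exactly that spelling, so existing rulesets may depend on it. If the negated form remains valid, keep `[\fB!\fP]` on the `\-\-connlimit\-above` line or add one sentence stating that `\-\-connlimit\-upto n` is its equivalent; either way, say explicitly that the two options are complements (`upto n` matches when the count is at most n, `above n` when it exceeds n) so a reader can see they cover every count. Minor wording: "below or equal \fIn\fP" reads better as "less than or equal to \fIn\fP".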
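Review bot: in the second hunk (`@@ -15,7 +18,7 @@`) the only example of the negated form, `! \-\-connlimit\-above 2 \-j ACCEPT`, is replaced by `\-\-connlimit\-upto 2 \-j ACCEPT`, but the preceding comment `# you can also match the other way around:` is kept unchanged and now has no `!` syntax to contrast with. Reword the comment to describe the rule's effect, for example `# accept new connections while at most 2 are open:`, or show both spellings of the rule so the examples document that `\-\-connlimit\-upto 2` and `! \-\-connlimit\-above 2` select the same packets.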