author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-08-26 11:19:18 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-08-29 20:30:28 +0200 |
commit | 1ed9a3726c01fda218f37b7f4555c8b7106521ef (patch) | |
tree | 6bfab3347d55dceb89f1f1845a63de6c3f4160bd /include/statement.h | |
parent | d089630ecbc783d7f0c6df972033694b1671c009 (diff) |
src: add quota statement
This new statement is stateful, so it can be used from flow tables, e.g.
# nft add rule filter input \
flow table http { ip saddr timeout 60s quota over 50 mbytes } drop
This basically sets a quota per source IP address of 50 mbytes after
which packets are dropped. Note that the timeout releases the entry if
no traffic is seen from this IP after 60 seconds.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/statement.h')
-rw-r--r-- | include/statement.h | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/include/statement.h b/include/statement.h
index 1b215517..e278b706 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -105,6 +105,13 @@ struct queue_stmt {
 extern struct stmt *queue_stmt_alloc(const struct location *loc);
+struct quota_stmt {
+ uint64_t bytes;
+ uint32_t flags;
+};
+
+struct stmt *quota_stmt_alloc(const struct location *loc);
+
 #include <ct.h>
 struct ct_stmt {
 enum nft_ct_keys key;
@@ -200,6 +207,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc);
 * @STMT_DUP: dup statement
 * @STMT_FWD: forward statement
 * @STMT_XT: XT statement
+ * @STMT_QUOTA: quota statement
 */
 enum stmt_types {
 STMT_INVALID,
@@ -221,6 +229,7 @@ enum stmt_types {
 STMT_DUP,
 STMT_FWD,
 STMT_XT,
+ STMT_QUOTA,
 };
 /**
@@ -272,6 +281,7 @@ struct stmt {
 struct masq_stmt masq;
 struct redir_stmt redir;
 struct queue_stmt queue;
+ struct quota_stmt quota;
 struct ct_stmt ct;
 struct set_stmt set;
 struct dup_stmt dup; |
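Review bot: The new prototype `struct stmt *quota_stmt_alloc(const struct location *loc);` in the first hunk drops the `extern` that the neighbouring `queue_stmt_alloc` and `xt_stmt_alloc` declarations carry; the storage class is redundant on a function prototype, but this header spells it consistently, so `extern struct stmt *quota_stmt_alloc(const struct location *loc);` would match. The two new fields of `struct quota_stmt` are also undocumented: `bytes` is evidently the byte budget from the commit message's `quota over 50 mbytes`, but nothing in the hunk says which bit values `flags` holds or whether it encodes the over/until direction of the rule syntax — presumably it mirrors the kernel's quota flag bits, which should be confirmed and stated in a comment such as `/* bytes: byte budget; flags: quota flag bits passed to the kernel (see nft_quota uapi) */`. Since the header fixes no range for `bytes`, any check that the unit-scaled value from the rule text fits in 64 bits has to live in the parser, outside this file.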