author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-08-03 15:50:03 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-09-23 12:16:13 +0200 |
commit | 6615676d825e02d271fe7a9ca78a77ac3773ab93 (patch) | |
tree | 4b87a754e50301cb2f8c6c47e44670cc6a27356f /include | |
parent | 5174b6850291b67769ebd018e5c90837897969c2 (diff) |
src: add per-bytes limit
This example shows how to accept packets below the rate limit:
... limit rate 1024 mbytes/second counter accept
You need a Linux kernel >= 4.3-rc1.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/datatype.h | 4 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 9 | ||||
-rw-r--r-- | include/statement.h | 1 |
3 files changed, 14 insertions, 0 deletions
diff --git a/include/datatype.h b/include/datatype.h
index 2a6a4fca..ebafa655 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -235,4 +235,8 @@ extern void time_print(uint64_t seconds);
 extern struct error_record *time_parse(const struct location *loc,
  const char *c, uint64_t *res);

+extern struct error_record *rate_parse(const struct location *loc,
+ const char *str, uint64_t *rate,
+ uint64_t *unit);
+
 #endif /* NFTABLES_DATATYPE_H */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 33056dc2..db0457d9 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -747,16 +747,25 @@ enum nft_ct_attributes {
 };
 #define NFTA_CT_MAX (__NFTA_CT_MAX - 1)

+enum nft_limit_type {
+ NFT_LIMIT_PKTS,
+ NFT_LIMIT_PKT_BYTES
+};
+
 /**
  * enum nft_limit_attributes - nf_tables limit expression netlink attributes
  *
  * @NFTA_LIMIT_RATE: refill rate (NLA_U64)
  * @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
+ * @NFTA_LIMIT_BURST: burst (NLA_U32)
+ * @NFTA_LIMIT_TYPE: type of limit (NLA_U32: enum nft_limit_type)
  */
 enum nft_limit_attributes {
  NFTA_LIMIT_UNSPEC,
  NFTA_LIMIT_RATE,
  NFTA_LIMIT_UNIT,
+ NFTA_LIMIT_BURST,
+ NFTA_LIMIT_TYPE,
  __NFTA_LIMIT_MAX
 };
 #define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)
diff --git a/include/statement.h b/include/statement.h
index 48e61307..d2d0852e 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -51,6 +51,7 @@ extern struct stmt *log_stmt_alloc(const struct location *loc);
 struct limit_stmt {
  uint64_t rate;
  uint64_t unit;
+ enum nft_limit_type type;
 };

 extern struct stmt *limit_stmt_alloc(const struct location *loc);
|
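Review bot: The new `rate_parse()` prototype in include/datatype.h states nothing about its contract, and its two `uint64_t *` out-parameters are easy to misuse without one. A short comment above it should say what `*rate` and `*unit` receive (the commit message's `1024 mbytes/second` suggests a size and a time interval, but the header does not name the base units) and what the return value means, for example `/* Parse a rate string; on success fills *rate and *unit (return convention to be confirmed against the implementation). */`. The implementation is outside this include-only view, so it is worth confirming there that a scaled value which does not fit in 64 bits is rejected with an error record rather than wrapped. A wrapped rate would install a limit very different from the one written in the rule.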
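Review bot: In include/statement.h the new `type` member of `struct limit_stmt` is undocumented, although the meaning of `rate` now depends on it. A trailing comment would make that explicit, such as `enum nft_limit_type type; /* NFT_LIMIT_PKTS: rate counts packets; NFT_LIMIT_PKT_BYTES: rate counts bytes */`. `NFT_LIMIT_PKTS` is the first enumerator and therefore 0, so existing packet-based rules keep their meaning only if `limit_stmt_alloc()` zero-initialises the statement, which is not visible here. The commit message requires a kernel >= 4.3-rc1, so it is worth confirming that loading a byte-based limit on an older kernel fails with an error. If it were instead accepted as a packet limit, the rule would enforce something other than what was written.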