summaryrefslogtreecommitdiffstats
path: root/extensions/libxt_hashlimit.c
Commit message (Collapse)AuthorAgeFilesLines
* build: resolve compile abort in libxt_limit on RHEL5Jan Engelhardt2012-10-101-0/+2
| | | | | | | | | | | | | | | | | | libxt_limit.c: In function 'print_rate': libxt_limit.c:124: error: 'INFINITY' undeclared (first use in this function) The default mode of glibc-2.15's <features.h> sets "-D_POSIX_C_SOURCE=200809L", and therefore "-D_ISOC99_SOURCE". However, on þe olde RHEL 5's glibc-2.5, it only has "-D_POSIX_C_SOURCE=200112L". Explicitly draw in the definition of INFINITY by always defining _ISOC99_SOURCE. By doing this, we are moving off of the default set, so _BSD_SOURCE also needs to be explicitly set to get at IFNAMSIZ that is used in xt_hashlimit.h. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_*limit: avoid division by zeroJan Engelhardt2012-07-311-5/+12
| | | | | | | | | | | | It was possible to specify -A mychain -m hashlimit --hashlimit 600059/minute; this would convert to r->avg=0, which subsequently causes a division by zero when printing with -S mychain. 1. Avoid division by zero in print_rate by printing infinity instead. 2. Rewrite the test in parse_rate to properly reject too high rates. Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* libxt_hashlimit: add support for byte-based operationFlorian Westphal2012-07-141-11/+160
| | | | | | | | | | | | | | allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ] to make hashlimit match when X bytes/second are exceeded; optionally, Y bytes will not be matched (i.e. bursted). [ Pablo fixed minor compilation warning in this patch with gcc-4.6 and x86_64 ] libxt_hashlimit.c: In function ‘parse_bytes’: libxt_hashlimit.c:216:6: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t’ [-Wformat] Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_hashlimit: observe new default gc-expire time when savingJan Engelhardt2011-08-211-13/+20
| | | | | | | | Since a while, --htable-gc-expire defaults to the chosen time quantum instead of 10 fixed seconds, which leads the expiry value to be always printed, which is redundant. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: remove inversion from hashlimit rev 0Jan Engelhardt2011-08-211-11/+2
| | | | | | | Revision 0 indeed did not have inversion support, nor presence of --hashlimit-above. This glitch was added in v1.4.11~16^2~10. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: default htable-expire must be in millisecondsJan Engelhardt2011-08-211-2/+2
| | | | | | Bug goes back to v1.4.12~3^2~11. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: use a more obvious expiry value by defaultJan Engelhardt2011-06-221-16/+41
| | | | | | | | | | Due to the previous default expiry of 10 sec, "--hashlimit 1/min" would allow matching up to 6/min if a properly timed. To do what the user expects, the minimum expiry must equal the selected time quantum however. Cc: Jan Rovner <jan.rovner@diadema.cz> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: use guided option parserJan Engelhardt2011-05-091-290/+129
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove redundant init functionsJan Engelhardt2011-02-191-1/+0
| | | | | | The main program already zeroes the per-extension data block. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: do not print trailing whitespacesJan Engelhardt2011-01-311-38/+38
| | | | | | | | | | | | | | | | | Due to the use of printf("foobar "), iptables emits spaces at the end-of-line, which looks odd to some users because it causes the terminal to wrap even if there is seemingly nothing to print. It may also have other points of annoyance, such as mailers interpreting a trailing space as an indicator that the paragraph continues when format=flowed is also on. And git highlights trailing spaces in red, so let's avoid :) Preexisting inconsistencies in outputting spaces in the right spot are also addressed right away. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove no longer necessary default: casesJan Engelhardt2011-01-081-2/+0
| | | | | | | Match and target parse functions now only get option characters they have defined themselves. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: use C99/POSIX typesJan Engelhardt2011-01-081-5/+5
| | | | | | "u_int" was a non-standardized extension predating C99 on some platforms. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* all: consistent syntax use in struct optionJan Engelhardt2010-07-231-10/+10
| | | | | | Try to inhibit copypasting old stuff. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: always print burst valueJan Engelhardt2010-06-241-4/+2
| | | | | | | | iptables -L lists the burst value, and so should iptables -S. I was certainly surprised to see it gone even when explicitly specifying --hashlimit-burst 5 on the command line. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables/extensions: make bundled options work againJan Engelhardt2009-11-031-8/+8
| | | | | | | | | | | | | When using a bundled option like "-ptcp", 'argv[optind-1]' would logically point to "-ptcp", but this is obviously not right. 'optarg' is needed instead, which if properly offset to "tcp". Not all places change optind-based access to optarg; where look-ahead is needed, such as for tcp's --tcp-flags option for example, optind is ok. References: http://bugzilla.netfilter.org/show_bug.cgi?id=611 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: hand argv to xtables_check_inverseJan Engelhardt2009-11-031-8/+8
| | | | | | | | | In going to fix NF bug #611, "argv" is needed in xtables_check_inverse to set "optarg" to the right spot in case of an intrapositional negation. References: http://bugzilla.netfilter.org/show_bug.cgi?id=611 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: collapse data variables to use multi-reg callsJan Engelhardt2009-06-261-49/+47
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: collapse registration structuresJan Engelhardt2009-06-261-18/+1
| | | | | | | | | | | | There are no different code paths between IPV4 and IPV6, so data can be consolidated here. text data bss dec hex filename 243757 12212 2576 258545 3f1f1 ip6tables-static[before.i586] 243613 9428 2576 255617 3e681 ip6tables-static[after.i586] -144 -2784 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: replace open-coded sizeof by ARRAY_SIZEJan Engelhardt2009-05-261-2/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add const qualifiers in print/save functionsJan Engelhardt2009-05-261-4/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: add missing space for iptables-save outputJan Engelhardt2009-03-241-1/+1
| | | | | Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=568 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix exit_error to xtables_errorJan Engelhardt2009-02-211-16/+16
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - move check_inverse to xtables.cJan Engelhardt2009-01-301-8/+8
| | | | | | | This also adds a warning that intrapositional negation support is deprecated. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - param_actJan Engelhardt2009-01-301-29/+29
| | | | | | | | Changes: exittype -> xtables_exittype P_* -> XTF_* flags Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - strtouiJan Engelhardt2009-01-271-12/+12
| | | | | | This commit also throws out the redundant string_to_number_*. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: use UINT_MAX constants over open-coded numbers (2/2)Jan Engelhardt2009-01-271-8/+8
| | | | | | Use the handy constants for ranges. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: use NFPROTO_ constantsJan Engelhardt2008-11-181-4/+4
| | | | | | | | Resync netfilter.h from the latest kernel and make use of the new NFPROTO_ constants that have been introduced. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: update comments part IIJan Engelhardt2008-09-041-2/+2
| | | | | | | | A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: Update commentsJan Engelhardt2008-09-011-7/+0
| | | | | | | | A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-save: fix hashlimit outputPhil Oester2008-08-041-1/+1
| | | | | | | | | In bugzilla 550, Xeb notes that the --hashlimit-htable-gcinterval argument is saved incorrectly. Patch below corrects. Patch-from: Xeb <xeb@mail.ru> Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: remove dependency on libiptc headersJan Engelhardt2008-08-041-0/+1
| | | | | | | | xtables.h does not need really need libxtc.h, and we can drop it from the install as it is internal-only. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Remove old functions, constantsJan Engelhardt2008-04-151-7/+7
|
* Add support for xt_hashlimit match revision 1Jan Engelhardt2008-04-131-27/+371
|
* Fix -Wshadow warnings and clean up xt_sctp.hJan Engelhardt2008-04-061-2/+2
| | | | | Note: xt_sctp.h is still not merged upstream in the kernel as of this commit. But a refactoring was really needed.
* fix gcc warningsMax Kellermann2008-01-291-1/+1
| | | | Max Kellermann <max@duempel.org>
* libxt_hashlimit checksJan Engelhardt2008-01-201-0/+17
| | | | | | Add checks for libxt_hashlimit so that options cannot be passed twice Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* Unique symbols 1/6Jan Engelhardt2007-10-041-32/+27
| | | | | | | | | | | Give symbols of libxt matches unique names (1/3). Adds unique prefixes to all functions (most of them - especially the hook functions) so that debugging programs can unambiguously map a symbol to an address. Also unifies the names of the xtables_match/xtables_target structs, (based upon libxt_connmark.c/libip6t_*.c). Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Constify data structuresJan Engelhardt2007-10-041-1/+1
| | | | | | Constify more data structures. Make functions static. Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Fix sparse warnings: non-ANSI function declarations, 0 used as pointerPatrick McHardy2007-09-081-9/+9
|
* Remove last vestiges of NFC (Peter Riley <Peter.Riley@hotpop.com>)Peter Riley2007-09-021-2/+1
|
* Unifies libip[6]t_hashlimit into libxt_hashlimitYasuyuki KOZAKAI2007-08-041-0/+386