diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-05-31 18:08:06 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-06-06 15:49:47 +0200 |
commit | 57e4a095edc4dab19e14fc8d1bca3febde1ca86c (patch) | |
tree | c51aaa1f1d3a6d1b42d2ee3da073b46289524ea5 /include | |
parent | 3384849c113b1ec3906c7a22cc71d708aae1218e (diff) |
src: connlimit support
This patch adds support for the new connlimit stateful expression, that
provides a mapping with the connlimit iptables extension through meters.
eg.
nft add rule filter input tcp dport 22 \
meter test { ip saddr ct count over 2 } counter reject
This limits the maximum amount incoming of SSH connections per source
address up to 2 simultaneous connections.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 21 | ||||
-rw-r--r-- | include/statement.h | 10 |
2 files changed, 30 insertions, 1 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 51d54d67..40d43271 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -1018,6 +1018,24 @@ enum nft_limit_attributes { }; #define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1) +enum nft_connlimit_flags { + NFT_CONNLIMIT_F_INV = (1 << 0), +}; + +/** + * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes + * + * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32) + * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags) + */ +enum nft_connlimit_attributes { + NFTA_CONNLIMIT_UNSPEC, + NFTA_CONNLIMIT_COUNT, + NFTA_CONNLIMIT_FLAGS, + __NFTA_CONNLIMIT_MAX +}; +#define NFTA_CONNLIMIT_MAX (__NFTA_CONNLIMIT_MAX - 1) + /** * enum nft_counter_attributes - nf_tables counter expression netlink attributes * @@ -1328,7 +1346,8 @@ enum nft_ct_helper_attributes { #define NFT_OBJECT_QUOTA 2 #define NFT_OBJECT_CT_HELPER 3 #define NFT_OBJECT_LIMIT 4 -#define __NFT_OBJECT_MAX 5 +#define NFT_OBJECT_CONNLIMIT 5 +#define __NFT_OBJECT_MAX 6 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) /** diff --git a/include/statement.h b/include/statement.h index de26549b..d4bcaf3a 100644 --- a/include/statement.h +++ b/include/statement.h @@ -25,6 +25,13 @@ struct objref_stmt { const char *objref_type_name(uint32_t type); struct stmt *objref_stmt_alloc(const struct location *loc); +struct connlimit_stmt { + uint32_t count; + uint32_t flags; +}; + +extern struct stmt *connlimit_stmt_alloc(const struct location *loc); + struct counter_stmt { uint64_t packets; uint64_t bytes; @@ -247,6 +254,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc); * @STMT_OBJREF: stateful object reference statement * @STMT_EXTHDR: extension header statement * @STMT_FLOW_OFFLOAD: flow offload statement + * @STMT_CONNLIMIT: connection limit statement * @STMT_MAP: map statement */ enum stmt_types { @@ -272,6 +280,7 @@ enum stmt_types { STMT_OBJREF, STMT_EXTHDR, STMT_FLOW_OFFLOAD, + STMT_CONNLIMIT, STMT_MAP, }; @@ -318,6 +327,7 @@ struct stmt { struct expr *expr; struct exthdr_stmt exthdr; struct meter_stmt meter; + struct connlimit_stmt connlimit; struct counter_stmt counter; struct payload_stmt payload; struct meta_stmt meta; |