author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-05-31 18:08:06 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-06-06 15:49:47 +0200 |
commit | 57e4a095edc4dab19e14fc8d1bca3febde1ca86c (patch) | |
tree | c51aaa1f1d3a6d1b42d2ee3da073b46289524ea5 /src/netlink_linearize.c | |
parent | 3384849c113b1ec3906c7a22cc71d708aae1218e (diff) |
src: connlimit support
This patch adds support for the new connlimit stateful expression, that
provides a mapping with the connlimit iptables extension through meters.
eg.
nft add rule filter input tcp dport 22 \
meter test { ip saddr ct count over 2 } counter reject
This limits the maximum number of incoming SSH connections per source
address to 2 simultaneous connections.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_linearize.c')
-rw-r--r-- | src/netlink_linearize.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 2ab8accf..13c3564f 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -734,6 +734,21 @@ static void netlink_gen_objref_stmt(struct netlink_linearize_ctx *ctx,
 }
 
 static struct nftnl_expr *
+netlink_gen_connlimit_stmt(struct netlink_linearize_ctx *ctx,
+			   const struct stmt *stmt)
+{
+	struct nftnl_expr *nle;
+
+	nle = alloc_nft_expr("connlimit");
+	nftnl_expr_set_u32(nle, NFTNL_EXPR_CONNLIMIT_COUNT,
+			   stmt->connlimit.count);
+	nftnl_expr_set_u32(nle, NFTNL_EXPR_CONNLIMIT_FLAGS,
+			   stmt->connlimit.flags);
+
+	return nle;
+}
+
+static struct nftnl_expr *
 netlink_gen_counter_stmt(struct netlink_linearize_ctx *ctx,
 			 const struct stmt *stmt)
 {
@@ -789,6 +804,8 @@ netlink_gen_stmt_stateful(struct netlink_linearize_ctx *ctx,
 			  const struct stmt *stmt)
 {
 	switch (stmt->ops->type) {
+	case STMT_CONNLIMIT:
+		return netlink_gen_connlimit_stmt(ctx, stmt);
 	case STMT_COUNTER:
 		return netlink_gen_counter_stmt(ctx, stmt);
 	case STMT_LIMIT:
@@ -1269,6 +1286,7 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
 		return netlink_gen_set_stmt(ctx, stmt);
 	case STMT_FWD:
 		return netlink_gen_fwd_stmt(ctx, stmt);
+	case STMT_CONNLIMIT:
 	case STMT_COUNTER:
 	case STMT_LIMIT:
 	case STMT_QUOTA:
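Review bot: netlink_gen_connlimit_stmt has no header comment, and nothing in the function records that stmt->connlimit.count and stmt->connlimit.flags are copied into the netlink expression as-is, so a reader cannot tell from this file where those values were validated. I would add above the definition: `/* Emit a connlimit expression from stmt->connlimit; count and flags are passed through unchanged and are assumed to have been checked during evaluation. Dispatched via netlink_gen_stmt_stateful, so the expression is generated inside a meter rather than as a standalone rule statement. */`. The alloc_nft_expr() result is used without a NULL check, which matches the neighbouring generators and presumably relies on an abort-on-OOM allocator, but that convention is not visible in the hunk and would be worth a word in the same comment. The second and third hunks only wire the new STMT_CONNLIMIT case into the existing dispatch; the body of netlink_gen_stmt that the fallthrough reaches lies outside the hunk.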