author Jan Engelhardt <jengelh@computergmbh.de> 2008-01-31 04:48:13 -0800
committer David S. Miller <davem@davemloft.net> 2008-01-31 19:28:04 -0800
commit 09e410def6432458c7d7e771a1807b157f4c2577
tree 409cb903573639d08b3dbe0418477a0ac6e87eee /net/netfilter/x_tables.c
parent d33b7c06bd721e21534c120d1c4a5944dc3eb9ce
[NETFILTER]: xt_hashlimit match, revision 1

Introduces the xt_hashlimit match revision 1. It adds support for
kernel-level inversion and grouping source and/or destination IP
addresses, allowing to limit on a per-subnet basis. While this would
technically obsolete xt_limit, xt_hashlimit is more expensive due
to the hashbucketing.

Kernel-level inversion: Previously you had to do user-level inversion:

	iptables -N foo
	iptables -A foo -m hashlimit --hashlimit(-upto) 5/s -j RETURN
	iptables -A foo -j DROP
	iptables -A INPUT -j foo

now it is simpler:

	iptables -A INPUT -m hashlimit --hashlimit-over 5/s -j DROP

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'net/netfilter/x_tables.c')
0 files changed, 0 insertions, 0 deletions
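
As an added illustration (not code from this commit or from the kernel), the simplified C model below shows the two behaviours the commit message describes: grouping source addresses by prefix so the limit applies per subnet, and an inverted match that drops the same packets as the older four-rule chain. The token-bucket arithmetic, table size, function names and the packet trace are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define SLOTS 64 /* assumption: more slots than groups in the constructed trace */

struct bucket { bool used; uint32_t key; double tokens; uint64_t last_ms; };
struct limiter { uint32_t mask; double rate, burst; struct bucket b[SLOTS]; };

/* True while the packet's group (masked source address) is within its rate. */
static bool under_limit(struct limiter *l, uint32_t saddr, uint64_t now_ms)
{
    uint32_t key = saddr & l->mask;             /* per-subnet grouping */
    unsigned i = (key * 2654435761u) % SLOTS;
    while (l->b[i].used && l->b[i].key != key)  /* linear probing */
        i = (i + 1) % SLOTS;
    struct bucket *b = &l->b[i];
    if (!b->used)
        *b = (struct bucket){ true, key, l->burst, now_ms };
    b->tokens += (now_ms - b->last_ms) / 1000.0 * l->rate; /* refill */
    if (b->tokens > l->burst)
        b->tokens = l->burst;
    b->last_ms = now_ms;
    if (b->tokens < 1.0)
        return false;                           /* over the limit, nothing consumed */
    b->tokens -= 1.0;
    return true;
}

/* invert=false models --hashlimit-upto, invert=true models --hashlimit-over. */
static bool hashlimit_match(struct limiter *l, uint32_t saddr, uint64_t ms, bool invert)
{
    return under_limit(l, saddr, ms) != invert;
}

/* Drops over a constructed trace at 5/s, burst 5, grouping sources by /prefix. */
static int demo_drops(bool over, unsigned prefix)
{
    struct limiter l = { .mask = prefix ? ~0u << (32 - prefix) : 0, .rate = 5.0, .burst = 5.0 };
    int drops = 0;
    for (int n = 0; n < 10; n++) { /* 8 pkts from 192.0.2.1/.2 at t=0, 2 from 192.0.2.9 at t=1s */
        uint32_t saddr = n < 8 ? 0xC0000201u + (n & 1) : 0xC0000209u;
        uint64_t ms = n < 8 ? 0 : 1000;
        if (over)   /* single rule: --hashlimit-over ... -j DROP */
            drops += hashlimit_match(&l, saddr, ms, true);
        else        /* chain foo: upto -> RETURN, otherwise DROP */
            drops += !hashlimit_match(&l, saddr, ms, false);
    }
    return drops;
}
```

With a /24 grouping the two hosts share one bucket, so both rule styles drop the same three packets of the initial burst; with /32 each host has its own bucket and nothing is dropped.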