The following example allows you to make up to two ssh connections per
destination host:

  nft add table x
  nft add chain x y { type filter hook output priority 0\; }
  nft add rule x y tcp dport 22 meter prueba { ip daddr ct count over 2 } counter reject

Internally, there is a hashtable per meter. Then, each element in the
hashtable has a list of connections per key - destination address in the
example above.

Semantics are equivalent to those of connlimit; one exception is that the
element is released once the list of connections becomes empty. This is
done from the garbage collector, instead of doing it from the packet path.
I think this should be fine since it should allow us to also convert the
list to use RCU and cache the number of elements from the garbage
collector path, when searching for empty lists.

Pablo Neira Ayuso (6):
  netfilter: nf_tables: pass context to object destroy indirection
  netfilter: nf_conncount: expose connection list interface
  netfilter: nf_tables: pass ctx to nf_tables_expr_destroy()
  netfilter: nf_tables: garbage collection of stale expressions
  netfilter: nf_tables: add destroy_clone expression
  netfilter: nf_tables: add connlimit support

 include/net/netfilter/nf_conntrack_count.h |  15 ++
 include/net/netfilter/nf_tables.h          |  13 +-
 include/uapi/linux/netfilter/nf_tables.h   |  21 +-
 net/netfilter/Kconfig                      |   9 +
 net/netfilter/Makefile                     |   1 +
 net/netfilter/nf_conncount.c               |  68 +++++--
 net/netfilter/nf_tables_api.c              |  38 ++--
 net/netfilter/nft_connlimit.c              | 308 +++++++++++++++++++++++++++++
 net/netfilter/nft_counter.c                |   4 +-
 net/netfilter/nft_ct.c                     |   3 +-
 net/netfilter/nft_dynset.c                 |   9 +
 net/netfilter/nft_set_hash.c               |  22 ++-
 12 files changed, 473 insertions(+), 38 deletions(-)
 create mode 100644 net/netfilter/nft_connlimit.c

-- 
2.11.0
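To make the semantics in the cover letter concrete, here is a small added model (not the kernel's nft_connlimit or nf_conncount code, and not part of the original mail) of what the meter rule above does: one hashtable per meter, each key (destination address) holding a list of tracked connections, a packet path that rejects a new connection when the live count would go over the limit, and a separate garbage-collector pass that prunes dead connections and releases elements whose list became empty. The class and function names, the "closed" flag standing in for an expired conntrack entry, and the sample connections are all constructed for this illustration.

```python
"""Model of 'meter prueba { ip daddr ct count over LIMIT } counter reject'.

Assumptions (not taken from the kernel code): a Conn whose conntrack entry has
gone away is marked closed=True, and the only things the packet path does are
count live connections under the key and append the new one; releasing an
empty element is left to gc(), as the cover letter describes.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Conn:
    src: str
    sport: int
    dst: str
    dport: int
    closed: bool = False  # True once the conntrack entry has expired (constructed flag)

    def key(self) -> Tuple[str, int, str, int]:
        return (self.src, self.sport, self.dst, self.dport)


class ConnLimitMeter:
    """One meter: hashtable keyed by destination address -> list of connections."""

    def __init__(self, limit: int):
        self.limit = limit
        self.table: Dict[str, List[Conn]] = {}  # hashtable per meter
        self.rejected = 0                        # what the 'counter' before 'reject' sees

    def packet(self, conn: Conn) -> str:
        """Packet path: prune dead entries under this key, then accept or reject.

        The element itself is never released here, even if the list is empty;
        that is the garbage collector's job (the difference from connlimit).
        """
        conns = self.table.setdefault(conn.dst, [])
        conns[:] = [c for c in conns if not c.closed]
        if any(c.key() == conn.key() for c in conns):
            return "accept"  # packet on an already-tracked connection
        # 'ct count over LIMIT' matches when adding this connection exceeds the limit
        if len(conns) + 1 > self.limit:
            self.rejected += 1
            return "reject"
        conns.append(conn)
        return "accept"

    def gc(self) -> List[str]:
        """Garbage collector: drop closed connections, release empty elements.

        Returns the keys that were released, sorted for determinism.
        """
        released = []
        for dst in list(self.table):
            self.table[dst] = [c for c in self.table[dst] if not c.closed]
            if not self.table[dst]:
                del self.table[dst]
                released.append(dst)
        return sorted(released)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Three ssh connections to one host, then expiry and a gc pass.

    Returns (verdicts, keys released by gc, keys still in the table).
    """
    meter = ConnLimitMeter(limit=2)
    # constructed sample: three new connections from one client to 192.0.2.10:22
    conns = [Conn("10.0.0.1", 40000 + i, "192.0.2.10", 22) for i in range(3)]
    verdicts = [meter.packet(c) for c in conns]          # accept, accept, reject
    verdicts.append(meter.packet(Conn("10.0.0.1", 40010, "192.0.2.20", 22)))  # other host
    for c in conns[:2]:
        c.closed = True                                  # first two sessions end
    verdicts.append(meter.packet(conns[2]))              # retry now fits under the limit
    conns[2].closed = True
    released = meter.gc()                                # 192.0.2.10 list is empty -> freed
    return verdicts, released, sorted(meter.table)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the verdict sequence, the key the collector released, and the key that survives because it still holds a live connection; a stale element therefore costs nothing on the packet path and disappears on the next collector run.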