diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-09-07 10:22:18 (GMT) |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-09-12 16:49:50 (GMT) |
commit | dbd2be0646e3239022630c426cbceefa15714bca (patch) | |
tree | f3e2edf1b08504893250595b00df4c3681d2c2bb /crypto/rsa_helper.c | |
parent | 70ca767ea1b2748f45e96192400e515dddbe517c (diff) | |
download | linux-dbd2be0646e3239022630c426cbceefa15714bca.tar.xz |
netfilter: nft_dynset: allow to invert match criteria
The dynset expression matches if we can fit a new entry into the set.
If there is no room for it, then it breaks the rule evaluation.
This patch introduces the inversion flag so you can add rules to
explicitly drop packets that don't fit into the set. For example:
# nft filter input flow table xyz size 4 { ip saddr timeout 120s counter } overflow drop
This is useful to provide a replacement for connlimit.
For the rule above, every new entry uses the IPv4 address as key in the
set, this entry gets a timeout of 120 seconds that gets refresh on every
packet seen. If we get new flow and our set already contains 4 entries
already, then this packet is dropped.
You can already express this in positive logic, assuming default policy
to drop:
# nft filter input flow table xyz size 4 { ip saddr timeout 10s counter } accept
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'crypto/rsa_helper.c')
0 files changed, 0 insertions, 0 deletions