* iptables: connlimit dstaddr support
@ 2011-01-19 17:32 Jan Engelhardt
  2011-01-19 17:32 ` [PATCH 1/3] libxt_connlimit: reword help text to say prefix length Jan Engelhardt
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Jan Engelhardt @ 2011-01-19 17:32 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel, jan.rovner


The following changes since commit 9c60365e043a430f74115bbfaf58ce0df7585f49:

  libxt_quota: print negation when it has been selected (2011-01-18 11:02:04 +0100)

are available in the git repository at:
  git://dev.medozas.de/iptables master

Jan Engelhardt (3):
      libxt_connlimit: reword help text to say prefix length
      libxt_connlimit: add a --connlimit-upto option
      libxt_connlimit: support for dstaddr-supporting revision 1

 extensions/libxt_connlimit.c           |  157 ++++++++++++++++++++++++--------
 extensions/libxt_connlimit.man         |   26 ++++-
 include/linux/netfilter/xt_connlimit.h |   14 +++-
 3 files changed, 152 insertions(+), 45 deletions(-)


* [PATCH 1/3] libxt_connlimit: reword help text to say prefix length
  2011-01-19 17:32 iptables: connlimit dstaddr support Jan Engelhardt
@ 2011-01-19 17:32 ` Jan Engelhardt
  2011-01-19 17:32 ` [PATCH 2/3] libxt_connlimit: add a --connlimit-upto option Jan Engelhardt
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2011-01-19 17:32 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel, jan.rovner

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_connlimit.c   |    2 +-
 extensions/libxt_connlimit.man |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index 85c0ca8..693adbf 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -15,7 +15,7 @@ static void connlimit_help(void)
 "connlimit match options:\n"
 "[!] --connlimit-above n        match if the number of existing "
 "                               connections is (not) above n\n"
-"    --connlimit-mask n         group hosts using mask\n");
+"    --connlimit-mask n         group hosts using prefix length (default: max len)\n");
 }
 
 static const struct option connlimit_opts[] = {
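Review bot: the new `--connlimit-mask` help line runs past 80 columns once printed, and "max len" does not tell the reader what the man page hunk spells out, namely that the default is the maximum prefix length for the protocol (32 for IPv4, 128 for IPv6). Consider narrowing the option column or wrapping the description onto a second help line so the default can be stated in full.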
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index c0246fd..f8f9c7b 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -6,7 +6,8 @@ Match if the number of existing connections is (not) above \fIn\fP.
 .TP
 \fB\-\-connlimit\-mask\fP \fIprefix_length\fP
 Group hosts using the prefix length. For IPv4, this must be a number between
-(including) 0 and 32. For IPv6, between 0 and 128.
+(including) 0 and 32. For IPv6, between 0 and 128. If not specified, the
+maximum prefix length for the applicable protocol is used.
 .P
 Examples:
 .TP
-- 
1.7.1



* [PATCH 2/3] libxt_connlimit: add a --connlimit-upto option
  2011-01-19 17:32 iptables: connlimit dstaddr support Jan Engelhardt
  2011-01-19 17:32 ` [PATCH 1/3] libxt_connlimit: reword help text to say prefix length Jan Engelhardt
@ 2011-01-19 17:32 ` Jan Engelhardt
  2011-01-19 17:32 ` [PATCH 3/3] libxt_connlimit: support for dstaddr-supporting revision 1 Jan Engelhardt
  2011-01-20 10:21 ` iptables: connlimit dstaddr support Patrick McHardy
  3 siblings, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2011-01-19 17:32 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel, jan.rovner

Direct specifications like "upto" are easier to grasp than "not
above". This patch adds such an upto variant similar to what
libxt_hashlimit already has.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_connlimit.c   |   70 ++++++++++++++++++++++++---------------
 extensions/libxt_connlimit.man |    9 +++--
 2 files changed, 49 insertions(+), 30 deletions(-)

diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index 693adbf..b249259 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -9,16 +9,22 @@
 #include <xtables.h>
 #include <linux/netfilter/xt_connlimit.h>
 
+enum {
+	FL_LIMIT = 1 << 0,
+	FL_MASK  = 1 << 1,
+};
+
 static void connlimit_help(void)
 {
 	printf(
 "connlimit match options:\n"
-"[!] --connlimit-above n        match if the number of existing "
-"                               connections is (not) above n\n"
-"    --connlimit-mask n         group hosts using prefix length (default: max len)\n");
+"  --connlimit-upto n     match if the number of existing connections is 0..n\n"
+"  --connlimit-above n    match if the number of existing connections is >n\n"
+"  --connlimit-mask n     group hosts using prefix length (default: max len)\n");
 }
 
 static const struct option connlimit_opts[] = {
+	{.name = "connlimit-upto",  .has_arg = true, .val = 'U'},
 	{.name = "connlimit-above", .has_arg = true, .val = 'A'},
 	{.name = "connlimit-mask",  .has_arg = true, .val = 'M'},
 	XT_GETOPT_TABLEEND,
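Review bot: the help text drops the `[!]` marker from `--connlimit-above`, yet the parser in the next hunk still acts on `invert` in both the `'A'` and `'U'` cases, so the inverted forms remain accepted but are no longer documented. Either keep `[!]` in the help output or reject inversion for these options with `XTF_NO_INVERT`, as the same patch does for `--connlimit-mask`.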
@@ -61,21 +67,28 @@ static int connlimit_parse(int c, char **argv, int invert, unsigned int *flags,
 	int i;
 
 	switch (c) {
-	case 'A':
-		if (*flags & 0x1)
-			xtables_error(PARAMETER_PROBLEM,
-				"--connlimit-above may be given only once");
-		*flags |= 0x1;
-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
-		info->limit   = strtoul(optarg, NULL, 0);
-		info->inverse = invert;
-		break;
-	case 'M':
-		if (*flags & 0x2)
-			xtables_error(PARAMETER_PROBLEM,
-				"--connlimit-mask may be given only once");
-
-		*flags |= 0x2;
+	case 'A': /* --connlimit-above */
+		xtables_param_act(XTF_ONLY_ONCE, "connlimit",
+			"--connlimit-{upto,above}", *flags & FL_LIMIT);
+		*flags |= FL_LIMIT;
+		if (invert)
+			info->inverse = true;
+		info->limit = strtoul(optarg, NULL, 0);
+		return true;
+	case 'U': /* --connlimit-upto */
+		xtables_param_act(XTF_ONLY_ONCE, "connlimit",
+			"--connlimit-{upto,above}", *flags & FL_LIMIT);
+		*flags |= FL_LIMIT;
+		if (!invert)
+			info->inverse = true;
+		info->limit = strtoul(optarg, NULL, 0);
+		return true;
+	case 'M': /* --connlimit-mask */
+		xtables_param_act(XTF_NO_INVERT, "connlimit",
+			"--connlimit-mask", invert);
+		xtables_param_act(XTF_ONLY_ONCE, "connlimit",
+			"--connlimit-mask", *flags & FL_MASK);
+		*flags |= FL_MASK;
 		i = strtoul(optarg, &err, 0);
 		if (family == NFPROTO_IPV6) {
 			if (i > 128 || *err != '\0')
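Review bot: the new `'U'` case copies `info->limit = strtoul(optarg, NULL, 0);` with no end-pointer or range check, so a non-numeric argument is silently parsed as 0 and a typo can install a rule whose limit is not what the administrator intended. The `'M'` case right below already tests `*err`; doing the same for both limit options, or using `xtables_strtoui()`, would turn a malformed limit into a parameter error. The `'A'` and `'U'` bodies also differ only in the sense of the `invert` test and could share one code path.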
@@ -93,10 +106,9 @@ static int connlimit_parse(int c, char **argv, int invert, unsigned int *flags,
 			else
 				info->v4_mask = htonl(0xFFFFFFFF << (32 - i));
 		}
-		break;
+		return true;
 	}
-
-	return 1;
+	return false;
 }
 
 static int connlimit_parse4(int c, char **argv, int invert,
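Review bot: changing the fall-through result at the end of `connlimit_parse()` from `return 1` to `return false` alters what the function reports for an option it does not handle, which is independent of adding `--connlimit-upto` and is not mentioned in the commit message. Please call it out in the description or split it into its own patch.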
@@ -164,18 +176,22 @@ static void connlimit_save4(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_connlimit_info *info = (const void *)match->data;
 
-	printf("%s--connlimit-above %u --connlimit-mask %u ",
-	       info->inverse ? "! " : "", info->limit,
-	       count_bits4(info->v4_mask));
+	if (info->inverse)
+		printf("--connlimit-upto %u ", info->limit);
+	else
+		printf("--connlimit-above %u ", info->limit);
+	printf("--connlimit-mask %u ", count_bits4(info->v4_mask));
 }
 
 static void connlimit_save6(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_connlimit_info *info = (const void *)match->data;
 
-	printf("%s--connlimit-above %u --connlimit-mask %u ",
-	       info->inverse ? "! " : "", info->limit,
-	       count_bits6(info->v6_mask));
+	if (info->inverse)
+		printf("--connlimit-upto %u ", info->limit);
+	else
+		printf("--connlimit-above %u ", info->limit);
+	printf("--connlimit-mask %u ", count_bits6(info->v6_mask));
 }
 
 static struct xtables_match connlimit_mt_reg[] = {
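Review bot: `connlimit_save4()` and `connlimit_save6()` now print `--connlimit-upto` for every rule with `info->inverse` set, so saved output for a rule entered as `! --connlimit-above` can no longer be restored by an iptables build that predates this option. That compatibility change deserves a line in the commit message. The two bodies are identical apart from the `count_bits4`/`count_bits6` call and could share a helper.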
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index f8f9c7b..ecc8027 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -1,8 +1,11 @@
 Allows you to restrict the number of parallel connections to a server per
 client IP address (or client address block).
 .TP
-[\fB!\fP] \fB\-\-connlimit\-above\fP \fIn\fP
-Match if the number of existing connections is (not) above \fIn\fP.
+\fB\-\-connlimit\-upto\fP \fIn\fP
+Match if the number of existing connections is below or equal \fIn\fP.
+.TP
+\fB\-\-connlimit\-above\fP \fIn\fP
+Match if the number of existing connections is above \fIn\fP.
 .TP
 \fB\-\-connlimit\-mask\fP \fIprefix_length\fP
 Group hosts using the prefix length. For IPv4, this must be a number between
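Review bot: "below or equal \fIn\fP" in the new `--connlimit-upto` entry should read "less than or equal to \fIn\fP". The `[\fB!\fP]` prefix is also removed from `--connlimit-above` here, so if the parser keeps accepting inversion the page should still mention it.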
@@ -15,7 +18,7 @@ Examples:
 iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT
 .TP
 # you can also match the other way around:
-iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit ! \-\-connlimit\-above 2 \-j ACCEPT
+iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT
 .TP
 # limit the number of parallel HTTP requests to 16 per class C sized \
 network (24 bit netmask)
-- 
1.7.1



* [PATCH 3/3] libxt_connlimit: support for dstaddr-supporting revision 1
  2011-01-19 17:32 iptables: connlimit dstaddr support Jan Engelhardt
  2011-01-19 17:32 ` [PATCH 1/3] libxt_connlimit: reword help text to say prefix length Jan Engelhardt
  2011-01-19 17:32 ` [PATCH 2/3] libxt_connlimit: add a --connlimit-upto option Jan Engelhardt
@ 2011-01-19 17:32 ` Jan Engelhardt
  2011-01-20 10:21 ` iptables: connlimit dstaddr support Patrick McHardy
  3 siblings, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2011-01-19 17:32 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel, jan.rovner

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_connlimit.c           |   97 +++++++++++++++++++++++++++-----
 extensions/libxt_connlimit.man         |   14 ++++-
 include/linux/netfilter/xt_connlimit.h |   14 ++++-
 3 files changed, 106 insertions(+), 19 deletions(-)

diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index b249259..75eadf9 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -12,6 +12,7 @@
 enum {
 	FL_LIMIT = 1 << 0,
 	FL_MASK  = 1 << 1,
+	FL_ADDR  = 1 << 2,
 };
 
 static void connlimit_help(void)
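Review bot: `FL_ADDR` is added to the flag enum, but none of the hunks in this patch set or test it; the new `'s'` and `'d'` cases never touch `*flags`. Either use it for an `XTF_ONLY_ONCE` check on `--connlimit-{saddr,daddr}` or drop the enumerator.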
@@ -20,13 +21,17 @@ static void connlimit_help(void)
 "connlimit match options:\n"
 "  --connlimit-upto n     match if the number of existing connections is 0..n\n"
 "  --connlimit-above n    match if the number of existing connections is >n\n"
-"  --connlimit-mask n     group hosts using prefix length (default: max len)\n");
+"  --connlimit-mask n     group hosts using prefix length (default: max len)\n"
+"  --connlimit-saddr      select source address for grouping\n"
+"  --connlimit-daddr      select destination addresses for grouping\n");
 }
 
 static const struct option connlimit_opts[] = {
 	{.name = "connlimit-upto",  .has_arg = true, .val = 'U'},
 	{.name = "connlimit-above", .has_arg = true, .val = 'A'},
 	{.name = "connlimit-mask",  .has_arg = true, .val = 'M'},
+	{.name = "connlimit-saddr", .has_arg = false, .val = 's'},
+	{.name = "connlimit-daddr", .has_arg = false, .val = 'd'},
 	XT_GETOPT_TABLEEND,
 };
 
@@ -60,9 +65,12 @@ static void prefix_to_netmask(uint32_t *mask, unsigned int prefix_len)
 	mask[3] = htonl(mask[3]);
 }
 
-static int connlimit_parse(int c, char **argv, int invert, unsigned int *flags,
-                           struct xt_connlimit_info *info, unsigned int family)
+static int
+connlimit_parse(int c, char **argv, int invert, unsigned int *flags,
+                struct xt_entry_match **match, unsigned int family)
 {
+	struct xt_connlimit_info *info = (void *)(*match)->data;
+	const unsigned int revision = (*match)->u.user.revision;
 	char *err;
 	int i;
 
@@ -72,7 +80,7 @@ static int connlimit_parse(int c, char **argv, int invert, unsigned int *flags,
 			"--connlimit-{upto,above}", *flags & FL_LIMIT);
 		*flags |= FL_LIMIT;
 		if (invert)
-			info->inverse = true;
+			info->flags |= XT_CONNLIMIT_INVERT;
 		info->limit = strtoul(optarg, NULL, 0);
 		return true;
 	case 'U': /* --connlimit-upto */
@@ -80,7 +88,7 @@ static int connlimit_parse(int c, char **argv, int invert, unsigned int *flags,
 			"--connlimit-{upto,above}", *flags & FL_LIMIT);
 		*flags |= FL_LIMIT;
 		if (!invert)
-			info->inverse = true;
+			info->flags |= XT_CONNLIMIT_INVERT;
 		info->limit = strtoul(optarg, NULL, 0);
 		return true;
 	case 'M': /* --connlimit-mask */
@@ -107,6 +115,16 @@ static int connlimit_parse(int c, char **argv, int invert, unsigned int *flags,
 				info->v4_mask = htonl(0xFFFFFFFF << (32 - i));
 		}
 		return true;
+	case 's': /* --connlimit-saddr */
+		info->flags &= ~XT_CONNLIMIT_DADDR;
+		return true;
+	case 'd': /* --connlimit-daddr */
+		if (revision < 1)
+			xtables_error(PARAMETER_PROBLEM,
+				"xt_connlimit.0 does not support "
+				"--connlimit-daddr");
+		info->flags |= XT_CONNLIMIT_DADDR;
+		return true;
 	}
 	return false;
 }
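Review bot: the `'s'` and `'d'` cases neither reject `!` nor refuse being given together, unlike `--connlimit-mask`, which patch 2/3 guards with `XTF_NO_INVERT` and `XTF_ONLY_ONCE`. As written, `--connlimit-saddr --connlimit-daddr` silently resolves to whichever option comes last and `! --connlimit-daddr` behaves like the plain option; add the same `xtables_param_act()` checks here so an ambiguous rule is refused rather than guessed at.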
@@ -115,16 +133,14 @@ static int connlimit_parse4(int c, char **argv, int invert,
                             unsigned int *flags, const void *entry,
                             struct xt_entry_match **match)
 {
-	return connlimit_parse(c, argv, invert, flags,
-	       (void *)(*match)->data, NFPROTO_IPV4);
+	return connlimit_parse(c, argv, invert, flags, match, NFPROTO_IPV4);
 }
 
 static int connlimit_parse6(int c, char **argv, int invert,
                             unsigned int *flags, const void *entry,
                             struct xt_entry_match **match)
 {
-	return connlimit_parse(c, argv, invert, flags,
-	       (void *)(*match)->data, NFPROTO_IPV6);
+	return connlimit_parse(c, argv, invert, flags, match, NFPROTO_IPV6);
 }
 
 static void connlimit_check(unsigned int flags)
@@ -160,43 +176,93 @@ static void connlimit_print4(const void *ip,
 {
 	const struct xt_connlimit_info *info = (const void *)match->data;
 
-	printf("#conn/%u %s %u ", count_bits4(info->v4_mask),
-	       info->inverse ? "<=" : ">", info->limit);
+	printf("#conn %s/%u %s %u ",
+	       (info->flags & XT_CONNLIMIT_DADDR) ? "dst" : "src",
+	       count_bits4(info->v4_mask),
+	       (info->flags & XT_CONNLIMIT_INVERT) ? "<=" : ">", info->limit);
 }
 
 static void connlimit_print6(const void *ip,
                              const struct xt_entry_match *match, int numeric)
 {
 	const struct xt_connlimit_info *info = (const void *)match->data;
-	printf("#conn/%u %s %u ", count_bits6(info->v6_mask),
-	       info->inverse ? "<=" : ">", info->limit);
+
+	printf("#conn %s/%u %s %u ",
+	       (info->flags & XT_CONNLIMIT_DADDR) ? "dst" : "src",
+	       count_bits6(info->v6_mask),
+	       (info->flags & XT_CONNLIMIT_INVERT) ? "<=" : ">", info->limit);
 }
 
 static void connlimit_save4(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_connlimit_info *info = (const void *)match->data;
+	const int revision = match->u.user.revision;
 
-	if (info->inverse)
+	if (info->flags & XT_CONNLIMIT_INVERT)
 		printf("--connlimit-upto %u ", info->limit);
 	else
 		printf("--connlimit-above %u ", info->limit);
 	printf("--connlimit-mask %u ", count_bits4(info->v4_mask));
+	if (revision >= 1) {
+		if (info->flags & XT_CONNLIMIT_DADDR)
+			printf("--connlimit-daddr ");
+		else
+			printf("--connlimit-saddr ");
+	}
 }
 
 static void connlimit_save6(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_connlimit_info *info = (const void *)match->data;
+	const int revision = match->u.user.revision;
 
-	if (info->inverse)
+	if (info->flags & XT_CONNLIMIT_INVERT)
 		printf("--connlimit-upto %u ", info->limit);
 	else
 		printf("--connlimit-above %u ", info->limit);
 	printf("--connlimit-mask %u ", count_bits6(info->v6_mask));
+	if (revision >= 1) {
+		if (info->flags & XT_CONNLIMIT_DADDR)
+			printf("--connlimit-daddr ");
+		else
+			printf("--connlimit-saddr ");
+	}
 }
 
 static struct xtables_match connlimit_mt_reg[] = {
 	{
 		.name          = "connlimit",
+		.revision      = 0,
+		.family        = NFPROTO_IPV4,
+		.version       = XTABLES_VERSION,
+		.size          = XT_ALIGN(sizeof(struct xt_connlimit_info)),
+		.userspacesize = offsetof(struct xt_connlimit_info, data),
+		.help          = connlimit_help,
+		.init          = connlimit_init,
+		.parse         = connlimit_parse4,
+		.final_check   = connlimit_check,
+		.print         = connlimit_print4,
+		.save          = connlimit_save4,
+		.extra_opts    = connlimit_opts,
+	},
+	{
+		.name          = "connlimit",
+		.revision      = 0,
+		.family        = NFPROTO_IPV6,
+		.version       = XTABLES_VERSION,
+		.size          = XT_ALIGN(sizeof(struct xt_connlimit_info)),
+		.userspacesize = offsetof(struct xt_connlimit_info, data),
+		.help          = connlimit_help,
+		.init          = connlimit_init,
+		.parse         = connlimit_parse6,
+		.final_check   = connlimit_check,
+		.print         = connlimit_print6,
+		.save          = connlimit_save6,
+		.extra_opts    = connlimit_opts,
+	},
+	{
+		.name          = "connlimit",
+		.revision      = 1,
 		.family        = NFPROTO_IPV4,
 		.version       = XTABLES_VERSION,
 		.size          = XT_ALIGN(sizeof(struct xt_connlimit_info)),
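Review bot: for `revision >= 1` the save functions print `--connlimit-saddr` whenever `XT_CONNLIMIT_DADDR` is clear, so a rule that never used the new feature is still saved with an option that older iptables builds do not know. Printing only `--connlimit-daddr` when the flag is set, and nothing for the default, would keep saved rulesets portable. The revision 0 and revision 1 registration entries are also field-for-field copies and would be easier to keep in sync if generated from one initializer.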
@@ -211,6 +277,7 @@ static struct xtables_match connlimit_mt_reg[] = {
 	},
 	{
 		.name          = "connlimit",
+		.revision      = 1,
 		.family        = NFPROTO_IPV6,
 		.version       = XTABLES_VERSION,
 		.size          = XT_ALIGN(sizeof(struct xt_connlimit_info)),
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index ecc8027..bd369a6 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -11,7 +11,13 @@ Match if the number of existing connections is above \fIn\fP.
 Group hosts using the prefix length. For IPv4, this must be a number between
 (including) 0 and 32. For IPv6, between 0 and 128. If not specified, the
 maximum prefix length for the applicable protocol is used.
-.P
+.TP
+\fB\-\-connlimit\-saddr\fP
+Apply the limit onto the source group.
+.TP
+\fB\-\-connlimit\-daddr\fP
+Apply the limit onto the destination group.
+.PP
 Examples:
 .TP
 # allow 2 telnet connections per client host
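Review bot: the two new entries do not say which grouping is the default, nor that `--connlimit-daddr` needs revision 1 of the match, although the parser rejects it with "xt_connlimit.0 does not support --connlimit-daddr". State that source grouping is used when neither option is given and that destination grouping depends on kernel support.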
@@ -21,7 +27,7 @@ iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-abo
 iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT
 .TP
 # limit the number of parallel HTTP requests to 16 per class C sized \
-network (24 bit netmask)
+source network (24 bit netmask)
 iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
 \-\-connlimit\-mask 24 \-j REJECT
 .TP
@@ -29,3 +35,7 @@ iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
 (ipv6)
 ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above
 16 \-\-connlimit\-mask 64 \-j REJECT
+.TP
+# Limit the number of connections to a particular host:
+ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit
+\-\-connlimit-above 100 \-j REJECT
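Review bot: the new example is captioned "Limit the number of connections to a particular host", but the command does not pass `--connlimit-daddr`, so with `XT_CONNLIMIT_DADDR` clear it still counts per source address and only filters on `-d 2001:db8::1`. Add `\-\-connlimit\-daddr` to the rule; `\-\-connlimit-above` on the last line is also missing the `\-` escape used in the other examples.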
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/linux/netfilter/xt_connlimit.h
index 7e3284b..d6c84c9 100644
--- a/include/linux/netfilter/xt_connlimit.h
+++ b/include/linux/netfilter/xt_connlimit.h
@@ -3,17 +3,27 @@
 
 struct xt_connlimit_data;
 
+enum {
+	XT_CONNLIMIT_INVERT = 1 << 0,
+	XT_CONNLIMIT_DADDR  = 1 << 1,
+};
+
 struct xt_connlimit_info {
 	union {
 		union nf_inet_addr mask;
-#ifndef __KERNEL__
 		union {
 			__be32 v4_mask;
 			__be32 v6_mask[4];
 		};
-#endif
 	};
 	unsigned int limit, inverse;
+	union {
+		/* revision 0 */
+		unsigned int inverse;
+
+		/* revision 1 */
+		__u32 flags;
+	};
 
 	/* Used internally by the kernel */
 	struct xt_connlimit_data *data __attribute__((aligned(8)));
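Review bot: the context line `unsigned int limit, inverse;` is left in place while the new anonymous union declares `inverse` again, so as posted `struct xt_connlimit_info` has two members named `inverse` and gains an extra word ahead of `data`. The line should become `unsigned int limit;` so that the `inverse`/`flags` union occupies the slot the old `inverse` had and the layout shared with the kernel stays unchanged.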
-- 
1.7.1



* Re: iptables: connlimit dstaddr support
  2011-01-19 17:32 iptables: connlimit dstaddr support Jan Engelhardt
                   ` (2 preceding siblings ...)
  2011-01-19 17:32 ` [PATCH 3/3] libxt_connlimit: support for dstaddr-supporting revision 1 Jan Engelhardt
@ 2011-01-20 10:21 ` Patrick McHardy
  3 siblings, 0 replies; 5+ messages in thread
From: Patrick McHardy @ 2011-01-20 10:21 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel, jan.rovner

On 19.01.2011 18:32, Jan Engelhardt wrote:
> The following changes since commit 9c60365e043a430f74115bbfaf58ce0df7585f49:
> 
>   libxt_quota: print negation when it has been selected (2011-01-18 11:02:04 +0100)
> 
> are available in the git repository at:
>   git://dev.medozas.de/iptables master
> 
> Jan Engelhardt (3):
>       libxt_connlimit: reword help text to say prefix length
>       libxt_connlimit: add a --connlimit-upto option
>       libxt_connlimit: support for dstaddr-supporting revision 1
> 

Pulled, thanks Jan.
