author: Pablo Neira Ayuso <pablo@netfilter.org>, 2018-06-02 22:38:51 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org>, 2018-06-03 02:18:29 +0300
commit: 290180e2448c02d6b391455937098882a73a9494
tree: 46a80a6504c141f693b7c59a3fc05b6fbbe12d45 /net/netfilter/Kconfig
parent: 371ebcbb9ee62fb46a0a27f358941588f7048678
download: linux-290180e2448c02d6b391455937098882a73a9494.tar.xz
netfilter: nf_tables: add connlimit support
This feature allows you to limit the maximum number of
connections per arbitrary key. The connlimit expression is stateful,
therefore it can be used from meters to dynamically populate a set; this
provides a mapping to the iptables' connlimit match. This patch also
allows you to define static connlimit policies.
This extension depends on the nf_conncount infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
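The two usage modes the commit message describes, as an added nftables ruleset (not part of this commit; it assumes an nft userspace that exposes the connlimit expression as `ct count`, and the port numbers and thresholds are illustrative):

```nft
# Added example ruleset, not from the kernel commit.
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Static connlimit policy: this single rule keeps one counter, so
        # once more than 100 connections matched by it exist, new ones
        # are dropped regardless of their source.
        tcp dport 80 ct state new ct count over 100 counter drop

        # Dynamic policy via a meter: the stateful expression populates a
        # set keyed by source address, so each client gets its own limit.
        tcp dport 22 ct state new \
            meter ssh-per-src { ip saddr ct count over 5 } counter reject
    }
}
```

Both rules require connection tracking, which is why the Kconfig symbol in this patch depends on NF_CONNTRACK and selects the nf_conncount infrastructure.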
Diffstat (limited to 'net/netfilter/Kconfig')
-rw-r--r-- net/netfilter/Kconfig | 9
1 files changed, 9 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 41240abd755f..dbd7d1fad277 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -517,6 +517,15 @@ config NFT_COUNTER This option adds the "counter" expression that you can use to include packet and byte counters in a rule. +config NFT_CONNLIMIT + tristate "Netfilter nf_tables connlimit module" + depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED + select NETFILTER_CONNCOUNT + help + This option adds the "connlimit" expression that you can use to + ratelimit rule matchings per connections. + config NFT_LOG tristate "Netfilter nf_tables log module" help |
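Review bot: the help text for NFT_CONNLIMIT, "ratelimit rule matchings per connections", is ungrammatical and does not describe what the commit message says the expression does (limit the maximum number of connections per arbitrary key, backed by nf_conncount); a user reading `make menuconfig` would take it for a rate limiter. Suggest rewording the two help lines to `This option adds the "connlimit" expression that you can use to` / `limit the number of concurrent connections per arbitrary key.` The dependency lines look right: `depends on NF_CONNTRACK` is needed because `select NETFILTER_CONNCOUNT` does not pull in the selected symbol's own dependencies.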