I bypassed my own firewall (+ I'm stupid about "limit")
Paul Rusty Russell
Paul.Russell@rustcorp.com.au
Fri, 01 Oct 1999 12:40:08 +0930
In message <199909301824.LAA00503@mersenne.com.> you write:
> Here's a patch that adds a "limit_above" flag to ipt_rateinfo, and
> "--exceeds" and "--exceeds-burst" flags to the UI. I haven't copied
> it all over to my firewall for testing, but it's so simple, how could
> it fail? :-D
You could pass the 16-byte limit of the structure on 64-bit
machines. 8-) This structure has to fit inside the `union
ipt_targinfo'.
Would it be clearer if I rename `limit' to `limit-exceeded' (inverting
its current sense), and extend iptables to allow a `!' before -m, so:
iptables -A foo ! -m limit-exceeded --limit blah -j LOG
This is a larger architectural change (but actually a smaller change
to the limit module), but it could be useful for future match modules
as well, so I think it's the right choice...
Thoughts?
Rusty.
--
Hacking time.
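The two ways of expressing "log what goes over the limit" discussed in this thread can be shown with a small token-bucket model. The following is an added example written for this page, not code from the netfilter project or from the mail's author: `LimitMatch` is a simplified credit/burst bucket in the spirit of the `limit' match, `simulate` uses the two-rule idiom (`-m limit ... -j ACCEPT` followed by an unconditional `-j LOG`), and `simulate_inverted` models the proposed single rule with the inverted `limit-exceeded' sense. The rate, burst and packet timestamps are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Simplified token bucket modelling the iptables `limit' match.
    (Model written for this example; it is not ipt_limit.c.)"""
    rate: float                 # credits (packets) replenished per second
    burst: int                  # maximum credits the bucket can hold
    credit: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        # A fresh bucket starts full, so the first `burst' packets match.
        self.credit = float(self.burst)

    def _refill(self, now):
        elapsed = now - self.last
        self.credit = min(float(self.burst), self.credit + elapsed * self.rate)
        self.last = now

    def match(self, now):
        """Normal `-m limit' sense: True while under the limit (consumes a credit)."""
        self._refill(now)
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False

    def exceeded(self, now):
        """Inverted sense from the mail (`-m limit-exceeded'): True exactly
        when match() would have returned False for the same packet."""
        return not self.match(now)


def simulate(timestamps, rate, burst):
    """Verdicts under the two-rule idiom:
       -A foo -m limit --limit <rate> --limit-burst <burst> -j ACCEPT
       -A foo -j LOG
    A packet that matches is accepted; everything else falls through to LOG."""
    bucket = LimitMatch(rate, burst)
    return ["ACCEPT" if bucket.match(t) else "LOG" for t in timestamps]


def simulate_inverted(timestamps, rate, burst):
    """Verdicts under the proposed single rule:
       -A foo -m limit-exceeded --limit <rate> --limit-burst <burst> -j LOG
    Packets over the limit are logged; the rest continue down the chain ("PASS")."""
    bucket = LimitMatch(rate, burst)
    return ["LOG" if bucket.exceeded(t) else "PASS" for t in timestamps]


# Constructed traffic: a burst of five packets at t=0, then stragglers.
SAMPLE_TIMES = [0.0, 0.0, 0.0, 0.0, 0.0, 1.0, 1.2, 2.5]

if __name__ == "__main__":
    for t, v1, v2 in zip(SAMPLE_TIMES,
                         simulate(SAMPLE_TIMES, rate=1.0, burst=3),
                         simulate_inverted(SAMPLE_TIMES, rate=1.0, burst=3)):
        print(f"t={t:>4}  two-rule: {v1:<6}  inverted: {v2}")
```

Both forms consume the same credit per packet, so they reach the same decision for every packet; that is why inverting the match's sense is a small change inside the module even though `!` before `-m` is a larger change to the iptables front end.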