[netfilter-cvslog] r3230 - in
trunk/patch-o-matic-ng/dstlimit/linux-2.6:
include/linux/netfilter_ipv4 net/ipv4/netfilter
/C=DE/ST=Berlin/L=Berlin/O=Netfilter
/C=DE/ST=Berlin/L=Berlin/O=Netfilter
Wed Oct 20 12:52:51 CEST 2004
Author: /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge at netfilter.org
Date: 2004-10-20 12:52:50 +0200 (Wed, 20 Oct 2004)
New Revision: 3230
Modified:
trunk/patch-o-matic-ng/dstlimit/linux-2.6/include/linux/netfilter_ipv4/ipt_dstlimit.h
trunk/patch-o-matic-ng/dstlimit/linux-2.6/net/ipv4/netfilter/ipt_dstlimit.c
Log:
implement source hashing, rename everything (but filenames) to hashlimit
Modified: trunk/patch-o-matic-ng/dstlimit/linux-2.6/include/linux/netfilter_ipv4/ipt_dstlimit.h
===================================================================
--- trunk/patch-o-matic-ng/dstlimit/linux-2.6/include/linux/netfilter_ipv4/ipt_dstlimit.h 2004-10-19 21:43:44 UTC (rev 3229)
+++ trunk/patch-o-matic-ng/dstlimit/linux-2.6/include/linux/netfilter_ipv4/ipt_dstlimit.h 2004-10-20 10:52:50 UTC (rev 3230)
@@ -1,20 +1,21 @@
-#ifndef _IPT_DSTLIMIT_H
-#define _IPT_DSTLIMIT_H
+#ifndef _IPT_HASHLIMIT_H
+#define _IPT_HASHLIMIT_H
/* timings are in milliseconds. */
-#define IPT_DSTLIMIT_SCALE 10000
+#define IPT_HASHLIMIT_SCALE 10000
/* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490
seconds, or one every 59 hours. */
/* details of this structure hidden by the implementation */
-struct ipt_dstlimit_htable;
+struct ipt_hashlimit_htable;
-#define IPT_DSTLIMIT_HASH_DIP 0x0001
-#define IPT_DSTLIMIT_HASH_DPT 0x0002
-#define IPT_DSTLIMIT_HASH_SIP 0x0004
+#define IPT_HASHLIMIT_HASH_DIP 0x0001
+#define IPT_HASHLIMIT_HASH_DPT 0x0002
+#define IPT_HASHLIMIT_HASH_SIP 0x0004
+#define IPT_HASHLIMIT_HASH_SPT 0x0008
-struct dstlimit_cfg {
- u_int32_t mode; /* bitmask of IPT_DSTLIMIT_HASH_* */
+struct hashlimit_cfg {
+ u_int32_t mode; /* bitmask of IPT_HASHLIMIT_HASH_* */
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
@@ -25,15 +26,15 @@
u_int32_t expire; /* when do entries expire? */
};
-struct ipt_dstlimit_info {
+struct ipt_hashlimit_info {
char name [IFNAMSIZ]; /* name */
- struct dstlimit_cfg cfg;
- struct ipt_dstlimit_htable *hinfo;
+ struct hashlimit_cfg cfg;
+ struct ipt_hashlimit_htable *hinfo;
/* Used internally by the kernel */
union {
void *ptr;
- struct ipt_dstlimit_info *master;
+ struct ipt_hashlimit_info *master;
} u;
};
-#endif /*_IPT_DSTLIMIT_H*/
+#endif /*_IPT_HASHLIMIT_H*/
Modified: trunk/patch-o-matic-ng/dstlimit/linux-2.6/net/ipv4/netfilter/ipt_dstlimit.c
===================================================================
--- trunk/patch-o-matic-ng/dstlimit/linux-2.6/net/ipv4/netfilter/ipt_dstlimit.c 2004-10-19 21:43:44 UTC (rev 3229)
+++ trunk/patch-o-matic-ng/dstlimit/linux-2.6/net/ipv4/netfilter/ipt_dstlimit.c 2004-10-20 10:52:50 UTC (rev 3230)
@@ -1,9 +1,9 @@
/* iptables match extension to limit the number of packets per second
- * seperately for each destination.
+ * seperately for each hashbucket (sourceip/sourceport/dstip/dstport)
*
* (C) 2003 by Harald Welte <laforge at netfilter.org>
*
- * $Id: ipt_dstlimit.c,v 1.2 2004/02/22 18:22:22 laforge Exp $
+ * $Id$
*
* Development of this code was funded by Astaro AG, http://www.astaro.com/
*
@@ -39,7 +39,7 @@
#include <linux/netfilter_ipv4/listhelp.h>
#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_dstlimit.h>
+#include <linux/netfilter_ipv4/ipt_hashlimit.h>
/* FIXME: this is just for IP_NF_ASSERRT */
#include <linux/netfilter_ipv4/ip_conntrack.h>
@@ -51,7 +51,7 @@
MODULE_DESCRIPTION("iptables match for limiting per destination");
/* need to declare this at the top */
-static struct proc_dir_entry *dstlimit_procdir;
+static struct proc_dir_entry *hashlimit_procdir;
static struct file_operations dl_file_ops;
/* hash table crap */
@@ -59,7 +59,9 @@
struct dsthash_dst {
u_int32_t src_ip;
u_int32_t dst_ip;
- u_int16_t port;
+ /* ports have to be consecutive !!! */
+ u_int16_t src_port;
+ u_int16_t dst_port;
};
struct dsthash_ent {
@@ -76,11 +78,11 @@
} rateinfo;
};
-struct ipt_dstlimit_htable {
+struct ipt_hashlimit_htable {
struct list_head list; /* global list of all htables */
atomic_t use;
- struct dstlimit_cfg cfg; /* config */
+ struct hashlimit_cfg cfg; /* config */
/* used internally */
spinlock_t lock; /* lock for list_head */
@@ -94,26 +96,27 @@
struct list_head hash[0]; /* hashtable itself */
};
-DECLARE_RWLOCK(dstlimit_lock); /* protects htables list */
-static LIST_HEAD(dstlimit_htables);
-static kmem_cache_t *dstlimit_cachep;
+DECLARE_RWLOCK(hashlimit_lock); /* protects htables list */
+static LIST_HEAD(hashlimit_htables);
+static kmem_cache_t *hashlimit_cachep;
static inline int dst_cmp(const struct dsthash_ent *ent, struct dsthash_dst *b)
{
return (ent->dst.dst_ip == b->dst_ip
- && ent->dst.port == b->port
+ && ent->dst.dst_port == b->dst_port
+ && ent->dst.src_port == b->src_port
&& ent->dst.src_ip == b->src_ip);
}
static inline u_int32_t
-hash_dst(const struct ipt_dstlimit_htable *ht, const struct dsthash_dst *dst)
+hash_dst(const struct ipt_hashlimit_htable *ht, const struct dsthash_dst *dst)
{
- return (jhash_3words(dst->dst_ip, dst->port,
+ return (jhash_3words(dst->dst_ip, (dst->dst_port<<16 & dst->src_port),
dst->src_ip, ht->rnd) % ht->cfg.size);
}
static inline struct dsthash_ent *
-__dsthash_find(const struct ipt_dstlimit_htable *ht, struct dsthash_dst *dst)
+__dsthash_find(const struct ipt_hashlimit_htable *ht, struct dsthash_dst *dst)
{
struct dsthash_ent *ent;
u_int32_t hash = hash_dst(ht, dst);
@@ -124,7 +127,7 @@
/* allocate dsthash_ent, initialize dst, put in htable and lock it */
static struct dsthash_ent *
-__dsthash_alloc_init(struct ipt_dstlimit_htable *ht, struct dsthash_dst *dst)
+__dsthash_alloc_init(struct ipt_hashlimit_htable *ht, struct dsthash_dst *dst)
{
struct dsthash_ent *ent;
@@ -138,24 +141,25 @@
/* FIXME: do something. question is what.. */
if (net_ratelimit())
printk(KERN_WARNING
- "ipt_dstlimit: max count of %u reached\n",
+ "ipt_hashlimit: max count of %u reached\n",
ht->cfg.max);
return NULL;
}
- ent = kmem_cache_alloc(dstlimit_cachep, GFP_ATOMIC);
+ ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC);
if (!ent) {
if (net_ratelimit())
printk(KERN_ERR
- "ipt_dstlimit: can't allocate dsthash_ent\n");
+ "ipt_hashlimit: can't allocate dsthash_ent\n");
return NULL;
}
atomic_inc(&ht->count);
ent->dst.dst_ip = dst->dst_ip;
- ent->dst.port = dst->port;
+ ent->dst.dst_port = dst->dst_port;
ent->dst.src_ip = dst->src_ip;
+ ent->dst.src_port = dst->src_port;
list_add(&ent->list, &ht->hash[hash_dst(ht, dst)]);
@@ -163,21 +167,21 @@
}
static inline void
-__dsthash_free(struct ipt_dstlimit_htable *ht, struct dsthash_ent *ent)
+__dsthash_free(struct ipt_hashlimit_htable *ht, struct dsthash_ent *ent)
{
MUST_BE_LOCKED(&ht->lock);
list_del(&ent->list);
- kmem_cache_free(dstlimit_cachep, ent);
+ kmem_cache_free(hashlimit_cachep, ent);
atomic_dec(&ht->count);
}
static void htable_gc(unsigned long htlong);
-static int htable_create(struct ipt_dstlimit_info *minfo)
+static int htable_create(struct ipt_hashlimit_info *minfo)
{
int i;
unsigned int size;
- struct ipt_dstlimit_htable *hinfo;
+ struct ipt_hashlimit_htable *hinfo;
if (minfo->cfg.size)
size = minfo->cfg.size;
@@ -190,10 +194,10 @@
size = 16;
}
/* FIXME: don't use vmalloc() here or anywhere else -HW */
- hinfo = vmalloc(sizeof(struct ipt_dstlimit_htable)
+ hinfo = vmalloc(sizeof(struct ipt_hashlimit_htable)
+ (sizeof(struct list_head) * size));
if (!hinfo) {
- printk(KERN_ERR "ipt_dstlimit: Unable to create hashtable\n");
+ printk(KERN_ERR "ipt_hashlimit: Unable to create hashtable\n");
return -1;
}
minfo->hinfo = hinfo;
@@ -213,7 +217,7 @@
atomic_set(&hinfo->use, 1);
hinfo->rnd = 0;
hinfo->lock = SPIN_LOCK_UNLOCKED;
- hinfo->pde = create_proc_entry(minfo->name, 0, dstlimit_procdir);
+ hinfo->pde = create_proc_entry(minfo->name, 0, hashlimit_procdir);
if (!hinfo->pde) {
vfree(hinfo);
return -1;
@@ -227,25 +231,25 @@
hinfo->timer.function = htable_gc;
add_timer(&hinfo->timer);
- WRITE_LOCK(&dstlimit_lock);
- list_add(&hinfo->list, &dstlimit_htables);
- WRITE_UNLOCK(&dstlimit_lock);
+ WRITE_LOCK(&hashlimit_lock);
+ list_add(&hinfo->list, &hashlimit_htables);
+ WRITE_UNLOCK(&hashlimit_lock);
return 0;
}
-static int select_all(struct ipt_dstlimit_htable *ht, struct dsthash_ent *he)
+static int select_all(struct ipt_hashlimit_htable *ht, struct dsthash_ent *he)
{
return 1;
}
-static int select_gc(struct ipt_dstlimit_htable *ht, struct dsthash_ent *he)
+static int select_gc(struct ipt_hashlimit_htable *ht, struct dsthash_ent *he)
{
return (jiffies >= he->expires);
}
-static void htable_selective_cleanup(struct ipt_dstlimit_htable *ht,
- int (*select)(struct ipt_dstlimit_htable *ht,
+static void htable_selective_cleanup(struct ipt_hashlimit_htable *ht,
+ int (*select)(struct ipt_hashlimit_htable *ht,
struct dsthash_ent *he))
{
int i;
@@ -267,7 +271,7 @@
/* hash table garbage collector, run by timer */
static void htable_gc(unsigned long htlong)
{
- struct ipt_dstlimit_htable *ht = (struct ipt_dstlimit_htable *)htlong;
+ struct ipt_hashlimit_htable *ht = (struct ipt_hashlimit_htable *)htlong;
htable_selective_cleanup(ht, select_gc);
@@ -276,42 +280,42 @@
add_timer(&ht->timer);
}
-static void htable_destroy(struct ipt_dstlimit_htable *hinfo)
+static void htable_destroy(struct ipt_hashlimit_htable *hinfo)
{
/* remove timer, if it is pending */
if (timer_pending(&hinfo->timer))
del_timer(&hinfo->timer);
/* remove proc entry */
- remove_proc_entry(hinfo->pde->name, dstlimit_procdir);
+ remove_proc_entry(hinfo->pde->name, hashlimit_procdir);
htable_selective_cleanup(hinfo, select_all);
vfree(hinfo);
}
-static struct ipt_dstlimit_htable *htable_find_get(char *name)
+static struct ipt_hashlimit_htable *htable_find_get(char *name)
{
- struct ipt_dstlimit_htable *hinfo;
+ struct ipt_hashlimit_htable *hinfo;
- READ_LOCK(&dstlimit_lock);
- list_for_each_entry(hinfo, &dstlimit_htables, list) {
+ READ_LOCK(&hashlimit_lock);
+ list_for_each_entry(hinfo, &hashlimit_htables, list) {
if (!strcmp(name, hinfo->pde->name)) {
atomic_inc(&hinfo->use);
- READ_UNLOCK(&dstlimit_lock);
+ READ_UNLOCK(&hashlimit_lock);
return hinfo;
}
}
- READ_UNLOCK(&dstlimit_lock);
+ READ_UNLOCK(&hashlimit_lock);
return NULL;
}
-static void htable_put(struct ipt_dstlimit_htable *hinfo)
+static void htable_put(struct ipt_hashlimit_htable *hinfo)
{
if (atomic_dec_and_test(&hinfo->use)) {
- WRITE_LOCK(&dstlimit_lock);
+ WRITE_LOCK(&hashlimit_lock);
list_del(&hinfo->list);
- WRITE_UNLOCK(&dstlimit_lock);
+ WRITE_UNLOCK(&hashlimit_lock);
htable_destroy(hinfo);
}
}
@@ -360,9 +364,9 @@
/* If multiplying would overflow... */
if (user > 0xFFFFFFFF / (HZ*CREDITS_PER_JIFFY))
/* Divide first. */
- return (user / IPT_DSTLIMIT_SCALE) * HZ * CREDITS_PER_JIFFY;
+ return (user / IPT_HASHLIMIT_SCALE) * HZ * CREDITS_PER_JIFFY;
- return (user * HZ * CREDITS_PER_JIFFY) / IPT_DSTLIMIT_SCALE;
+ return (user * HZ * CREDITS_PER_JIFFY) / IPT_HASHLIMIT_SCALE;
}
static inline void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now)
@@ -373,62 +377,95 @@
dh->rateinfo.credit = dh->rateinfo.credit_cap;
}
+static inline int get_ports(struct sk_buff *skb, int offset, u16 ports[2])
+{
+ union {
+ struct tcphdr th;
+ struct udphdr uh;
+ sctp_sctphdr_t sctph;
+ } hdr_u, *ptr_u;
+
+#if 0
+ union {
+ struct tcphdr *th;
+ struct udphdr *uh;
+ sctp_sctphdr_t *scth;
+ } ptr_u;
+#endif
+
+ /* Must not be a fragment. */
+ if (offset)
+ return 1;
+
+ /* Must be big enough to read ports (both UDP and TCP have
+ them at the start). */
+ ptr_u = skb_header_pointer(skb, skb->nh.iph->ihl*4, 8, &hdr_u);
+ if (!ptr_u)
+ return 1;
+
+ switch (skb->nh.iph->protocol) {
+ case IPPROTO_TCP:
+ ports[0] = ptr_u.th->source;
+ ports[1] = ptr_u.th->dest;
+ break;
+ case IPPROTO_UDP:
+ ports[0] = ptr_u.uh->source;
+ ports[1] = ptr_u.uh->dest;
+ break;
+ case IPPROTO_SCTP:
+ ports[0] = ptr_u.sctph->source;
+ ports[1] = ptr_u.sctph->dest;
+ break;
+ default:
+ /* all other protocols don't supprot per-port hash
+ * buckets */
+ ports[0] = ports[1] = 0;
+ break;
+ }
+
+ return 0;
+}
+
+
static int
-dstlimit_match(const struct sk_buff *skb,
+hashlimit_match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
int *hotdrop)
{
- struct ipt_dstlimit_info *r =
- ((struct ipt_dstlimit_info *)matchinfo)->u.master;
- struct ipt_dstlimit_htable *hinfo = r->hinfo;
+ struct ipt_hashlimit_info *r =
+ ((struct ipt_hashlimit_info *)matchinfo)->u.master;
+ struct ipt_hashlimit_htable *hinfo = r->hinfo;
unsigned long now = jiffies;
struct dsthash_ent *dh;
struct dsthash_dst dst;
- memset(&dst, 0, sizeof(dst));
+ if (hinfo->cfg.mode & IPT_HASHLIMIT_HASH_DIP)
+ dst.dst_ip = skb->nh.iph->daddr;
+ else
+ dst.dst_ip = 0;
- /* dest ip is always in hash */
- dst.dst_ip = skb->nh.iph->daddr;
-
- /* source ip only if respective hashmode, otherwise set to
- * zero */
- if (hinfo->cfg.mode & IPT_DSTLIMIT_HASH_SIP)
+ /* source ip only if respective hashmode */
+ if (hinfo->cfg.mode & IPT_HASHLIMIT_HASH_SIP)
dst.src_ip = skb->nh.iph->saddr;
+ else
+ dst.src_ip = 0;
- /* dest port only if respective mode */
- if (hinfo->cfg.mode & IPT_DSTLIMIT_HASH_DPT) {
- u16 ports[2];
-
- /* Must not be a fragment. */
- if (offset)
- return 0;
-
- /* Must be big enough to read ports (both UDP and TCP have
- them at the start). */
- if (skb_copy_bits(skb, skb->nh.iph->ihl*4, ports, sizeof(ports)) < 0) {
+ /* ports only if respective mode */
+ if (hinfo->cfg.mode & IPT_HASHLIMIT_HASH_DPT
+ ||hinfo->cfg.mode & IPT_HASHLIMIT_HASH_SPT) {
+ if (get_ports(skb, offset, &dst.src_port)) {
/* We've been asked to examine this packet, and we
- can't. Hence, no choice but to drop. */
+ can't. Hence, no choice but to drop. */
*hotdrop = 1;
return 0;
}
-
- switch (skb->nh.iph->protocol) {
- struct tcphdr *th;
- struct udphdr *uh;
- case IPPROTO_TCP:
- th = (void *)skb->nh.iph+skb->nh.iph->ihl*4;
- dst.port = th->dest;
- break;
- case IPPROTO_UDP:
- uh = (void *)skb->nh.iph+skb->nh.iph->ihl*4;
- dst.port = uh->dest;
- break;
- default:
- break;
- }
+ if (!(hinfo->cfg.mode & IPT_HASHLIMIT_HASH_DPT))
+ dst.dst_port = 0;
+ if (!(hinfo->cfg.mode & IPT_HASHLIMIT_HASH_SPT))
+ dst.src_port = 0;
}
LOCK_BH(&hinfo->lock);
@@ -475,30 +512,31 @@
}
static int
-dstlimit_checkentry(const char *tablename,
+hashlimit_checkentry(const char *tablename,
const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
- struct ipt_dstlimit_info *r = matchinfo;
+ struct ipt_hashlimit_info *r = matchinfo;
- if (matchsize != IPT_ALIGN(sizeof(struct ipt_dstlimit_info)))
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_hashlimit_info)))
return 0;
/* Check for overflow. */
if (r->cfg.burst == 0
|| user2credits(r->cfg.avg * r->cfg.burst) <
user2credits(r->cfg.avg)) {
- printk(KERN_ERR "ipt_dstlimit: Overflow, try lower: %u/%u\n",
+ printk(KERN_ERR "ipt_hashlimit: Overflow, try lower: %u/%u\n",
r->cfg.avg, r->cfg.burst);
return 0;
}
if (r->cfg.mode == 0
- || r->cfg.mode > (IPT_DSTLIMIT_HASH_DPT
- |IPT_DSTLIMIT_HASH_DIP
- |IPT_DSTLIMIT_HASH_SIP))
+ || r->cfg.mode > (IPT_HASHLIMIT_HASH_DPT
+ |IPT_HASHLIMIT_HASH_DIP
+ |IPT_HASHLIMIT_HASH_SIP
+ |IPT_HASHLIMIT_HASH_SPT))
return 0;
if (!r->cfg.gc_interval)
@@ -519,19 +557,19 @@
}
static void
-dstlimit_destroy(void *matchinfo, unsigned int matchsize)
+hashlimit_destroy(void *matchinfo, unsigned int matchsize)
{
- struct ipt_dstlimit_info *r = (struct ipt_dstlimit_info *) matchinfo;
+ struct ipt_hashlimit_info *r = (struct ipt_hashlimit_info *) matchinfo;
htable_put(r->hinfo);
}
-static struct ipt_match ipt_dstlimit = {
+static struct ipt_match ipt_hashlimit = {
.list = { .prev = NULL, .next = NULL },
- .name = "dstlimit",
- .match = dstlimit_match,
- .checkentry = dstlimit_checkentry,
- .destroy = dstlimit_destroy,
+ .name = "hashlimit",
+ .match = hashlimit_match,
+ .checkentry = hashlimit_checkentry,
+ .destroy = hashlimit_destroy,
.me = THIS_MODULE
};
@@ -540,7 +578,7 @@
static void *dl_seq_start(struct seq_file *s, loff_t *pos)
{
struct proc_dir_entry *pde = s->private;
- struct ipt_dstlimit_htable *htable = pde->data;
+ struct ipt_hashlimit_htable *htable = pde->data;
unsigned int *bucket;
LOCK_BH(&htable->lock);
@@ -558,7 +596,7 @@
static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
struct proc_dir_entry *pde = s->private;
- struct ipt_dstlimit_htable *htable = pde->data;
+ struct ipt_hashlimit_htable *htable = pde->data;
unsigned int *bucket = (unsigned int *)v;
*pos = ++(*bucket);
@@ -572,7 +610,7 @@
static void dl_seq_stop(struct seq_file *s, void *v)
{
struct proc_dir_entry *pde = s->private;
- struct ipt_dstlimit_htable *htable = pde->data;
+ struct ipt_hashlimit_htable *htable = pde->data;
unsigned int *bucket = (unsigned int *)v;
kfree(bucket);
@@ -585,10 +623,10 @@
/* recalculate to show accurate numbers */
rateinfo_recalc(ent, jiffies);
- return seq_printf(s, "%ld %u.%u.%u.%u->%u.%u.%u.%u:%u %u %u %u\n",
+ return seq_printf(s, "%ld %u.%u.%u.%u:%u->%u.%u.%u.%u:%u %u %u %u\n",
(ent->expires - jiffies)/HZ,
- NIPQUAD(ent->dst.src_ip),
- NIPQUAD(ent->dst.dst_ip), ntohs(ent->dst.port),
+ NIPQUAD(ent->dst.src_ip), ntohs(ent->dst.src_port)
+ NIPQUAD(ent->dst.dst_ip), ntohs(ent->dst.dst_port),
ent->rateinfo.credit, ent->rateinfo.credit_cap,
ent->rateinfo.cost);
}
@@ -596,7 +634,7 @@
static int dl_seq_show(struct seq_file *s, void *v)
{
struct proc_dir_entry *pde = s->private;
- struct ipt_dstlimit_htable *htable = pde->data;
+ struct ipt_hashlimit_htable *htable = pde->data;
unsigned int *bucket = (unsigned int *)v;
if (LIST_FIND_W(&htable->hash[*bucket], dl_seq_real_show,
@@ -640,24 +678,24 @@
if (fini)
goto cleanup;
- if (ipt_register_match(&ipt_dstlimit)) {
+ if (ipt_register_match(&ipt_hashlimit)) {
ret = -EINVAL;
goto cleanup_nothing;
}
/* FIXME: do we really want HWCACHE_ALIGN since our objects are
* quite small ? */
- dstlimit_cachep = kmem_cache_create("ipt_dstlimit",
+ hashlimit_cachep = kmem_cache_create("ipt_hashlimit",
sizeof(struct dsthash_ent), 0,
SLAB_HWCACHE_ALIGN, NULL, NULL);
- if (!dstlimit_cachep) {
- printk(KERN_ERR "Unable to create ipt_dstlimit slab cache\n");
+ if (!hashlimit_cachep) {
+ printk(KERN_ERR "Unable to create ipt_hashlimit slab cache\n");
ret = -ENOMEM;
goto cleanup_unreg_match;
}
- dstlimit_procdir = proc_mkdir("ipt_dstlimit", proc_net);
- if (!dstlimit_procdir) {
+ hashlimit_procdir = proc_mkdir("ipt_hashlimit", proc_net);
+ if (!hashlimit_procdir) {
printk(KERN_ERR "Unable to create proc dir entry\n");
ret = -ENOMEM;
goto cleanup_free_slab;
@@ -666,11 +704,11 @@
return ret;
cleanup:
- remove_proc_entry("ipt_dstlimit", proc_net);
+ remove_proc_entry("ipt_hashlimit", proc_net);
cleanup_free_slab:
- kmem_cache_destroy(dstlimit_cachep);
+ kmem_cache_destroy(hashlimit_cachep);
cleanup_unreg_match:
- ipt_unregister_match(&ipt_dstlimit);
+ ipt_unregister_match(&ipt_hashlimit);
cleanup_nothing:
return ret;
More information about the netfilter-cvslog
mailing list