    netfilter: nf_tables: add quota expression · 3d2f30a1
    Pablo Neira Ayuso authored
    This patch adds the quota expression. This new stateful expression
    integrates easily into the dynset expression to build 'hashquota' flow
    tables.
    
    Arguably, we could instead use "counter bytes > 1000", but this
    approach has several problems:
    
    1) We only support one single stateful expression in dynamic set
       definitions, and the expression above is a composite of two
       expressions: get counter + comparison.
    
    2) We would need to restore the packed counter representation (that we
       used to have) based on seqlock to synchronize this, since per-cpu is
       not suitable for this.
    
    So instead of bloating the counter expression back with the seqlock
    representation and extending the existing set infrastructure to make it
    more complex for the composite described above, let's follow the more
    simple approach of adding a quota expression that we can plug into our
    existing infrastructure.
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Kconfig 48.3 KB