netfilter: connlimit: split xt_connlimit into front and backend

This allows to reuse xt_connlimit infrastructure from nf_tables. The upcoming nf_tables frontend can just pass in an nftables register as input key, this allows limiting by any nft-supported key, including concatenations. For xt_connlimit, pass in the zone and the ip/ipv6 address. With help from Yi-Hung Wei. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2017-12-09 21:01:08 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-01-08 18:01:22 +0100
commit: 625c556118f3c2fd28bb8ef6da18c53bd4037be4 (patch)
tree: e67a0e7ac8ae1e482aa0af0f5363a74a37011228 /net/netfilter/Kconfig
parent: c2f9eafee9aaeedaad9eadbf47913f4681d723df (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 263609a7e010..af3d9f721b3f 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -68,6 +68,8 @@ config NF_LOG_NETDEV
 	select NF_LOG_COMMON
 
 if NF_CONNTRACK
+config NETFILTER_CONNCOUNT
+	tristate
 
 config NF_CONNTRACK_MARK
 	bool  'Connection mark tracking support'
@@ -1126,6 +1128,7 @@ config NETFILTER_XT_MATCH_CONNLIMIT
 	tristate '"connlimit" match support'
 	depends on NF_CONNTRACK
 	depends on NETFILTER_ADVANCED
+	select NETFILTER_CONNCOUNT
 	---help---
 	  This match allows you to match against the number of parallel
 	  connections to a server per client IP address (or address block).
author	Florian Westphal <fw@strlen.de>	2017-12-09 21:01:08 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-01-08 18:01:22 +0100
commit	625c556118f3c2fd28bb8ef6da18c53bd4037be4 (patch)
tree	e67a0e7ac8ae1e482aa0af0f5363a74a37011228 /net/netfilter/Kconfig
parent	c2f9eafee9aaeedaad9eadbf47913f4681d723df (diff)