From d0b74aa8e154d065cde51bdefb8524b9ee8a29c3 Mon Sep 17 00:00:00 2001
From: Apollon Oikonomopoulos
Date: Thu, 3 Dec 2015 17:17:12 +0200
Subject: [PATCH] hashlimit: add support for xt_hashlimit options

Add more options supported by the current hashlimit module (xt_hashlimit): hashlimit-upto, hashlimit-above, hashlimit-srcmask and hashlimit-dstmask. Note that in xt_hashlimit, hashlimit is an alias for hashlimit-upto. However, we will not define it as such in ferm to maintain compatibility with the old hashlimit module (ipt_hashlimit).
---
 src/ferm | 2 ++
 test/modules/hashlimit.ferm | 8 ++++++++
 test/modules/hashlimit.result | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/src/ferm b/src/ferm
index c13f24c..7e88eeb 100755
--- a/src/ferm
+++ b/src/ferm
@@ -260,6 +260,8 @@ add_match_def 'hbh', qw(hbh-len! hbh-opts=c);
 add_match_def 'helper', qw(helper);
 add_match_def 'hl', qw(hl-eq! hl-lt=s hl-gt=s);
 add_match_def 'hashlimit', qw(hashlimit=s hashlimit-burst=s hashlimit-mode=c hashlimit-name=s),
+ qw(hashlimit-upto=s hashlimit-above=s),
+ qw(hashlimit-srcmask=s hashlimit-dstmask=s),
 qw(hashlimit-htable-size=s hashlimit-htable-max=s),
 qw(hashlimit-htable-expire=s hashlimit-htable-gcinterval=s);
 add_match_def 'iprange', qw(!src-range !dst-range);
diff --git a/test/modules/hashlimit.ferm b/test/modules/hashlimit.ferm
index 24c7216..1dff176 100644
--- a/test/modules/hashlimit.ferm
+++ b/test/modules/hashlimit.ferm
@@ -6,4 +6,12 @@ table filter chain INPUT mod hashlimit {
 hashlimit-htable-expire 600 hashlimit-htable-gcinterval 180 ACCEPT; hashlimit-mode (dstip srcip) DROP;
+ hashlimit-upto 10/minute
+ hashlimit-mode dstip
+ hashlimit-dstmask 24
+ ACCEPT;
+ hashlimit-above 10/minute
+ hashlimit-mode srcip
+ hashlimit-srcmask 24
+ ACCEPT;
 }
diff --git a/test/modules/hashlimit.result b/test/modules/hashlimit.result
index ee7ec4c..d19ac25 100644
--- a/test/modules/hashlimit.result
+++ b/test/modules/hashlimit.result
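Review bot: The new `qw(hashlimit-upto=s hashlimit-above=s)` entry registers both keywords as ordinary independent options next to the legacy `hashlimit`, so a rule that combines two of them (for example `hashlimit 10/minute hashlimit-above 10/minute`) passes ferm's parser and is rejected only when iptables loads the generated rule, where xt_hashlimit treats the three as mutually exclusive. If `add_match_def` cannot express that exclusion, at least record it next to the definition: `# hashlimit, hashlimit-upto and hashlimit-above are mutually exclusive in xt_hashlimit; combining them fails at iptables load time, not here`. The `=s` type on `hashlimit-srcmask`/`hashlimit-dstmask` likewise passes any string through, so a prefix length outside 0-32 (IPv4) or 0-128 (IPv6) also surfaces only at load time; that is consistent with the existing `=s` options here but worth a note for the same reason. If the manual's hashlimit section enumerates the accepted keywords, it should gain the four new ones in the same commit.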
@@ -1,3 +1,5 @@
 iptables -t filter -A INPUT -m hashlimit --hashlimit 10/minute --hashlimit-burst 30/minute --hashlimit-mode dstip --hashlimit-name foobar -j DROP
 iptables -t filter -A INPUT -m hashlimit --hashlimit-htable-size 1024 --hashlimit-htable-max 4096 --hashlimit-htable-expire 600 --hashlimit-htable-gcinterval 180 -j ACCEPT
 iptables -t filter -A INPUT -m hashlimit --hashlimit-mode dstip,srcip -j DROP
+iptables -t filter -A INPUT -m hashlimit --hashlimit-upto 10/minute --hashlimit-mode dstip --hashlimit-dstmask 24 -j ACCEPT
+iptables -t filter -A INPUT -m hashlimit --hashlimit-above 10/minute --hashlimit-mode srcip --hashlimit-srcmask 24 -j ACCEPT
-- 
2.11.4.GIT