author | Shivani Bhardwaj <shivanib134@gmail.com> | 2015-12-23 03:25:21 +0530 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-02-16 19:30:22 +0100 |
commit | a8dfbe3a3acb2181c06aad814f18397b44f312cc (patch) | |
tree | ce723b3043d91117cb27ec017ff74df2df9316a0 /extensions/libxt_limit.c | |
parent | d0125f890698dd84553db3d27eea7e36ebbdbf88 (diff) |
extensions: libxt_limit: Add translation to nft
Add translation for module limit to nftables.
Examples:
$ sudo iptables-translate -A INPUT -m limit --limit 5/s
nft add rule ip filter INPUT limit rate 5/second counter
$ sudo iptables-translate -A INPUT -m limit --limit 3/m --limit-burst 3
nft add rule ip filter INPUT limit rate 3/minute burst 3 packets counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libxt_limit.c')
-rw-r--r-- | extensions/libxt_limit.c | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index f75ef2f8..a018f87b 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -152,6 +152,44 @@ static void limit_save(const void *ip, const struct xt_entry_match *match)
 printf(" --limit-burst %u", r->burst);
 }

+static const struct rates rates_xlate[] = {
+ { "day", XT_LIMIT_SCALE * 24 * 60 * 60 },
+ { "hour", XT_LIMIT_SCALE * 60 * 60 },
+ { "minute", XT_LIMIT_SCALE * 60 },
+ { "second", XT_LIMIT_SCALE }
+};
+
+static void print_rate_xlate(uint32_t period, struct xt_buf *buf)
+{
+ unsigned int i;
+
+ if (period == 0) {
+ xt_buf_add(buf, " %f ", INFINITY);
+ return;
+ }
+
+ for (i = 1; i < ARRAY_SIZE(rates); ++i)
+ if (period > rates_xlate[i].mult ||
+ rates_xlate[i].mult / period < rates_xlate[i].mult % period)
+ break;
+
+ xt_buf_add(buf, " %u/%s ", rates_xlate[i - 1].mult / period,
+ rates_xlate[i - 1].name);
+}
+
+static int limit_xlate(const struct xt_entry_match *match,
+ struct xt_buf *buf, int numeric)
+{
+ const struct xt_rateinfo *r = (const void *)match->data;
+
+ xt_buf_add(buf, "limit rate");
+ print_rate_xlate(r->avg, buf);
+ if (r->burst != XT_LIMIT_BURST)
+ xt_buf_add(buf, "burst %u packets ", r->burst);
+
+ return 1;
+}
+
 static struct xtables_match limit_match = {
 .family = NFPROTO_UNSPEC,
 .name = "limit",
@@ -164,6 +202,7 @@ static struct xtables_match limit_match = {
 .print = limit_print,
 .save = limit_save,
 .x6_options = limit_opts,
+ .xlate = limit_xlate,
 };

 void _init(void) |
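Review bot: The search loop in print_rate_xlate bounds itself with `ARRAY_SIZE(rates)` while every access inside it indexes the new `rates_xlate` table, so the loop bound and the table it walks are two different objects; `rates` is defined outside this hunk, and if it ever carries more entries than `rates_xlate` the loop reads past the end of the new array before `i - 1` is used in the final xt_buf_add. Bounding the loop by the table actually indexed, `for (i = 1; i < ARRAY_SIZE(rates_xlate); ++i)`, removes that coupling at no cost. Separately, the `period == 0` branch emits `" %f "` with INFINITY, which puts the text `inf` into the generated nft rule; this presumably mirrors the existing print path, but nft has no such rate syntax, so if a zero avg can reach this function it would be more useful to return 0 from limit_xlate (which appears to be the "cannot translate" signal) than to produce a rule nft will reject. Both limit_save and limit_match continue outside this hunk.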