author: Phil Oester <kernel@linuxace.com> 2013-10-22 10:48:22 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-10-22 10:49:02 +0200
commit: e91ea14da66759c71d5c2a581b82c2508a02f60a
tree: eaf91c52854f877bf66e130962b90d164fcc4220 /include/libnftables
parent: bc7b5e747f70d229ca5d5fb0709548a47e2830fc
expr: limit: operational limit match
The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue.

A few notes on the implementation:

- Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level??

- 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit.

- 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match.

This closes netfilter bugzilla #827, reported by Eric Leblond.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/libnftables')
-rw-r--r-- include/libnftables/expr.h 2
1 files changed, 1 insertions, 1 deletions
diff --git a/include/libnftables/expr.h b/include/libnftables/expr.h
index b8f1d1e..232a810 100644
--- a/include/libnftables/expr.h
+++ b/include/libnftables/expr.h
@@ -134,7 +134,7 @@ enum {
enum {
NFT_EXPR_LIMIT_RATE = NFT_RULE_EXPR_ATTR_BASE,
- NFT_EXPR_LIMIT_DEPTH,
+ NFT_EXPR_LIMIT_UNIT,
};
#ifdef __cplusplus
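Review bot: NFT_EXPR_LIMIT_UNIT takes over the enum slot that NFT_EXPR_LIMIT_DEPTH held in this public header (the value immediately after NFT_EXPR_LIMIT_RATE), so the same attribute number now carries a different meaning and the old name disappears without a transition. Callers that still reference NFT_EXPR_LIMIT_DEPTH will fail to build, and anything compiled against the previous header would pass a depth where a unit is now expected. Consider noting the rename as an API break in the release notes, and add a short comment beside NFT_EXPR_LIMIT_UNIT stating what the unit value represents and which values are accepted, since the commit message says sub-second units are no longer supported but the header gives no hint of that.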