authorPablo Neira Ayuso <pablo@netfilter.org>2018-12-03 17:06:21 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-12-03 17:09:28 +0100
commit1018eae77176cffd39bad0e499010923642c2cba (patch)
tree72e181533c2607a896c7ed92c038797539637737
parentfe573574fcb2605bc9011c621f44654707180765 (diff)
parser: bail out on incorrect burst unit
Burst can be either bytes or packets, depending on the rate limit unit. # nft add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets Error: syntax error, unexpected packets, expecting string or bytes add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets ^^^^^^^ Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1306 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/parser_bison.y15
-rw-r--r--tests/py/any/limit.t2
2 files changed, 11 insertions, 6 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index e73e1ecd..34202b04 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -590,7 +590,7 @@ int nft_lex(void *, void *, void *);
%type <val> level_type log_flags log_flags_tcp log_flag_tcp
%type <stmt> limit_stmt quota_stmt connlimit_stmt
%destructor { stmt_free($$); } limit_stmt quota_stmt connlimit_stmt
-%type <val> limit_burst limit_mode time_unit quota_mode
+%type <val> limit_burst_pkts limit_burst_bytes limit_mode time_unit quota_mode
%type <stmt> reject_stmt reject_stmt_alloc
%destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
%type <stmt> nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
@@ -2475,7 +2475,7 @@ log_flag_tcp : SEQUENCE
}
;
-limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst
+limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
$$ = limit_stmt_alloc(&@$);
$$->limit.rate = $4;
@@ -2484,7 +2484,7 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst
$$->limit.type = NFT_LIMIT_PKTS;
$$->limit.flags = $3;
}
- | LIMIT RATE limit_mode NUM STRING limit_burst
+ | LIMIT RATE limit_mode NUM STRING limit_burst_bytes
{
struct error_record *erec;
uint64_t rate, unit;
@@ -2565,8 +2565,11 @@ limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
| /* empty */ { $$ = 0; }
;
-limit_burst : /* empty */ { $$ = 0; }
+limit_burst_pkts : /* empty */ { $$ = 0; }
| BURST NUM PACKETS { $$ = $2; }
+ ;
+
+limit_burst_bytes : /* empty */ { $$ = 0; }
| BURST NUM BYTES { $$ = $2; }
| BURST NUM STRING
{
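Review bot: The split into `limit_burst_pkts` and `limit_burst_bytes` carries no comment saying which rate form each rule pairs with, so a later production could reference the wrong one and quietly re-accept a mismatched burst unit. I would add `/* burst for packet rates (NUM SLASH time_unit): only BURST NUM PACKETS */` above `limit_burst_pkts` and `/* burst for byte rates (NUM STRING): BYTES or a unit string */` above `limit_burst_bytes`. Separately, both rules pass `$2` through without a range check in the lines shown; whether the burst field it ends up in is as wide as NUM is not visible here, so that is worth confirming. The `BURST NUM STRING` action continues outside the hunk.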
@@ -3532,7 +3535,7 @@ ct_obj_alloc :
}
;
-limit_config : RATE limit_mode NUM SLASH time_unit limit_burst
+limit_config : RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
struct limit *limit;
limit = xzalloc(sizeof(*limit));
@@ -3543,7 +3546,7 @@ limit_config : RATE limit_mode NUM SLASH time_unit limit_burst
limit->flags = $2;
$$ = limit;
}
- | RATE limit_mode NUM STRING limit_burst
+ | RATE limit_mode NUM STRING limit_burst_bytes
{
struct limit *limit;
struct error_record *erec;
diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t
index 8180bea3..ef7f9313 100644
--- a/tests/py/any/limit.t
+++ b/tests/py/any/limit.t
@@ -14,6 +14,7 @@ limit rate 400/hour;ok
limit rate 40/day;ok
limit rate 400/week;ok
limit rate 1023/second burst 10 packets;ok
+limit rate 1023/second burst 10 bytes;fail
limit rate 1 kbytes/second;ok
limit rate 2 kbytes/second;ok
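Review bot: The new `;fail` cases exercise only the `limit` statement, while the same commit also changes both `limit_config` alternatives in src/parser_bison.y (presumably the named limit definition syntax) and the diffstat shows no test file touching that path. A matching pair of failing cases there would keep the two grammar entry points from regressing independently. For the statement itself, a unit-string burst on a packet rate is also untested; `limit rate 1023/second burst 10 kbytes;fail` next to the added `burst 10 bytes` line would cover the `BURST NUM STRING` alternative being rejected.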
@@ -21,6 +22,7 @@ limit rate 1025 kbytes/second;ok
limit rate 1023 mbytes/second;ok
limit rate 10230 mbytes/second;ok
limit rate 1023000 mbytes/second;ok
+limit rate 512 kbytes/second burst 5 packets;fail
limit rate 1025 bytes/second burst 512 bytes;ok
limit rate 1025 kbytes/second burst 1023 kbytes;ok