| author | Phil Oester <kernel@linuxace.com> | 2013-10-05 09:44:56 -0700 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-22 10:52:32 +0200 |
| commit | b259d1aca0db1bed5af3e4fe378f8aeb4d3ce645 (patch) | |
| tree | 0dea304c654a8c4d107720b4c73a561f623b1468 /src/netlink_linearize.c | |
| parent | 2855909e46f4646f137a96892bd5c465fa1193f8 (diff) | |
src: operational limit match
The nft limit match currently does not work at all. Below patches to nftables,
libnftables, and kernel address the issue. A few notes on the implementation:
- Removed support for nano/micro/milli second limits. These seem pointless,
given we are using jiffies in the limit match, not a hpet. And who really
needs to limit items down to sub-second level??
- 'depth' member is removed as unnecessary. All we need in the kernel is the
rate and the unit.
- 'stamp' member becomes the time we need to next refresh the token bucket,
instead of being updated on every packet which goes through the match.
This closes netfilter bugzilla #827, reported by Eric Leblond.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_linearize.c')
-rw-r--r-- | src/netlink_linearize.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index 72c59e56..fd91155b 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -551,8 +551,8 @@ static void netlink_gen_limit_stmt(struct netlink_linearize_ctx *ctx, struct nft_rule_expr *nle; nle = alloc_nft_expr("limit"); - nft_rule_expr_set_u32(nle, NFT_EXPR_LIMIT_RATE, stmt->limit.rate); - nft_rule_expr_set_u32(nle, NFT_EXPR_LIMIT_DEPTH, stmt->limit.depth); + nft_rule_expr_set_u64(nle, NFT_EXPR_LIMIT_RATE, stmt->limit.rate); + nft_rule_expr_set_u64(nle, NFT_EXPR_LIMIT_UNIT, stmt->limit.unit); nft_rule_add_expr(ctx->nlr, nle); } |
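Review bot: the switch from nft_rule_expr_set_u32 to nft_rule_expr_set_u64 in netlink_gen_limit_stmt is only correct if stmt->limit.rate and stmt->limit.unit are 64-bit fields and the NFT_EXPR_LIMIT_RATE / NFT_EXPR_LIMIT_UNIT attributes are declared as 64-bit on the library side; with a mismatch the value is silently truncated or the attribute is rejected, and the rate limit then does not behave as written in the rule. Please confirm the struct and the attribute definitions are updated in the companion libnftables patch the commit message refers to, and that every remaining reference to stmt->limit.depth (parser, evaluation, printing) is removed, since this hunk drops the only place it was emitted. The diffstat is limited to src/netlink_linearize.c, so the matching read path in netlink_delinearize.c (NFT_EXPR_LIMIT_UNIT with a u64 getter) is not visible here; without it, rules listed back from the kernel would still show the old depth semantics, which is worth checking before merge.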