authorPablo Neira Ayuso <>2015-12-09 22:55:30 +0100
committerPablo Neira Ayuso <>2016-01-14 18:54:39 +0100
commit3f5ef7d63f9ef70855dedd9b5aa7eba2f63a1ec7 (patch)
treef4defb46c5fd28345ebb21c0c3828e1eb0cd23b4 /src/netlink_linearize.c
parent510e800e72e177a9070129b63fa232f065f54c02 (diff)
src: support limit rate over value
So far it was only possible to match packets under a rate limit. This patch allows you to explicitly indicate whether you want to match packets that go over the rate limit or packets up to the rate limit (until), e.g. ... limit rate over 3/second counter log prefix "OVERLIMIT: " drop ... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop ... ct state invalid limit rate until 1/second counter log prefix "INVALID: " When listing a rate limit that uses until, this shows: ... ct state invalid limit rate 1/second counter log prefix "INVALID: " Thus, the existing syntax is still valid (i.e. it defaults to rate limit until). Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'src/netlink_linearize.c')
1 files changed, 1 insertions, 0 deletions
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index c77c462b..0dc7f97e 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -793,6 +793,7 @@ static void netlink_gen_limit_stmt(struct netlink_linearize_ctx *ctx,
if (stmt->limit.burst > 0)
nftnl_expr_set_u32(nle, NFTNL_EXPR_LIMIT_BURST,
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_LIMIT_FLAGS, stmt->limit.flags);
nftnl_rule_add_expr(ctx->nlr, nle);
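Review bot: The added `nftnl_expr_set_u32(nle, NFTNL_EXPR_LIMIT_FLAGS, stmt->limit.flags);` emits the flags attribute on every limit expression, whereas the burst attribute just above it is only sent when `stmt->limit.burst > 0`. Guarding it the same way, `if (stmt->limit.flags) nftnl_expr_set_u32(nle, NFTNL_EXPR_LIMIT_FLAGS, stmt->limit.flags);`, would keep the netlink message for a default (until) rule identical to what was sent before this patch. The hunk cannot show how a kernel without this attribute reacts, but if it ignores it rather than rejecting the rule, a `limit rate over ... drop` rule would load as an until match and drop the conforming traffic instead. A short comment here stating that `over` needs kernel support for the flags attribute would help. The hunk as shown is incomplete, and the body of netlink_gen_limit_stmt starts outside it.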