author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-12-09 22:55:30 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-01-14 18:54:39 +0100 |
commit | 3f5ef7d63f9ef70855dedd9b5aa7eba2f63a1ec7 (patch) | |
tree | f4defb46c5fd28345ebb21c0c3828e1eb0cd23b4 /src/parser_bison.y | |
parent | 510e800e72e177a9070129b63fa232f065f54c02 (diff) |
src: support limit rate over value
So far it was only possible to match packets under a rate limit; this
patch allows you to explicitly indicate whether you want to match packets
that go over or remain under ("until") the rate limit, e.g.
... limit rate over 3/second counter log prefix "OVERLIMIT: " drop
... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop
... ct state invalid limit rate until 1/second counter log prefix "INVALID: "
When listing rate limit until, this shows:
... ct state invalid limit rate 1/second counter log prefix "INVALID: "
thus, the existing syntax is still valid (i.e. default to rate limit until).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
-rw-r--r-- | src/parser_bison.y | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 833e7f5d..514dd7eb 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -367,6 +367,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token LIMIT "limit"
 %token RATE "rate"
 %token BURST "burst"
+%token OVER "over"
+%token UNTIL "until"
 %token NANOSECOND "nanosecond"
 %token MICROSECOND "microsecond"
@@ -458,7 +460,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %type <val> level_type
 %type <stmt> limit_stmt
 %destructor { stmt_free($$); } limit_stmt
-%type <val> limit_burst time_unit
+%type <val> limit_burst limit_mode time_unit
 %type <stmt> reject_stmt reject_stmt_alloc
 %destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
 %type <stmt> nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
@@ -1467,33 +1469,40 @@ level_type : LEVEL_EMERG { $$ = LOG_EMERG; }
 | LEVEL_DEBUG { $$ = LOG_DEBUG; }
 ;
-limit_stmt : LIMIT RATE NUM SLASH time_unit limit_burst
+limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst
 {
 $$ = limit_stmt_alloc(&@$);
- $$->limit.rate = $3;
- $$->limit.unit = $5;
- $$->limit.burst = $6;
+ $$->limit.rate = $4;
+ $$->limit.unit = $6;
+ $$->limit.burst = $7;
 $$->limit.type = NFT_LIMIT_PKTS;
+ $$->limit.flags = $3;
 }
- | LIMIT RATE NUM STRING limit_burst
+ | LIMIT RATE limit_mode NUM STRING limit_burst
 {
 struct error_record *erec;
 uint64_t rate, unit;
- erec = rate_parse(&@$, $4, &rate, &unit);
+ erec = rate_parse(&@$, $5, &rate, &unit);
 if (erec != NULL) {
 erec_queue(erec, state->msgs);
 YYERROR;
 }
 $$ = limit_stmt_alloc(&@$);
- $$->limit.rate = rate * $3;
+ $$->limit.rate = rate * $4;
 $$->limit.unit = unit;
- $$->limit.burst = $5;
+ $$->limit.burst = $6;
 $$->limit.type = NFT_LIMIT_PKT_BYTES;
+ $$->limit.flags = $3;
 }
 ;
+limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
+ | UNTIL { $$ = 0; }
+ | /* empty */ { $$ = 0; }
+ ;
+
 limit_burst : /* empty */ { $$ = 0; }
 | BURST NUM PACKETS { $$ = $2; }
 | BURST NUM BYTES { $$ = $2; }
|
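Review bot: `limit_mode` maps `OVER` to `NFT_LIMIT_F_INV` while `UNTIL` and the empty alternative both yield 0, and nothing in the grammar says why the keyword inverts the match; a one-line comment above the rule such as `/* "over" sets NFT_LIMIT_F_INV so the rule matches once the rate is exceeded; "until" is the default (no flag) */` would spare the next reader a trip to the kernel header. In the STRING alternative the renumbered `$$->limit.rate = rate * $4;` still multiplies the user-supplied NUM by the unit multiplier returned by rate_parse() with no overflow check, so an oversized number in a ruleset can wrap to a small value and the resulting limit would silently differ from what was written. That predates this commit, but since the line is touched anyway a guard such as `if ($4 != 0 && rate > UINT64_MAX / $4)` before the multiply, reported through the same erec_queue()/YYERROR path the rate_parse() failure above uses, would close it (assuming NUM is carried as an unsigned 64-bit value, as `rate` visibly is). Both limit_stmt alternatives are fully inside the hunk; whether `limit.flags` is narrower than the `<val>` type declared for `limit_mode` cannot be seen from here.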