diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-30 16:51:35 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-31 13:57:26 +0200 |
| commit | 702eff5b5b748842d27811dfb22ed0c7e7003a97 (patch) | |
| tree | 8a3afdcf81ad3ec05e0819d9682deb7a895a10a3 /src/statement.c | |
| parent | 7284e79fcafe76ada4c73761bde125e836a5e3fa (diff) | |
src: allow burst 0 for byte ratelimit and use it as default
Packet-based limit burst is set to 5, as in iptables. However,
byte-based limit burst adds to the rate to calculate the bucket size,
and this is also sets this to 5 (... bytes in this case). Update it to
use zero byte burst by default instead.
This patch also updates manpage to describe how the burst value
influences the kernel module's token bucket in each of the two modes.
This documentation update is based on original text by Phil Sutter.
Adjust tests/py to silence warnings due to mismatching byte burst.
Fixes: 285baccfea46 ("src: disallow burst 0 in ratelimits")
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/statement.c')
| -rw-r--r-- | src/statement.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/statement.c b/src/statement.c index 30caf9c7..327d00f9 100644 --- a/src/statement.c +++ b/src/statement.c @@ -465,7 +465,7 @@ static void limit_stmt_print(const struct stmt *stmt, struct output_ctx *octx) nft_print(octx, "limit rate %s%" PRIu64 " %s/%s", inv ? "over " : "", rate, data_unit, get_unit(stmt->limit.unit)); - if (stmt->limit.burst != 5) { + if (stmt->limit.burst != 0) { uint64_t burst; data_unit = get_rate(stmt->limit.burst, &burst); |