From b259d1aca0db1bed5af3e4fe378f8aeb4d3ce645 Mon Sep 17 00:00:00 2001
From: Phil Oester
Date: Sat, 5 Oct 2013 09:44:56 -0700
Subject: src: operational limit match

The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue.

A few notes on the implementation:

- Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level??

- 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit.

- 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match.

This closes netfilter bugzilla #827, reported by Eric Leblond.

Signed-off-by: Phil Oester
Signed-off-by: Pablo Neira Ayuso
---
 src/netlink_delinearize.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/netlink_delinearize.c')

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index d80fc78d..3bb143b8 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -385,8 +385,8 @@ static void netlink_parse_limit(struct netlink_parse_ctx *ctx,
 	struct stmt *stmt;
 	stmt = limit_stmt_alloc(loc);
-	stmt->limit.rate = nft_rule_expr_get_u32(nle, NFT_EXPR_LIMIT_RATE);
-	stmt->limit.depth = nft_rule_expr_get_u32(nle, NFT_EXPR_LIMIT_DEPTH);
+	stmt->limit.rate = nft_rule_expr_get_u64(nle, NFT_EXPR_LIMIT_RATE);
+	stmt->limit.unit = nft_rule_expr_get_u64(nle, NFT_EXPR_LIMIT_UNIT);
 	list_add_tail(&stmt->list, &ctx->rule->stmts);
 }
-- 
cgit v1.2.3
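Review bot: The two added lines widen the getters to `nft_rule_expr_get_u64`, but the declaration of `stmt->limit.rate` and the new `stmt->limit.unit` field is not in this diff (the page is limited to src/netlink_delinearize.c), so nothing here shows that those members are 64-bit wide; if they are still the `uint32_t` the replaced `_get_u32` calls imply, the assignment silently truncates the value the kernel reported and the rule would be printed with a wrong rate or unit. The header change that widens `struct limit_stmt` belongs in the same series and is worth confirming before merge. A second, smaller point: the parse path takes the attributes unconditionally, so a limit expression received without `NFT_EXPR_LIMIT_UNIT` set yields whatever the getter returns for an absent attribute (presumably 0), and a zero unit is a value downstream code may not expect; a one-line comment such as `/* unit is the time base the kernel rate is expressed in; 0 is never a valid unit */` above the assignment would document the assumption. netlink_parse_limit's signature starts outside the hunk.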