From b259d1aca0db1bed5af3e4fe378f8aeb4d3ce645 Mon Sep 17 00:00:00 2001
From: Phil Oester
Date: Sat, 5 Oct 2013 09:44:56 -0700
Subject: src: operational limit match

The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue. A few notes on the implementation:
- Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level??
- 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit.
- 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match.
This closes netfilter bugzilla #827, reported by Eric Leblond.

Signed-off-by: Phil Oester
Signed-off-by: Pablo Neira Ayuso
---
 src/parser.y | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
(limited to 'src/parser.y')

diff --git a/src/parser.y b/src/parser.y
index 074f0758..cfe1e863 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -1003,14 +1003,11 @@ limit_stmt : LIMIT RATE NUM SLASH time_unit
 }
 ;
 
-time_unit : NANOSECOND { $$ = 1ULL; }
- | MICROSECOND { $$ = 1ULL * 1000; }
- | MILLISECOND { $$ = 1ULL * 1000 * 1000; }
- | SECOND { $$ = 1ULL * 1000 * 1000 * 1000; }
- | MINUTE { $$ = 1ULL * 1000 * 1000 * 1000 * 60; }
- | HOUR { $$ = 1ULL * 1000 * 1000 * 1000 * 60 * 60; }
- | DAY { $$ = 1ULL * 1000 * 1000 * 1000 * 60 * 60 * 24; }
- | WEEK { $$ = 1ULL * 1000 * 1000 * 1000 * 60 * 60 * 24 * 7; }
+time_unit : SECOND { $$ = 1ULL; }
+ | MINUTE { $$ = 1ULL * 60; }
+ | HOUR { $$ = 1ULL * 60 * 60; }
+ | DAY { $$ = 1ULL * 60 * 60 * 24; }
+ | WEEK { $$ = 1ULL * 60 * 60 * 24 * 7; }
 ;
 
 reject_stmt : _REJECT
-- cgit v1.2.3
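Review bot: The new `time_unit` rule silently changes the meaning of `$$` from nanoseconds to seconds, but nothing in the grammar records that, so the next reader of the bare `1ULL * 60 * 60 * 24 * 7` table has to rediscover the unit from the commit history. A one-line comment above the rule would pin it down, e.g. `/* time_unit yields a multiplier in whole seconds; sub-second units are intentionally not accepted (the kernel limit match counts in jiffies) */`. The `limit_stmt` action that consumes this value starts above the hunk, so whether it still scales the rate as if the unit were nanoseconds cannot be confirmed from this patch alone and is worth checking alongside the libnftables and kernel changes the message refers to. The removed `NANOSECOND`/`MICROSECOND`/`MILLISECOND` alternatives are also presumably still declared as tokens elsewhere in the grammar and scanner; if so, bison will flag them as unused, and the scanner will keep recognising input it can no longer parse.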