From 3f5ef7d63f9ef70855dedd9b5aa7eba2f63a1ec7 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 9 Dec 2015 22:55:30 +0100 Subject: src: support limit rate over value So far it was only possible to match packet under a rate limit, this patch allows you to explicitly indicate if you want to match packets that goes over or until the rate limit, eg. ... limit rate over 3/second counter log prefix "OVERLIMIT: " drop ... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop ... ct state invalid limit rate until 1/second counter log prefix "INVALID: " When listing rate limit until, this shows: ... ct state invalid limit rate 1/second counter log prefix "INVALID: " thus, the existing syntax is still valid (i.e. default to rate limit until). Signed-off-by: Pablo Neira Ayuso --- src/parser_bison.y | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) (limited to 'src/parser_bison.y') diff --git a/src/parser_bison.y b/src/parser_bison.y index 833e7f5d..514dd7eb 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -367,6 +367,8 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token LIMIT "limit" %token RATE "rate" %token BURST "burst" +%token OVER "over" +%token UNTIL "until" %token NANOSECOND "nanosecond" %token MICROSECOND "microsecond" @@ -458,7 +460,7 @@ static void location_update(struct location *loc, struct location *rhs, int n) %type level_type %type limit_stmt %destructor { stmt_free($$); } limit_stmt -%type limit_burst time_unit +%type limit_burst limit_mode time_unit %type reject_stmt reject_stmt_alloc %destructor { stmt_free($$); } reject_stmt reject_stmt_alloc %type nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc @@ -1467,33 +1469,40 @@ level_type : LEVEL_EMERG { $$ = LOG_EMERG; } | LEVEL_DEBUG { $$ = LOG_DEBUG; } ; -limit_stmt : LIMIT RATE NUM SLASH time_unit limit_burst +limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst { $$ = limit_stmt_alloc(&@$); - $$->limit.rate = $3; - $$->limit.unit = $5; - $$->limit.burst = $6; + $$->limit.rate = $4; + $$->limit.unit = $6; + $$->limit.burst = $7; $$->limit.type = NFT_LIMIT_PKTS; + $$->limit.flags = $3; } - | LIMIT RATE NUM STRING limit_burst + | LIMIT RATE limit_mode NUM STRING limit_burst { struct error_record *erec; uint64_t rate, unit; - erec = rate_parse(&@$, $4, &rate, &unit); + erec = rate_parse(&@$, $5, &rate, &unit); if (erec != NULL) { erec_queue(erec, state->msgs); YYERROR; } $$ = limit_stmt_alloc(&@$); - $$->limit.rate = rate * $3; + $$->limit.rate = rate * $4; $$->limit.unit = unit; - $$->limit.burst = $5; + $$->limit.burst = $6; $$->limit.type = NFT_LIMIT_PKT_BYTES; + $$->limit.flags = $3; } ; +limit_mode : OVER { $$ = NFT_LIMIT_F_INV; } + | UNTIL { $$ = 0; } + | /* empty */ { $$ = 0; } + ; + limit_burst : /* empty */ { $$ = 0; } | BURST NUM PACKETS { $$ = $2; } | BURST NUM BYTES { $$ = $2; } -- cgit v1.2.3