From 702eff5b5b748842d27811dfb22ed0c7e7003a97 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 30 Aug 2022 16:51:35 +0200
Subject: src: allow burst 0 for byte ratelimit and use it as default

Packet-based limit burst is set to 5, as in iptables. However, byte-based limit burst adds to the rate to calculate the bucket size, and this is also sets this to 5 (... bytes in this case). Update it to use zero byte burst by default instead.

This patch also updates manpage to describe how the burst value influences the kernel module's token bucket in each of the two modes. This documentation update is based on original text by Phil Sutter.

Adjust tests/py to silence warnings due to mismatching byte burst.

Fixes: 285baccfea46 ("src: disallow burst 0 in ratelimits")
Acked-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
 src/parser_json.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src/parser_json.c')

diff --git a/src/parser_json.c b/src/parser_json.c
index 9e93927a..2437b1ba 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -1826,7 +1826,7 @@ static struct stmt *json_parse_limit_stmt(struct json_ctx *ctx,
 const char *key, json_t *value)
 {
 struct stmt *stmt;
- uint64_t rate, burst = 5;
+ uint64_t rate, burst = 0;
 const char *rate_unit = "packets", *time, *burst_unit = "bytes";
 int inv = 0;
@@ -1840,6 +1840,9 @@ static struct stmt *json_parse_limit_stmt(struct json_ctx *ctx,
 stmt = limit_stmt_alloc(int_loc);
 
 if (!strcmp(rate_unit, "packets")) {
+ if (burst == 0)
+ burst = 5;
+
 stmt->limit.type = NFT_LIMIT_PKTS;
 stmt->limit.rate = rate;
 stmt->limit.burst = burst;
--
cgit v1.2.3
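Review bot: An explicit burst of 0 in a packet-based limit is now silently rewritten to 5 by the `if (burst == 0) burst = 5;` added in the second hunk, because the same `burst` variable carries both the new default from the first hunk and whatever the JSON supplied, so a rule that asks for no burst is installed with the iptables default and nothing tells the operator that the effective rate limit differs from the configured one. If the unpack of the "burst" key (presumably between the two hunks, not visible here) cannot distinguish an absent key from a zero, I would record whether the key was present, e.g. a `have_burst` flag set from that call, and test `if (!have_burst) burst = 5;` so that an explicit 0 can be rejected or honoured instead of changed. Failing that, the intent deserves a comment on the added check such as `/* packet limits keep the iptables default burst of 5; 0 is treated as "not given" here */`. The byte-rate arm that the subject says now accepts burst 0 is the else branch below this hunk, and the rest of json_parse_limit_stmt runs past it.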