From 285baccfea46aa61e4ed4777da23105ccf19218b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 17 Dec 2020 12:36:38 +0100
Subject: src: disallow burst 0 in ratelimits
The ratelimiter in nftables is similar to the one in iptables, and iptables disallows a zero burst. Update the byte rate limiter not to print burst 5 (default value). Update tests/py payloads to print burst 5 instead of zero when the burst is unspecified.
Signed-off-by: Pablo Neira Ayuso
---
 src/parser_bison.y | 25 +++++++++++++++++++++++--
 src/statement.c | 2 +-
 2 files changed, 24 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4d4d2038..519e8efe 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3038,6 +3038,11 @@ log_flag_tcp : SEQUENCE
 limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
 {
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
 $$ = limit_stmt_alloc(&@$);
 $$->limit.rate = $4;
 $$->limit.unit = $6;
@@ -3050,6 +3055,12 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
 struct error_record *erec;
 uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
+
 erec = rate_parse(&@$, $5, &rate, &unit);
 xfree($5);
 if (erec != NULL) {
@@ -3126,11 +3137,11 @@ limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
 | /* empty */ { $$ = 0; }
 ;
-limit_burst_pkts : /* empty */ { $$ = 0; }
+limit_burst_pkts : /* empty */ { $$ = 5; }
 | BURST NUM PACKETS { $$ = $2; }
 ;
-limit_burst_bytes : /* empty */ { $$ = 0; }
+limit_burst_bytes : /* empty */ { $$ = 5; }
 | BURST NUM BYTES { $$ = $2; }
 | BURST NUM STRING
 {
@@ -4122,6 +4133,11 @@ set_elem_stmt : COUNTER
 }
 | LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
 {
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
 $$ = limit_stmt_alloc(&@$);
 $$->limit.rate = $4;
 $$->limit.unit = $6;
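Review bot: The zero-burst check added at the top of this action is the same five lines that the byte-rate variant and both set_elem_stmt copies add, so the grammar now carries four verbatim copies of it. The natural home is the `BURST NUM PACKETS` / `BURST NUM BYTES` / `BURST NUM STRING` alternatives of `limit_burst_pkts` and `limit_burst_bytes`, where `if ($2 == 0) { erec_queue(error(&@2, "limit burst must be > 0"), state->msgs); YYERROR; }` runs once, `@2` points at the offending number rather than at the whole nonterminal, and any future rule that reuses the burst nonterminals is covered without remembering to copy the check. The action of `limit_stmt` continues past the end of the hunk.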
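Review bot: The new early exit in the byte-rate action runs before `xfree($5)`, so the rate string owned by `$5` leaks on the `burst 0` error path; if I read Bison's yacc.c skeleton right it deliberately does not reclaim the right-hand-side symbols of the rule whose action raised YYERROR, so a `%destructor` for strings (declared outside this hunk, if at all) would not save it either. The existing error path two lines down frees the string before testing `erec`; the new one should do the same, e.g. `xfree($5);` immediately before `YYERROR;`. The set_elem_stmt copy of this rule has the same ordering.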
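Review bot: The default burst is now the bare literal `5` in both `/* empty */` alternatives here, and the printer in src/statement.c compares against the same bare literal to decide whether to print the burst, so a change on one side silently breaks the other (listing either hides a real burst or prints the default). A single named constant in a header both files include, e.g. `#define NFT_LIMIT_BURST_DEFAULT 5` with `{ $$ = NFT_LIMIT_BURST_DEFAULT; }` in both rules, keeps parser and printer in lockstep. The comment on the empty alternative could also say where the value comes from: `/* empty: same default burst as iptables -m limit, as far as I can tell */`.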
@@ -4134,6 +4150,11 @@ set_elem_stmt : COUNTER
 struct error_record *erec;
 uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
 erec = rate_parse(&@$, $5, &rate, &unit);
 xfree($5);
 if (erec != NULL) {
diff --git a/src/statement.c b/src/statement.c
index 39020857..f7f1c0c4 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -464,7 +464,7 @@ static void limit_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 nft_print(octx, "limit rate %s%" PRIu64 " %s/%s", inv ? "over " : "", rate, data_unit, get_unit(stmt->limit.unit));
- if (stmt->limit.burst > 0) {
+ if (stmt->limit.burst != 5) {
 uint64_t burst;
 data_unit = get_rate(stmt->limit.burst, &burst);
-- cgit v1.2.3
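Review bot: The zero check in this set_elem_stmt action also exits through YYERROR before the `xfree($5)` two lines below, so the rate string is leaked on the error path exactly as in the limit_stmt byte variant; `xfree($5);` should precede `YYERROR;`. This copy additionally omits the blank line the limit_stmt hunk inserts between the closing brace and `erec = rate_parse(...)`, so the two should be written identically (or, better, the check moved into the burst nonterminal so there is only one copy). The enclosing action starts and ends outside the hunk.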
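Review bot: `if (stmt->limit.burst != 5)` makes listing emit `burst 0 packets` / `burst 0 bytes` for any rule already in the kernel with a zero burst, which is exactly what this tool sent until this patch (0 was the `/* empty */` default the parser hunk replaces), and the new grammar rejects that text, so `nft list ruleset | nft -f -` will fail on pre-existing rulesets until they are reloaded. Whether the kernel itself normalises a zero burst I cannot tell from here; if it does not, the printer should either treat 0 like the default, `if (stmt->limit.burst != 5 && stmt->limit.burst != 0)`, or the commit message should state the compatibility break explicitly. Comparing against a bare `5` also duplicates the parser's default literal, so a shared named constant would stop the two drifting. `limit_stmt_print` begins outside the hunk.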