author: Liping Zhang <liping.zhang@spreadtrum.com> 2016-05-21 18:07:16 +0800
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-05-23 19:27:19 +0200
commit: 99164705ed74333d9e7e3f2e16f510749233fded
tree: dbff02adfbb4558667f197dccc5478dd693ae444
parent: aa86085188eeb4d92aff531b048e288107d12e73
extensions: libxt_limit: fix a wrong translation to nft rule
The default burst value is 5 in the iptables limit extension while it is 0 in the nft limit expression. If the burst value is the default, it will not be displayed when we dump the rules. But when we do translation from iptables rules to nft rules, we should keep the limit burst value unchanged, even if it is not displayed in iptables rules.

And now, if the limit-burst value in the iptables rule is 5 or 0, they are all translated to an nft rule without burst, which is wrong:

$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
nft add rule ip filter INPUT limit rate 10/second counter

$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
nft add rule ip filter INPUT limit rate 10/second burst 0 packets counter

Apply this patch, and the translation will become:

$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
nft add rule ip filter INPUT limit rate 10/second burst 5 packets counter

$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
nft add rule ip filter INPUT limit rate 10/second counter

Fixes: a8dfbe3a3acb ("extensions: libxt_limit: Add translation to nft")
Cc: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
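As an added example (not part of this commit and not iptables' own code), the following C model puts the pre-patch and post-patch burst conditions side by side and reproduces the four translations quoted above. The rate is passed in as an already-formatted string and struct limit_model stands in for struct xt_rateinfo; both are assumptions made so that print_rate_xlate() and the real xt_xlate buffer API stay out of the picture.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not iptables' own code: a stripped-down model of the
 * burst handling in limit_xlate() (extensions/libxt_limit.c), with the
 * pre-patch and post-patch conditions side by side.  Assumptions: the
 * rate arrives already formatted (the real code calls print_rate_xlate()
 * on r->avg), and struct limit_model stands in for struct xt_rateinfo. */

#define XT_LIMIT_BURST 5 /* iptables' default --limit-burst */

struct limit_model {
    const char *rate;   /* already-formatted rate, e.g. "10/second" */
    unsigned int burst; /* --limit-burst value as stored by iptables */
};

/* Shared emitter: writes "limit rate <rate> [burst N packets ]counter"
 * into out and returns the length, or -1 if the buffer is too small. */
static int emit_limit(const struct limit_model *r, int emit_burst,
                      char *out, size_t len)
{
    int n = snprintf(out, len, "limit rate %s ", r->rate);
    if (n < 0 || (size_t)n >= len)
        return -1;
    if (emit_burst) {
        int b = snprintf(out + n, len - n, "burst %u packets ", r->burst);
        if (b < 0 || (size_t)b >= len - n)
            return -1;
        n += b;
    }
    int c = snprintf(out + n, len - n, "counter");
    if (c < 0 || (size_t)c >= len - n)
        return -1;
    return n + c;
}

/* Pre-patch condition: the burst is omitted whenever it equals the
 * iptables default.  Because nft defaults to burst 0, an iptables burst
 * of 5 silently becomes 0 in the translated rule, while a burst of 0 is
 * written out even though nft would have used it anyway. */
int xlate_burst_old(const struct limit_model *r, char *out, size_t len)
{
    return emit_limit(r, r->burst != XT_LIMIT_BURST, out, len);
}

/* Post-patch condition: compare against nft's default instead, so the
 * burst the kernel enforces is the same before and after translation. */
int xlate_burst_new(const struct limit_model *r, char *out, size_t len)
{
    return emit_limit(r, r->burst != 0, out, len);
}

int main(void)
{
    /* The two cases from the commit message: --limit-burst 5 and 0. */
    const struct limit_model cases[] = {
        { "10/second", 5 },
        { "10/second", 0 },
    };
    char buf[128];

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        xlate_burst_old(&cases[i], buf, sizeof buf);
        printf("old, --limit-burst %u: nft add rule ip filter INPUT %s\n",
               cases[i].burst, buf);
        xlate_burst_new(&cases[i], buf, sizeof buf);
        printf("new, --limit-burst %u: nft add rule ip filter INPUT %s\n",
               cases[i].burst, buf);
    }
    return 0;
}
```

The point the model makes explicit is that the condition has to compare against the default of the target dialect (nft's 0), not the default of the source dialect (iptables' 5); omitting a token is only lossless when the consumer fills in the same value the producer meant.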
-rw-r--r--  extensions/libxt_limit.c  2
1 file changed, 1 insertion, 1 deletion
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index c88d26b8..6652849a 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -184,7 +184,7 @@ static int limit_xlate(const void *ip, const struct xt_entry_match *match,
xt_xlate_add(xl, "limit rate");
print_rate_xlate(r->avg, xl);
- if (r->burst != XT_LIMIT_BURST)
+ if (r->burst != 0)
xt_xlate_add(xl, "burst %u packets ", r->burst);
return 1;
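Review bot: the new condition `if (r->burst != 0)` replaces the named iptables constant with a bare literal, and nothing in the hunk records that this 0 is nft's default burst rather than an iptables value; a one-line comment above the test (e.g. `/* nft's limit expression defaults to burst 0; only emit a non-zero burst */`) would stop a later cleanup from "restoring" XT_LIMIT_BURST and reintroducing the lost-burst-of-5 translation the commit message describes.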