| author | Phil Oester <kernel@linuxace.com> | 2013-10-22 10:48:22 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-22 10:49:02 +0200 |
| commit | e91ea14da66759c71d5c2a581b82c2508a02f60a (patch) | |
| tree | eaf91c52854f877bf66e130962b90d164fcc4220 /include/linux/netfilter | |
| parent | bc7b5e747f70d229ca5d5fb0709548a47e2830fc (diff) | |
expr: limit: operational limit match
The nft limit match currently does not work at all. Below patches to
nftables, libnftables, and kernel address the issue. A few notes on
the implementation:
- Removed support for nano/micro/milli second limits. These seem pointless,
given we are using jiffies in the limit match, not a hpet. And who really
needs to limit items down to sub-second level??
- 'depth' member is removed as unnecessary. All we need in the kernel is the
rate and the unit.
- 'stamp' member becomes the time we need to next refresh the token bucket,
instead of being updated on every packet which goes through the match.
This closes netfilter bugzilla #827, reported by Eric Leblond.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
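As an added illustration of the design the message above describes (this is an editor's model, not the kernel's nft_limit code), a C limit match that keeps only `rate` and `unit` and refreshes its bucket once the stored `stamp` expires rather than on every packet; the tick counter `now` stands in for jiffies and `burst_passed` is constructed demo traffic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only, not the kernel's nft_limit code. The match keeps
 * just rate and unit; 'stamp' is the tick at which the bucket is next
 * refreshed. Ticks stand in for jiffies. */
struct limit {
    uint64_t rate;    /* packets allowed per unit */
    uint64_t unit;    /* refill period, in ticks */
    uint64_t tokens;  /* packets still allowed in the current period */
    uint64_t stamp;   /* tick at which tokens is reset to rate */
};

void limit_init(struct limit *l, uint64_t rate, uint64_t unit, uint64_t now)
{
    l->rate = rate;
    l->unit = unit;
    l->tokens = rate;
    l->stamp = now + unit;
}

/* True when the packet is within the limit. The bucket is refilled only
 * once the stamp has expired, not on every packet. */
bool limit_match(struct limit *l, uint64_t now)
{
    if (now >= l->stamp) {
        l->tokens = l->rate;
        l->stamp = now + l->unit;
    }
    if (l->tokens == 0)
        return false;
    l->tokens--;
    return true;
}

/* Constructed traffic: n packets 'interval' ticks apart from tick 0.
 * Returns how many pass the limit. */
size_t burst_passed(uint64_t rate, uint64_t unit, size_t n, uint64_t interval)
{
    struct limit l;
    size_t passed = 0;

    limit_init(&l, rate, unit, 0);
    for (size_t i = 0; i < n; i++)
        if (limit_match(&l, (uint64_t)i * interval))
            passed++;
    return passed;
}
```

Against a limit of 3 per 10 ticks, `burst_passed(3, 10, 8, 1)` lets 3 of 8 back-to-back packets through, while `burst_passed(3, 10, 4, 5)` lets all 4 through because the third packet arrives at tick 10, when the stamp has expired and the bucket is refilled.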
Diffstat (limited to 'include/linux/netfilter')

| -rw-r--r-- | include/linux/netfilter/nf_tables.h | 4 |
|---|---|---|

1 files changed, 2 insertions, 2 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index b690282..4ec8187 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -537,12 +537,12 @@ enum nft_ct_attributes { * enum nft_limit_attributes - nf_tables limit expression netlink attributes * * @NFTA_LIMIT_RATE: refill rate (NLA_U64) - * @NFTA_LIMIT_DEPTH: bucket depth (NLA_U64) + * @NFTA_LIMIT_UNIT: refill unit (NLA_U64) */ enum nft_limit_attributes { NFTA_LIMIT_UNSPEC, NFTA_LIMIT_RATE, - NFTA_LIMIT_DEPTH, + NFTA_LIMIT_UNIT, __NFTA_LIMIT_MAX }; #define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1) |
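Review bot: the new doc comment `@NFTA_LIMIT_UNIT: refill unit (NLA_U64)` does not say what the value measures; since the commit message drops sub-second limits and the kernel side runs on jiffies, the comment should state the unit explicitly (for example, the refill period in seconds over which `rate` packets are allowed) so that userspace encoders and the kernel decoder agree. It is also worth a sentence, in the comment or the commit message, that NFTA_LIMIT_UNIT takes over the attribute number previously held by NFTA_LIMIT_DEPTH in this UAPI header, so a userspace built against the old header would have its depth value read as a unit; the message's point that the match never worked is the justification for accepting that, and it should be recorded where the header is read.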