authorPablo Neira Ayuso <pablo@netfilter.org>2020-12-17 12:36:38 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2020-12-18 12:38:38 +0100
commit285baccfea46aa61e4ed4777da23105ccf19218b (patch)
treeaf722b8abe89bfa02e9c7561623183c741ffdb70
parente6d1d0d6119585a5cd63fcc02c0eb98e30b095cb (diff)
src: disallow burst 0 in ratelimits
The ratelimiter in nftables is similar to the one in iptables, and iptables disallows a zero burst. Update the byte rate limiter not to print burst 5 (default value). Update tests/py payloads to print burst 5 instead of zero when the burst is unspecified. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/statements.txt3
-rw-r--r--src/parser_bison.y25
-rw-r--r--src/statement.c2
-rw-r--r--tests/py/any/limit.t.payload44
4 files changed, 48 insertions, 26 deletions
diff --git a/doc/statements.txt b/doc/statements.txt
index beebba16..aac7c7d6 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -324,7 +324,8 @@ ____
A limit statement matches at a limited rate using a token bucket filter. A rule
using this statement will match until this limit is reached. It can be used in
combination with the log statement to give limited logging. The optional
-*over* keyword makes it match over the specified rate.
+*over* keyword makes it match over the specified rate. Default *burst* is 5.
+if you specify *burst*, it must be non-zero value.
.limit statement values
[options="header"]
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4d4d2038..519e8efe 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3038,6 +3038,11 @@ log_flag_tcp : SEQUENCE
limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
$$ = limit_stmt_alloc(&@$);
$$->limit.rate = $4;
$$->limit.unit = $6;
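Review bot: The zero-burst check inserted at the top of this action is the same four-line block that this patch repeats in three other limit actions, and because `limit_burst_pkts` now defaults to 5 it can only fire when the user literally wrote `burst 0 packets`. Doing the check once in the `BURST NUM PACKETS` alternative of `limit_burst_pkts` would remove the duplication and point the error at the number itself, e.g. `| BURST NUM PACKETS { if ($2 == 0) { erec_queue(error(&@2, "limit burst must be > 0"), state->msgs); YYERROR; } $$ = $2; }`; the bytes alternatives may need the check after the unit conversion rather than on `$2`, which I cannot see from here. The `limit_stmt` action continues past the end of the hunk.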
@@ -3050,6 +3055,12 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
struct error_record *erec;
uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
+
erec = rate_parse(&@$, $5, &rate, &unit);
xfree($5);
if (erec != NULL) {
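Review bot: The new `YYERROR` at the top of this action returns before the `xfree($5)` a few lines below it, so the rate string is leaked on the zero-burst error path; bison does not run `%destructor` for the right-hand-side symbols of a rule that raises `YYERROR` from its own action, so nothing else reclaims it. Adding `xfree($5);` immediately before the `YYERROR;` keeps this path consistent with the `rate_parse` failure path just below, which frees the string first. Alternatively, checking the burst inside the `limit_burst_bytes` rule avoids the issue because that action owns no other heap value. The enclosing `limit_stmt` alternative starts before this hunk.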
@@ -3126,11 +3137,11 @@ limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
| /* empty */ { $$ = 0; }
;
-limit_burst_pkts : /* empty */ { $$ = 0; }
+limit_burst_pkts : /* empty */ { $$ = 5; }
| BURST NUM PACKETS { $$ = $2; }
;
-limit_burst_bytes : /* empty */ { $$ = 0; }
+limit_burst_bytes : /* empty */ { $$ = 5; }
| BURST NUM BYTES { $$ = $2; }
| BURST NUM STRING
{
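Review bot: The literal `5` now appears as the default in both `limit_burst_pkts` and `limit_burst_bytes` here and again in `limit_stmt_print` in statement.c, and nothing ties the three together, so a future change to one silently desynchronizes parsing and listing. A single named constant shared by both files (e.g. a `#define` for the default burst in a header both include) and a one-line comment at the rule, `/* unspecified burst: same default as iptables (5) */`, would make the coupling explicit. Note that with this default a user who explicitly writes `burst 5 packets` becomes indistinguishable from one who wrote nothing, which is fine for round-trips but worth a sentence in the documentation. The `limit_burst_bytes` rule continues past the end of the hunk.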
@@ -4122,6 +4133,11 @@ set_elem_stmt : COUNTER
}
| LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
$$ = limit_stmt_alloc(&@$);
$$->limit.rate = $4;
$$->limit.unit = $6;
@@ -4134,6 +4150,11 @@ set_elem_stmt : COUNTER
struct error_record *erec;
uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
erec = rate_parse(&@$, $5, &rate, &unit);
xfree($5);
if (erec != NULL) {
diff --git a/src/statement.c b/src/statement.c
index 39020857..f7f1c0c4 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -464,7 +464,7 @@ static void limit_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
nft_print(octx, "limit rate %s%" PRIu64 " %s/%s",
inv ? "over " : "", rate, data_unit,
get_unit(stmt->limit.unit));
- if (stmt->limit.burst > 0) {
+ if (stmt->limit.burst != 5) {
uint64_t burst;
data_unit = get_rate(stmt->limit.burst, &burst);
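Review bot: Changing the condition to `!= 5` means a rule that is already in the kernel with burst 0 — which is exactly what the previous version of nft sent, as the old test payloads in this patch show — will now be listed as `burst 0 packets`, and the parser half of this same commit rejects that text, so `nft list ruleset` output for such rules can no longer be loaded back with `nft -f`. That round-trip break deserves either handling here (for instance a decision to print nothing for a kernel burst of 0 as well, accepting that reload then yields burst 5) or at least a mention in the commit message so users of older rulesets know what to expect. Independently, the bare `5` is a magic number; a comment such as `/* 5 is the parser's default burst, so omit it from the listing */` or a shared constant would document why this value is suppressed. `limit_stmt_print` begins and ends outside this hunk.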
diff --git a/tests/py/any/limit.t.payload b/tests/py/any/limit.t.payload
index b0cc84b4..dc6cea9b 100644
--- a/tests/py/any/limit.t.payload
+++ b/tests/py/any/limit.t.payload
@@ -1,22 +1,22 @@
# limit rate 400/minute
ip test-ip4 output
- [ limit rate 400/minute burst 0 type packets flags 0x0 ]
+ [ limit rate 400/minute burst 5 type packets flags 0x0 ]
# limit rate 20/second
ip test-ip4 output
- [ limit rate 20/second burst 0 type packets flags 0x0 ]
+ [ limit rate 20/second burst 5 type packets flags 0x0 ]
# limit rate 400/hour
ip test-ip4 output
- [ limit rate 400/hour burst 0 type packets flags 0x0 ]
+ [ limit rate 400/hour burst 5 type packets flags 0x0 ]
# limit rate 400/week
ip test-ip4 output
- [ limit rate 400/week burst 0 type packets flags 0x0 ]
+ [ limit rate 400/week burst 5 type packets flags 0x0 ]
# limit rate 40/day
ip test-ip4 output
- [ limit rate 40/day burst 0 type packets flags 0x0 ]
+ [ limit rate 40/day burst 5 type packets flags 0x0 ]
# limit rate 1023/second burst 10 packets
ip test-ip4 output
@@ -24,27 +24,27 @@ ip test-ip4 output
# limit rate 1 kbytes/second
ip test-ip4 output
- [ limit rate 1024/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 1024/second burst 5 type bytes flags 0x0 ]
# limit rate 2 kbytes/second
ip test-ip4 output
- [ limit rate 2048/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 2048/second burst 5 type bytes flags 0x0 ]
# limit rate 1025 kbytes/second
ip test-ip4 output
- [ limit rate 1049600/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 1049600/second burst 5 type bytes flags 0x0 ]
# limit rate 1023 mbytes/second
ip test-ip4 output
- [ limit rate 1072693248/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 1072693248/second burst 5 type bytes flags 0x0 ]
# limit rate 10230 mbytes/second
ip test-ip4 output
- [ limit rate 10726932480/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 10726932480/second burst 5 type bytes flags 0x0 ]
# limit rate 1023000 mbytes/second
ip test-ip4 output
- [ limit rate 1072693248000/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 1072693248000/second burst 5 type bytes flags 0x0 ]
# limit rate 1025 bytes/second burst 512 bytes
ip test-ip4 output
@@ -64,23 +64,23 @@ ip test-ip4 output
# limit rate over 400/minute
ip test-ip4 output
- [ limit rate 400/minute burst 0 type packets flags 0x1 ]
+ [ limit rate 400/minute burst 5 type packets flags 0x1 ]
# limit rate over 20/second
ip test-ip4 output
- [ limit rate 20/second burst 0 type packets flags 0x1 ]
+ [ limit rate 20/second burst 5 type packets flags 0x1 ]
# limit rate over 400/hour
ip test-ip4 output
- [ limit rate 400/hour burst 0 type packets flags 0x1 ]
+ [ limit rate 400/hour burst 5 type packets flags 0x1 ]
# limit rate over 400/week
ip test-ip4 output
- [ limit rate 400/week burst 0 type packets flags 0x1 ]
+ [ limit rate 400/week burst 5 type packets flags 0x1 ]
# limit rate over 40/day
ip test-ip4 output
- [ limit rate 40/day burst 0 type packets flags 0x1 ]
+ [ limit rate 40/day burst 5 type packets flags 0x1 ]
# limit rate over 1023/second burst 10 packets
ip test-ip4 output
@@ -88,27 +88,27 @@ ip test-ip4 output
# limit rate over 1 kbytes/second
ip test-ip4 output
- [ limit rate 1024/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 1024/second burst 5 type bytes flags 0x1 ]
# limit rate over 2 kbytes/second
ip test-ip4 output
- [ limit rate 2048/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 2048/second burst 5 type bytes flags 0x1 ]
# limit rate over 1025 kbytes/second
ip test-ip4 output
- [ limit rate 1049600/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 1049600/second burst 5 type bytes flags 0x1 ]
# limit rate over 1023 mbytes/second
ip test-ip4 output
- [ limit rate 1072693248/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 1072693248/second burst 5 type bytes flags 0x1 ]
# limit rate over 10230 mbytes/second
ip test-ip4 output
- [ limit rate 10726932480/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 10726932480/second burst 5 type bytes flags 0x1 ]
# limit rate over 1023000 mbytes/second
ip test-ip4 output
- [ limit rate 1072693248000/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 1072693248000/second burst 5 type bytes flags 0x1 ]
# limit rate over 1025 bytes/second burst 512 bytes
ip test-ip4 output