path: root/src/netlink_linearize.c
diff options
authorPhil Oester <>2013-10-05 09:44:56 -0700
committerPablo Neira Ayuso <>2013-10-22 10:52:32 +0200
commitb259d1aca0db1bed5af3e4fe378f8aeb4d3ce645 (patch)
tree0dea304c654a8c4d107720b4c73a561f623b1468 /src/netlink_linearize.c
parent2855909e46f4646f137a96892bd5c465fa1193f8 (diff)
src: operational limit match
The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue. A few notes on the implementation: - Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level?? - 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit. - 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match. This closes netfilter bugzilla #827, reported by Eric Leblond. Signed-off-by: Phil Oester <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'src/netlink_linearize.c')
1 files changed, 2 insertions, 2 deletions
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 72c59e56..fd91155b 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -551,8 +551,8 @@ static void netlink_gen_limit_stmt(struct netlink_linearize_ctx *ctx,
struct nft_rule_expr *nle;
nle = alloc_nft_expr("limit");
- nft_rule_expr_set_u32(nle, NFT_EXPR_LIMIT_RATE, stmt->limit.rate);
- nft_rule_expr_set_u32(nle, NFT_EXPR_LIMIT_DEPTH, stmt->limit.depth);
+ nft_rule_expr_set_u64(nle, NFT_EXPR_LIMIT_RATE, stmt->limit.rate);
+ nft_rule_expr_set_u64(nle, NFT_EXPR_LIMIT_UNIT, stmt->limit.unit);
nft_rule_add_expr(ctx->nlr, nle);