summaryrefslogtreecommitdiffstats
path: root/tests/py/any/limit.t.payload
Commit message (Collapse)AuthorAgeFilesLines
* tests: py: remove huge-limit test casesFlorian Westphal2024-01-191-17/+0
| | | | | | | These tests will fail once the kernel checks for overflow in the internal token bucken counter, so drop them. Signed-off-by: Florian Westphal <fw@strlen.de>
* src: allow burst 0 for byte ratelimit and use it as defaultPablo Neira Ayuso2022-08-311-15/+15
| | | | | | | | | | | | | | | | | Packet-based limit burst is set to 5, as in iptables. However, byte-based limit burst adds to the rate to calculate the bucket size, and this is also sets this to 5 (... bytes in this case). Update it to use zero byte burst by default instead. This patch also updates manpage to describe how the burst value influences the kernel module's token bucket in each of the two modes. This documentation update is based on original text by Phil Sutter. Adjust tests/py to silence warnings due to mismatching byte burst. Fixes: 285baccfea46 ("src: disallow burst 0 in ratelimits") Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* parser: extend limit syntaxJeremy Sowden2021-11-031-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The documentation describes the syntax of limit statements thus: limit rate [over] packet_number / TIME_UNIT [burst packet_number packets] limit rate [over] byte_number BYTE_UNIT / TIME_UNIT [burst byte_number BYTE_UNIT] TIME_UNIT := second | minute | hour | day BYTE_UNIT := bytes | kbytes | mbytes From this one might infer that a limit may be specified by any of the following: limit rate 1048576/second limit rate 1048576 mbytes/second limit rate 1048576 / second limit rate 1048576 mbytes / second However, the last does not currently parse: $ sudo /usr/sbin/nft add filter input limit rate 1048576 mbytes / second Error: wrong rate format add filter input limit rate 1048576 mbytes / second ^^^^^^^^^^^^^^^^^^^^^^^^^ Extend the `limit_rate_bytes` parser rule to support it, and add some new Python test-cases. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: disallow burst 0 in ratelimitsPablo Neira Ayuso2020-12-181-22/+22
| | | | | | | | | | | | The ratelimiter in nftables is similar to the one in iptables, and iptables disallows a zero burst. Update the byte rate limiter not to print burst 5 (default value). Update tests/py payloads to print burst 5 instead of zero when the burst is unspecified. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support limit rate over valuePablo Neira Ayuso2016-01-141-16/+80
| | | | | | | | | | | | | | | | | | So far it was only possible to match packet under a rate limit, this patch allows you to explicitly indicate if you want to match packets that goes over or until the rate limit, eg. ... limit rate over 3/second counter log prefix "OVERLIMIT: " drop ... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop ... ct state invalid limit rate until 1/second counter log prefix "INVALID: " When listing rate limit until, this shows: ... ct state invalid limit rate 1/second counter log prefix "INVALID: " thus, the existing syntax is still valid (i.e. default to rate limit until). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/: rearrange tests directoryArturo Borrero2015-12-151-0/+64
Rearrange the directory to obtain a better organization of files and tests-suites. We end with a tree like this: tests | .--- py .--- shell .--- files This was suggested by Pablo. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>