From b259d1aca0db1bed5af3e4fe378f8aeb4d3ce645 Mon Sep 17 00:00:00 2001 From: Phil Oester Date: Sat, 5 Oct 2013 09:44:56 -0700 Subject: src: operational limit match The nft limit match currently does not work at all. Below patches to nftables, libnftables, and kernel address the issue. A few notes on the implementation: - Removed support for nano/micro/milli second limits. These seem pointless, given we are using jiffies in the limit match, not a hpet. And who really needs to limit items down to sub-second level?? - 'depth' member is removed as unnecessary. All we need in the kernel is the rate and the unit. - 'stamp' member becomes the time we need to next refresh the token bucket, instead of being updated on every packet which goes through the match. This closes netfilter bugzilla #827, reported by Eric Leblond. Signed-off-by: Phil Oester Signed-off-by: Pablo Neira Ayuso --- src/statement.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'src/statement.c') diff --git a/src/statement.c b/src/statement.c index 69db48f6..658dc5ff 100644 --- a/src/statement.c +++ b/src/statement.c @@ -144,8 +144,16 @@ struct stmt *log_stmt_alloc(const struct location *loc) static void limit_stmt_print(const struct stmt *stmt) { - printf("limit rate %" PRIu64 " depth %" PRIu64, - stmt->limit.rate, stmt->limit.depth); + static const char *units[] = { + [1] = "second", + [1 * 60] = "minute", + [1 * 60 * 60] = "hour", + [1 * 60 * 60 * 24] = "day", + [1 * 60 * 60 * 24 * 7] = "week", + }; + + printf("limit rate %" PRIu64 "/%s", + stmt->limit.rate, units[stmt->limit.unit]); } static const struct stmt_ops limit_stmt_ops = { -- cgit v1.2.3