[Bug 1214] New: Allow limit to use any value for time unit
bugzilla-daemon at netfilter.org
Wed Jan 10 18:46:33 CET 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1214
Bug ID: 1214
Summary: Allow limit to use any value for time unit
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: boite.pour.spam at gmail.com
Currently, it's not possible to set a limit for, let's say, fifteen minutes.
This is completely arbitrary, and counterproductive because there is a huge
gap between "mn" and "hour".
The underlying interface uses seconds anyway since the specified unit is
converted to seconds in
http://git.netfilter.org/nftables/tree/src/datatype.c#n1074, so it should be
possible to change:
"limit 10/mn" to "limit 10/300" (or "limit 10/300s")
This would require an additional line in the code from:
static struct error_record *time_unit_parse(const struct location *loc,
					    const char *str, uint64_t *unit)
{
	if (strcmp(str, "second") == 0)
		*unit = 1ULL;
	else if (strcmp(str, "minute") == 0)
		*unit = 1ULL * 60;
	else if (strcmp(str, "hour") == 0)
		*unit = 1ULL * 60 * 60;
	else if (strcmp(str, "day") == 0)
		*unit = 1ULL * 60 * 60 * 24;
	else if (strcmp(str, "week") == 0)
		*unit = 1ULL * 60 * 60 * 24 * 7;
	else
		return error(loc, "Wrong rate format");
	return NULL;
}
to this:
static struct error_record *time_unit_parse(const struct location *loc,
					    const char *str, uint64_t *unit)
{
	if (strcmp(str, "second") == 0)
		*unit = 1ULL;
	else if (strcmp(str, "minute") == 0)
		*unit = 1ULL * 60;
	else if (strcmp(str, "hour") == 0)
		*unit = 1ULL * 60 * 60;
	else if (strcmp(str, "day") == 0)
		*unit = 1ULL * 60 * 60 * 24;
	else if (strcmp(str, "week") == 0)
		*unit = 1ULL * 60 * 60 * 24 * 7;
	else if (*str >= '1' && *str <= '9') {	/* starts with a non-zero digit */
		/* Plain number of seconds. The digit test above (rather than
		 * strchr("123456789", *str), which also matches the terminating
		 * '\0' of an empty string) keeps "" out, and the end-pointer
		 * check rejects trailing junk such as "300abc" that
		 * strtol(str, NULL, 10) would silently ignore. */
		char *end;
		unsigned long long val = strtoull(str, &end, 10);

		if (*end != '\0' || val == 0)
			return error(loc, "Wrong rate format");
		*unit = val;
	} else
		return error(loc, "Wrong rate format");
	return NULL;
}
The bison code should also be modified to allow a number here:
limit_stmt	:	LIMIT RATE limit_mode NUM SLASH time_unit
			limit_burst
			{
				$$ = limit_stmt_alloc(&@$);
				$$->limit.rate = $4;
				$$->limit.unit = $6;
				$$->limit.burst = $7;
				$$->limit.type = NFT_LIMIT_PKTS;
				$$->limit.flags = $3;
			}
should read (kind of, untested):
limit_stmt	:	LIMIT RATE limit_mode NUM SLASH STRING
			limit_burst
			{
				struct error_record *erec;
				uint64_t unit;

				/* $6 is the STRING token ($5 is SLASH);
				 * limit_burst stays at $7 */
				erec = time_unit_parse(&@$, $6, &unit);
				xfree($6);
				if (erec != NULL) {
					erec_queue(erec, state->msgs);
					YYERROR;
				}
				$$ = limit_stmt_alloc(&@$);
				$$->limit.rate = $4;
				$$->limit.unit = unit;
				$$->limit.burst = $7;
				$$->limit.type = NFT_LIMIT_PKTS;
				$$->limit.flags = $3;
			}
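The parsing change proposed above, worked through as a stand-alone C example. This is added illustration, not nftables code and not the reporter's sketch: it keeps the five named units of time_unit_parse(), adds a raw number of seconds with the optional "s" suffix the report mentions ("limit 10/300s"), and shows the inputs a bare strtol() call would wrongly accept (empty string, signs, leading zeros, trailing text, overflow). The function name time_unit_parse_strict, the plain int return code in place of nftables' struct error_record, and the TIME_UNIT_MAX bound of one year are all assumptions made for this example.

```c
/*
 * Added example (not nftables code): a strict version of the proposed
 * numeric time unit parser. Error reporting uses a plain return code
 * instead of nftables' struct error_record so the file builds alone.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for this example (one year in seconds); real code
 * would use whatever range the kernel limit expression supports. */
#define TIME_UNIT_MAX (1ULL * 60 * 60 * 24 * 365)

/* Returns 0 and stores the unit in seconds in *unit on success,
 * -1 (with *unit untouched) on any malformed input. */
int time_unit_parse_strict(const char *str, uint64_t *unit)
{
	static const struct { const char *name; uint64_t secs; } names[] = {
		{ "second", 1ULL },
		{ "minute", 1ULL * 60 },
		{ "hour",   1ULL * 60 * 60 },
		{ "day",    1ULL * 60 * 60 * 24 },
		{ "week",   1ULL * 60 * 60 * 24 * 7 },
	};
	unsigned long long val;
	char *end;
	size_t i;

	/* strchr("123456789", '\0') would match an empty string here. */
	if (str == NULL || *str == '\0')
		return -1;

	/* Named units behave exactly as in the original function. */
	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		if (strcmp(str, names[i].name) == 0) {
			*unit = names[i].secs;
			return 0;
		}
	}

	/* Numeric form must start with a non-zero digit: this rejects "0",
	 * "007", "-5", "+5" and " 5", all of which strtoull() would accept. */
	if (*str < '1' || *str > '9')
		return -1;

	errno = 0;
	val = strtoull(str, &end, 10);
	if (errno == ERANGE)
		return -1;	/* does not fit in unsigned long long */

	/* Optional trailing "s" so that "300s" means the same as "300";
	 * any other trailing text ("300abc", "300 ") is an error. */
	if (*end == 's')
		end++;
	if (*end != '\0')
		return -1;

	if (val > TIME_UNIT_MAX)
		return -1;

	*unit = val;
	return 0;
}

/* Convenience wrapper: returns the unit in seconds, or 0 for invalid
 * input (0 is never a valid unit, so it doubles as the error value). */
uint64_t time_unit_seconds(const char *str)
{
	uint64_t unit;

	return time_unit_parse_strict(str, &unit) == 0 ? unit : 0;
}

int main(void)
{
	/* Constructed sample inputs: the report's examples plus edge cases. */
	const char *samples[] = { "minute", "900", "300s", "", "300abc", "0", "-5" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-8s -> %llu\n", samples[i],
		       (unsigned long long)time_unit_seconds(samples[i]));
	return 0;
}
```

The first-character test deliberately runs before strtoull() rather than relying on it: strtoull() skips leading whitespace and accepts a sign, so a rule written as "limit 10/ 300" or "limit 10/-300" would otherwise parse without complaint and install a limit the administrator did not write.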