* [PATCH nft] parser_bison: allow to restore limit from dynamic set
@ 2020-12-02 17:33 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2020-12-02 17:33 UTC
To: netfilter-devel
Update parser to allow restoring the limit per set element in a dynamic set.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1477
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/parser_bison.y | 32 +++++++++++++++++++
.../shell/testcases/sets/0056dynamic_limit_0 | 19 +++++++++++
2 files changed, 51 insertions(+)
create mode 100755 tests/shell/testcases/sets/0056dynamic_limit_0
diff --git a/src/parser_bison.y b/src/parser_bison.y
index a88844661af5..fb329919ea95 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4097,6 +4097,38 @@ set_elem_expr_option : TIMEOUT time_spec
stmt->counter.bytes = $5;
$<expr>0->stmt = stmt;
}
+ | LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
+ {
+ struct stmt *stmt;
+
+ stmt = limit_stmt_alloc(&@$);
+ stmt->limit.rate = $4;
+ stmt->limit.unit = $6;
+ stmt->limit.burst = $7;
+ stmt->limit.type = NFT_LIMIT_PKTS;
+ stmt->limit.flags = $3;
+ $<expr>0->stmt = stmt;
+ }
+ | LIMIT RATE limit_mode NUM STRING limit_burst_bytes
+ {
+ struct error_record *erec;
+ uint64_t rate, unit;
+ struct stmt *stmt;
+
+ erec = rate_parse(&@$, $5, &rate, &unit);
+ xfree($5);
+ if (erec != NULL) {
+ erec_queue(erec, state->msgs);
+ YYERROR;
+ }
+
+ stmt = limit_stmt_alloc(&@$);
+ stmt->limit.rate = rate * $4;
+ stmt->limit.unit = unit;
+ stmt->limit.burst = $6;
+ stmt->limit.type = NFT_LIMIT_PKT_BYTES;
+ stmt->limit.flags = $3;
+ }
| comment_spec
{
if (already_set($<expr>0->comment, &@1, state)) {
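Review bot: The byte-rate alternative (`LIMIT RATE limit_mode NUM STRING limit_burst_bytes`) allocates `stmt` and fills in its limit fields but never attaches it to the element, unlike the packet-rate alternative and the counter case above, which both end with `$<expr>0->stmt = stmt;`. As posted, the allocated statement is neither attached nor released in this action, so an element with a byte-based limit would be restored without its limit; add `$<expr>0->stmt = stmt;` before the closing brace. Separately, `stmt->limit.rate = rate * $4;` multiplies the parsed unit factor by the user-supplied NUM with no overflow check, so a large value wraps silently; consider rejecting it with an error record the same way the `rate_parse()` failure is handled.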
diff --git a/tests/shell/testcases/sets/0056dynamic_limit_0 b/tests/shell/testcases/sets/0056dynamic_limit_0
new file mode 100755
index 000000000000..21fa0bff5a61
--- /dev/null
+++ b/tests/shell/testcases/sets/0056dynamic_limit_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+ set ssh_meter {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ timeout 1m
+ elements = { 127.0.0.1 expires 52s44ms limit rate over 1/minute }
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute }
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
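Review bot: The last line feeds `$EXPECTED` to nft, but the script only defines `RULESET`, so the ruleset containing `limit rate over 1/minute` is never loaded and the new grammar is not exercised. Use `$NFT -f - <<< "$RULESET"` instead, quoted so the newlines are preserved. The test also covers only the packet-rate form; adding an element with a byte-based rate would exercise the second grammar alternative added in src/parser_bison.y.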
--
2.20.1