From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf] parser_bison: disallow burst 0 in ratelimits
Date: Thu, 17 Dec 2020 12:43:30 +0100 [thread overview]
Message-ID: <20201217114330.25719-1-pablo@netfilter.org> (raw)
The ratelimiter in nftables is similar to the one in iptables, and
iptables disallows a zero burst.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
doc/statements.txt | 3 ++-
src/parser_bison.y | 23 ++++++++++++++++++++++-
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/doc/statements.txt b/doc/statements.txt
index beebba1611a8..aac7c7d6b009 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -324,7 +324,8 @@ ____
A limit statement matches at a limited rate using a token bucket filter. A rule
using this statement will match until this limit is reached. It can be used in
combination with the log statement to give limited logging. The optional
-*over* keyword makes it match over the specified rate.
+*over* keyword makes it match over the specified rate. Default *burst* is 5.
+if you specify *burst*, it must be non-zero value.
.limit statement values
[options="header"]
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ba64dc00bee8..2667a5850c07 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3037,6 +3037,11 @@ log_flag_tcp : SEQUENCE
limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
$$ = limit_stmt_alloc(&@$);
$$->limit.rate = $4;
$$->limit.unit = $6;
@@ -3049,6 +3054,12 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
struct error_record *erec;
uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
+
erec = rate_parse(&@$, $5, &rate, &unit);
xfree($5);
if (erec != NULL) {
@@ -3125,7 +3136,7 @@ limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
| /* empty */ { $$ = 0; }
;
-limit_burst_pkts : /* empty */ { $$ = 0; }
+limit_burst_pkts : /* empty */ { $$ = 5; }
| BURST NUM PACKETS { $$ = $2; }
;
@@ -4118,6 +4129,11 @@ set_elem_stmt : COUNTER
}
| LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
$$ = limit_stmt_alloc(&@$);
$$->limit.rate = $4;
$$->limit.unit = $6;
@@ -4130,6 +4146,11 @@ set_elem_stmt : COUNTER
struct error_record *erec;
uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
erec = rate_parse(&@$, $5, &rate, &unit);
xfree($5);
if (erec != NULL) {
--
2.20.1
reply other threads:[~2020-12-17 11:44 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201217114330.25719-1-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).