* [PATCH nf] parser_bison: disallow burst 0 in ratelimits
@ 2020-12-17 11:43 Pablo Neira Ayuso
0 siblings, 0 replies; only message in thread
From: Pablo Neira Ayuso @ 2020-12-17 11:43 UTC (permalink / raw)
To: netfilter-devel
The ratelimiter in nftables is similar to the one in iptables, and
iptables disallows a zero burst.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
doc/statements.txt | 3 ++-
src/parser_bison.y | 23 ++++++++++++++++++++++-
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/doc/statements.txt b/doc/statements.txt
index beebba1611a8..aac7c7d6b009 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -324,7 +324,8 @@ ____
A limit statement matches at a limited rate using a token bucket filter. A rule
using this statement will match until this limit is reached. It can be used in
combination with the log statement to give limited logging. The optional
-*over* keyword makes it match over the specified rate.
+*over* keyword makes it match over the specified rate. Default *burst* is 5.
+if you specify *burst*, it must be non-zero value.
.limit statement values
[options="header"]
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ba64dc00bee8..2667a5850c07 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3037,6 +3037,11 @@ log_flag_tcp : SEQUENCE
limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
$$ = limit_stmt_alloc(&@$);
$$->limit.rate = $4;
$$->limit.unit = $6;
@@ -3049,6 +3054,12 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
struct error_record *erec;
uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
+
erec = rate_parse(&@$, $5, &rate, &unit);
xfree($5);
if (erec != NULL) {
@@ -3125,7 +3136,7 @@ limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
| /* empty */ { $$ = 0; }
;
-limit_burst_pkts : /* empty */ { $$ = 0; }
+limit_burst_pkts : /* empty */ { $$ = 5; }
| BURST NUM PACKETS { $$ = $2; }
;
@@ -4118,6 +4129,11 @@ set_elem_stmt : COUNTER
}
| LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
$$ = limit_stmt_alloc(&@$);
$$->limit.rate = $4;
$$->limit.unit = $6;
@@ -4130,6 +4146,11 @@ set_elem_stmt : COUNTER
struct error_record *erec;
uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
erec = rate_parse(&@$, $5, &rate, &unit);
xfree($5);
if (erec != NULL) {
--
2.20.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2020-12-17 11:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-17 11:43 [PATCH nf] parser_bison: disallow burst 0 in ratelimits Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).