On Sat, May 21, 2016 at 06:07:16PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>
>
> The default burst value is 5 in the iptables limit extension, while it is 0 in
> the nft limit expression. If the burst value is the default, it will not be
> displayed when we dump the rules. But when we do translation from iptables
> rules to nft rules, we should keep the limit burst value unchanged, even if
> it is not displayed in the iptables rules.
>
> And now, if the limit-burst value in the iptables rule is 5 or 0, they are
> both translated to an nft rule without burst, which is wrong:
>
> $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
> nft add rule ip filter INPUT limit rate 10/second counter
> $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
> nft add rule ip filter INPUT limit rate 10/second burst 0 packets counter
>
> After applying this patch, the translation becomes:
>
> $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
> nft add rule ip filter INPUT limit rate 10/second burst 5 packets counter
> $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
> nft add rule ip filter INPUT limit rate 10/second counter

Applied, thanks.
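The default-burst asymmetry the patch corrects, modelled as an added Python example (not iptables' own translation code): an absent `--limit-burst` means 5 on the iptables side, and only a burst equal to nft's own default of 0 is omitted from the emitted rule. The rate-suffix table and the per-hour default unit are assumed from the iptables man page.

```python
# Added example modelling iptables "-m limit" -> nft "limit" translation.
# Not the iptables-translate source; unit table and defaults are assumed.
import shlex

IPT_DEFAULT_BURST = 5   # iptables limit extension default (omitted on dump)
NFT_DEFAULT_BURST = 0   # nft limit expression default (omitted on dump)

# iptables rate suffixes -> nft time units (assumed mapping)
UNITS = {
    "s": "second", "sec": "second", "second": "second",
    "m": "minute", "min": "minute", "minute": "minute",
    "h": "hour", "hour": "hour",
    "d": "day", "day": "day",
}

def parse_limit_match(args):
    """Return (rate, unit, burst) from the '-m limit' option list.

    Burst falls back to iptables' default of 5 when --limit-burst is
    absent, which is what the kernel match actually uses."""
    opts = shlex.split(args) if isinstance(args, str) else list(args)
    rate, unit, burst = None, None, IPT_DEFAULT_BURST
    i = 0
    while i < len(opts):
        if opts[i] == "--limit":
            num, _, suffix = opts[i + 1].partition("/")
            rate, unit = int(num), UNITS[suffix or "hour"]  # bare number: per hour
            i += 2
        elif opts[i] == "--limit-burst":
            burst = int(opts[i + 1])
            i += 2
        else:
            i += 1
    if rate is None:
        raise ValueError("--limit is required")
    return rate, unit, burst

def nft_limit(rate, unit, burst):
    """Emit the nft limit clause. Burst is omitted only when it equals nft's
    default (0), never because it happens to equal iptables' default (5)."""
    text = f"limit rate {rate}/{unit}"
    if burst != NFT_DEFAULT_BURST:
        text += f" burst {burst} packets"
    return text

def translate(chain, args, table="filter", family="ip"):
    rate, unit, burst = parse_limit_match(args)
    return f"nft add rule {family} {table} {chain} {nft_limit(rate, unit, burst)} counter"
```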