On Thu, Jan 04, 2018 at 09:26:40AM +1100, Duncan Roe wrote:
> On Wed, Jan 03, 2018 at 03:41:08PM +0100, Pablo Neira Ayuso wrote:
> > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
> >
> > shows:
> >
> > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop
> >
> > which prints burst twice, this is not correct.
> >
> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > ---

Not actually related to the patch, but I happened to notice:

> 	if (info->cfg.mode & XT_HASHLIMIT_BYTES) {
> 		uint32_t burst = 0;
> 		if (cb->xflags & F_BURST) {
> 			if (info->cfg.burst < cost_to_bytes(info->cfg.avg))
> 				xtables_error(PARAMETER_PROBLEM,
> 					"burst cannot be smaller than %lub", cost_to_bytes(info->cfg.avg));
>
> 			burst = info->cfg.burst;
> 			burst /= cost_to_bytes(info->cfg.avg);
> 			if (info->cfg.burst % cost_to_bytes(info->cfg.avg))
> 				burst++;
> 			if (!(cb->xflags & F_HTABLE_EXPIRE))
> 				info->cfg.expire = XT_HASHLIMIT_BYTE_EXPIRE_BURST * 1000;
> 		}
> 		info->cfg.burst = burst;
> 	} else if (info->cfg.burst > XT_HASHLIMIT_BURST_MAX)
> 		burst_error();

What is that final "else" clause there for? No hashlimit was specified so why check its value?

Cheers ... Duncan.