On Thu, Jan 04, 2018 at 09:26:40AM +1100, Duncan Roe wrote:
> On Wed, Jan 03, 2018 at 03:41:08PM +0100, Pablo Neira Ayuso wrote:
> > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
> >
> > shows:
> >
> > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 3s limit rate over 200 kbytes/second burst 1 mbytes burst 6 packets} counter drop
> >
> > which prints burst twice, this is not correct.
> >
> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > ---
> > extensions/libxt_hashlimit.c | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
> > index 472d8e7f6cc2..3fa5719127db 100644
> > --- a/extensions/libxt_hashlimit.c
> > +++ b/extensions/libxt_hashlimit.c
> > @@ -1350,10 +1350,12 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name,
> >
> > if (cfg->mode & XT_HASHLIMIT_BYTES)
> > print_bytes_rate_xlate(xl, cfg);
> > - else
> > + else {
> > print_packets_rate_xlate(xl, cfg->avg, revision);
> > - if (cfg->burst != 5)
> > - xt_xlate_add(xl, " burst %lu packets", cfg->burst);
> > + if (cfg->burst != XT_HASHLIMIT_BURST)
> > + xt_xlate_add(xl, " burst %lu packets", cfg->burst);
> > +
> > + }
> > xt_xlate_add(xl, "}");
> >
> > return ret;
> > --
> > 2.11.0
> >
> This still discards a timeout of 1s (1000ms):
>
> > $ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 1000 -j DROP
> > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr limit rate over 200 kbytes/second burst 1 mbytes} counter drop
>
> This is especially incorrect, since the code deliberately inserts a default
> timeout of 1m if no timeout was specified with a burst:
>
> > $ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 -j DROP
> > nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr timeout 60s limit rate over 200 kbytes/second burst 1 mbytes} counter drop
>
> The patch I suggested doesn't have that problem, because of forcing defaults to
> zero. Can doing that have any adverse side-effects?
Yes. Problem is that we cannot assume that hashlimit_mt_check() is
called. If you compile nftables with --with-xtables, listing of rules
that are added via iptables-compat will be translated to nftables.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
