[PATCH iptables] extensions: hashlimit: always print timeout on translations

Meters need an explicit timeout that we cannot skip, otherwise entries
remain in the set forever.

This fixes the following translation:

$ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
--hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode
srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 1000 -j
DROP

that was skipping the timeout option:

nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport .
ip saddr limit rate over 200 kbytes/second burst 1 mbytes}
counter drop

Reported-by: Duncan Roe <duncan_roe@xxxxxxxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 extensions/libxt_hashlimit.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 3fa5719127db..f85f2d3a179a 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -1341,8 +1341,7 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name,
 	xt_xlate_add(xl, "flow table %s {", name);
 	ret = hashlimit_mode_xlate(xl, cfg->mode, family,
 				   cfg->srcmask, cfg->dstmask);
-	if (cfg->expire != 1000)
-		xt_xlate_add(xl, " timeout %us", cfg->expire / 1000);
+	xt_xlate_add(xl, " timeout %us", cfg->expire / 1000);
 	xt_xlate_add(xl, " limit rate");
 
 	if (cfg->mode & XT_HASHLIMIT_INVERT)
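Review bot: with the `if (cfg->expire != 1000)` guard removed, `xt_xlate_add(xl, " timeout %us", cfg->expire / 1000)` is now emitted unconditionally, and because `expire` is in milliseconds the integer division prints `timeout 0s` for any `--hashlimit-htable-expire` value below 1000, which is unlikely to be the meter timeout the user intended. Consider rounding up to the next whole second (or printing a millisecond unit if nft accepts one) so that sub-second expire values do not translate to a zero timeout.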
-- 
2.11.0