[PATCH nft] parser_bison: allow to restore limit from dynamic set


 



Update the parser to allow restoring the limit per set element in a dynamic set.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1477
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/parser_bison.y                            | 32 +++++++++++++++++++
 .../shell/testcases/sets/0056dynamic_limit_0  | 19 +++++++++++
 2 files changed, 51 insertions(+)
 create mode 100755 tests/shell/testcases/sets/0056dynamic_limit_0

diff --git a/src/parser_bison.y b/src/parser_bison.y
index a88844661af5..fb329919ea95 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4097,6 +4097,38 @@ set_elem_expr_option	:	TIMEOUT			time_spec
 				stmt->counter.bytes = $5;
 				$<expr>0->stmt = stmt;
 			}
+			|	LIMIT   RATE    limit_mode      NUM     SLASH   time_unit       limit_burst_pkts
+			{
+				struct stmt *stmt;
+
+				stmt = limit_stmt_alloc(&@$);
+				stmt->limit.rate  = $4;
+				stmt->limit.unit  = $6;
+				stmt->limit.burst = $7;
+				stmt->limit.type  = NFT_LIMIT_PKTS;
+				stmt->limit.flags = $3;
+				$<expr>0->stmt = stmt;
+			}
+			|       LIMIT   RATE    limit_mode      NUM     STRING  limit_burst_bytes
+			{
+				struct error_record *erec;
+				uint64_t rate, unit;
+				struct stmt *stmt;
+
+				erec = rate_parse(&@$, $5, &rate, &unit);
+				xfree($5);
+				if (erec != NULL) {
+					erec_queue(erec, state->msgs);
+					YYERROR;
+				}
+
+				stmt = limit_stmt_alloc(&@$);
+				stmt->limit.rate  = rate * $4;
+				stmt->limit.unit  = unit;
+				stmt->limit.burst = $6;
+				stmt->limit.type  = NFT_LIMIT_PKT_BYTES;
+				stmt->limit.flags = $3;
+                        }
 			|	comment_spec
 			{
 				if (already_set($<expr>0->comment, &@1, state)) {
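Review bot: The byte-rate alternative never attaches the statement it allocates: after `stmt->limit.flags = $3;` the action ends without `$<expr>0->stmt = stmt;`, unlike the packet-rate alternative just above it, so `limit rate ... bytes` parses but the element ends up with no limit and the allocated stmt is leaked. Add `$<expr>0->stmt = stmt;` before the closing brace of that action. That closing brace is also indented with spaces while the surrounding file uses tabs. The product `rate * $4` is not checked for wrap-around on large user-supplied values; if the main limit_stmt rule does not check either, this is presumably consistent with existing behaviour, otherwise a range check would be worth adding. The set_elem_expr_option rule continues outside the hunk.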
diff --git a/tests/shell/testcases/sets/0056dynamic_limit_0 b/tests/shell/testcases/sets/0056dynamic_limit_0
new file mode 100755
index 000000000000..21fa0bff5a61
--- /dev/null
+++ b/tests/shell/testcases/sets/0056dynamic_limit_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+        set ssh_meter {
+                type ipv4_addr
+                size 65535
+                flags dynamic,timeout
+                timeout 1m
+                elements = { 127.0.0.1 expires 52s44ms limit rate over 1/minute }
+        }
+
+        chain output {
+                type filter hook output priority filter; policy accept;
+                ip protocol icmp add @ssh_meter { ip saddr timeout 1m limit rate over 1/minute }
+        }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
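Review bot: The test never loads the ruleset it defines: the last line feeds `$EXPECTED`, which is not assigned anywhere in the script, to `$NFT -f -`, so nft reads empty input and the test passes whether or not the parser change works. The variable assigned above is `RULESET`, and it should be quoted so the newlines survive: `$NFT -f - <<< "$RULESET"`. It may also be worth comparing `$NFT list ruleset` output against the input, as other testcases in this directory presumably do, so that a limit silently dropped on restore would be detected.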
-- 
2.20.1




