The ratelimiter in nftables is similar to the one in iptables, and iptables disallows a zero burst.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 doc/statements.txt | 3 ++-
 src/parser_bison.y | 23 ++++++++++++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/doc/statements.txt b/doc/statements.txt
index beebba1611a8..aac7c7d6b009 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -324,7 +324,8 @@ ____
 A limit statement matches at a limited rate using a token bucket filter. A rule using this statement will match until this limit is reached. It can be used in combination with the log statement to give limited logging. The optional
-*over* keyword makes it match over the specified rate.
+*over* keyword makes it match over the specified rate. Default *burst* is 5.
+if you specify *burst*, it must be non-zero value.
 .limit statement values
 [options="header"]
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ba64dc00bee8..2667a5850c07 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3037,6 +3037,11 @@ log_flag_tcp : SEQUENCE
 limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
 {
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
 $$ = limit_stmt_alloc(&@$);
 $$->limit.rate = $4;
 $$->limit.unit = $6;
@@ -3049,6 +3054,12 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
 struct error_record *erec;
 uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
+
 erec = rate_parse(&@$, $5, &rate, &unit);
 xfree($5);
 if (erec != NULL) {
@@ -3125,7 +3136,7 @@ limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
 | /* empty */ { $$ = 0; }
 ;
-limit_burst_pkts : /* empty */ { $$ = 0; }
+limit_burst_pkts : /* empty */ { $$ = 5; }
 | BURST NUM PACKETS { $$ = $2; }
 ;
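Review bot: The zero-burst check placed at the top of this `limit_stmt` action is repeated verbatim in the hunks at -3049, -4118 and -4130, so four rule bodies now carry the same five lines and the same message string. The value being tested comes from the `limit_burst_pkts` non-terminal (its `BURST NUM PACKETS` alternative is visible in the hunk at -3125), so the check belongs in that alternative, where it runs once for every rule that uses it and the error is anchored on the literal the user typed: `| BURST NUM PACKETS { if ($2 == 0) { erec_queue(error(&@2, "limit burst must be > 0"), state->msgs); YYERROR; } $$ = $2; }`. The same treatment would presumably apply to `limit_burst_bytes`, whose definition is outside this diff. The action this hunk opens continues past the end of the hunk.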
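Review bot: The `$6 == 0` check in this byte-rate action rejects the default as well as an explicit `burst 0`, because the diff raises only `limit_burst_pkts`'s empty alternative to 5 (hunk at -3125) and does not touch `limit_burst_bytes`; if that non-terminal's empty alternative still yields 0, as it presumably does, a byte rate written without a `burst` keyword now fails with "limit burst must be > 0", and `@6` of an empty production gives the message no token to point at. The hunk at -4130 has the same problem. Either give `limit_burst_bytes` a non-zero default to match, or perform the check only in its explicit `BURST` alternative. The doc hunk's "Default *burst* is 5" should then state whether it applies to byte rates as well. This action begins and ends outside the hunk.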
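Review bot: The new default `5` in `limit_burst_pkts`'s empty alternative is a bare magic number; the commit message justifies it by analogy with iptables, but nothing in the grammar records that. A one-line comment on the action keeps the reasoning next to the value: `| /* empty */ { $$ = 5; } /* default burst, same as iptables */`, or a named enum constant if the value is needed elsewhere. Since only the packet form gets this default, the comment should also make clear that it does not cover `limit_burst_bytes`.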
@@ -4118,6 +4129,11 @@ set_elem_stmt : COUNTER
 }
 | LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
 {
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
 $$ = limit_stmt_alloc(&@$);
 $$->limit.rate = $4;
 $$->limit.unit = $6;
@@ -4130,6 +4146,11 @@ set_elem_stmt : COUNTER
 struct error_record *erec;
 uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
 erec = rate_parse(&@$, $5, &rate, &unit);
 xfree($5);
 if (erec != NULL) {
--
2.20.1