The ratelimiter in nftables is similar to the one in iptables, and
iptables disallows a zero burst.
Update the byte rate limiter not to print burst 5 (default value).
Update tests/py to use burst 5 instead of zero.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
v2: update tests/py
do not print default burst when listing
doc/statements.txt | 3 ++-
src/parser_bison.y | 25 ++++++++++++++++++--
src/statement.c | 2 +-
tests/py/any/limit.t.payload | 44 ++++++++++++++++++------------------
4 files changed, 48 insertions(+), 26 deletions(-)
diff --git a/doc/statements.txt b/doc/statements.txt
index beebba1611a8..aac7c7d6b009 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -324,7 +324,8 @@ ____
A limit statement matches at a limited rate using a token bucket filter. A rule
using this statement will match until this limit is reached. It can be used in
combination with the log statement to give limited logging. The optional
-*over* keyword makes it match over the specified rate.
+*over* keyword makes it match over the specified rate. Default *burst* is 5.
+if you specify *burst*, it must be non-zero value.
.limit statement values
[options="header"]
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 58a5a4752002..15df215e8aa0 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3038,6 +3038,11 @@ log_flag_tcp : SEQUENCE
limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
$$ = limit_stmt_alloc(&@$);
$$->limit.rate = $4;
$$->limit.unit = $6;
@@ -3050,6 +3055,12 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
struct error_record *erec;
uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
+
erec = rate_parse(&@$, $5, &rate, &unit);
xfree($5);
if (erec != NULL) {
@@ -3126,11 +3137,11 @@ limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
| /* empty */ { $$ = 0; }
;
-limit_burst_pkts : /* empty */ { $$ = 0; }
+limit_burst_pkts : /* empty */ { $$ = 5; }
| BURST NUM PACKETS { $$ = $2; }
;
-limit_burst_bytes : /* empty */ { $$ = 0; }
+limit_burst_bytes : /* empty */ { $$ = 5; }
| BURST NUM BYTES { $$ = $2; }
| BURST NUM STRING
{
@@ -4121,6 +4132,11 @@ set_elem_stmt : COUNTER
}
| LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
+ if ($7 == 0) {
+ erec_queue(error(&@7, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
$$ = limit_stmt_alloc(&@$);
$$->limit.rate = $4;
$$->limit.unit = $6;
@@ -4133,6 +4149,11 @@ set_elem_stmt : COUNTER
struct error_record *erec;
uint64_t rate, unit;
+ if ($6 == 0) {
+ erec_queue(error(&@6, "limit burst must be > 0"),
+ state->msgs);
+ YYERROR;
+ }
erec = rate_parse(&@$, $5, &rate, &unit);
xfree($5);
if (erec != NULL) {
diff --git a/src/statement.c b/src/statement.c
index 39020857ae9c..f7f1c0c4d553 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -464,7 +464,7 @@ static void limit_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
nft_print(octx, "limit rate %s%" PRIu64 " %s/%s",
inv ? "over " : "", rate, data_unit,
get_unit(stmt->limit.unit));
- if (stmt->limit.burst > 0) {
+ if (stmt->limit.burst != 5) {
uint64_t burst;
data_unit = get_rate(stmt->limit.burst, &burst);
diff --git a/tests/py/any/limit.t.payload b/tests/py/any/limit.t.payload
index b0cc84b42ff3..dc6cea9b2846 100644
--- a/tests/py/any/limit.t.payload
+++ b/tests/py/any/limit.t.payload
@@ -1,22 +1,22 @@
# limit rate 400/minute
ip test-ip4 output
- [ limit rate 400/minute burst 0 type packets flags 0x0 ]
+ [ limit rate 400/minute burst 5 type packets flags 0x0 ]
# limit rate 20/second
ip test-ip4 output
- [ limit rate 20/second burst 0 type packets flags 0x0 ]
+ [ limit rate 20/second burst 5 type packets flags 0x0 ]
# limit rate 400/hour
ip test-ip4 output
- [ limit rate 400/hour burst 0 type packets flags 0x0 ]
+ [ limit rate 400/hour burst 5 type packets flags 0x0 ]
# limit rate 400/week
ip test-ip4 output
- [ limit rate 400/week burst 0 type packets flags 0x0 ]
+ [ limit rate 400/week burst 5 type packets flags 0x0 ]
# limit rate 40/day
ip test-ip4 output
- [ limit rate 40/day burst 0 type packets flags 0x0 ]
+ [ limit rate 40/day burst 5 type packets flags 0x0 ]
# limit rate 1023/second burst 10 packets
ip test-ip4 output
@@ -24,27 +24,27 @@ ip test-ip4 output
# limit rate 1 kbytes/second
ip test-ip4 output
- [ limit rate 1024/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 1024/second burst 5 type bytes flags 0x0 ]
# limit rate 2 kbytes/second
ip test-ip4 output
- [ limit rate 2048/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 2048/second burst 5 type bytes flags 0x0 ]
# limit rate 1025 kbytes/second
ip test-ip4 output
- [ limit rate 1049600/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 1049600/second burst 5 type bytes flags 0x0 ]
# limit rate 1023 mbytes/second
ip test-ip4 output
- [ limit rate 1072693248/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 1072693248/second burst 5 type bytes flags 0x0 ]
# limit rate 10230 mbytes/second
ip test-ip4 output
- [ limit rate 10726932480/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 10726932480/second burst 5 type bytes flags 0x0 ]
# limit rate 1023000 mbytes/second
ip test-ip4 output
- [ limit rate 1072693248000/second burst 0 type bytes flags 0x0 ]
+ [ limit rate 1072693248000/second burst 5 type bytes flags 0x0 ]
# limit rate 1025 bytes/second burst 512 bytes
ip test-ip4 output
@@ -64,23 +64,23 @@ ip test-ip4 output
# limit rate over 400/minute
ip test-ip4 output
- [ limit rate 400/minute burst 0 type packets flags 0x1 ]
+ [ limit rate 400/minute burst 5 type packets flags 0x1 ]
# limit rate over 20/second
ip test-ip4 output
- [ limit rate 20/second burst 0 type packets flags 0x1 ]
+ [ limit rate 20/second burst 5 type packets flags 0x1 ]
# limit rate over 400/hour
ip test-ip4 output
- [ limit rate 400/hour burst 0 type packets flags 0x1 ]
+ [ limit rate 400/hour burst 5 type packets flags 0x1 ]
# limit rate over 400/week
ip test-ip4 output
- [ limit rate 400/week burst 0 type packets flags 0x1 ]
+ [ limit rate 400/week burst 5 type packets flags 0x1 ]
# limit rate over 40/day
ip test-ip4 output
- [ limit rate 40/day burst 0 type packets flags 0x1 ]
+ [ limit rate 40/day burst 5 type packets flags 0x1 ]
# limit rate over 1023/second burst 10 packets
ip test-ip4 output
@@ -88,27 +88,27 @@ ip test-ip4 output
# limit rate over 1 kbytes/second
ip test-ip4 output
- [ limit rate 1024/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 1024/second burst 5 type bytes flags 0x1 ]
# limit rate over 2 kbytes/second
ip test-ip4 output
- [ limit rate 2048/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 2048/second burst 5 type bytes flags 0x1 ]
# limit rate over 1025 kbytes/second
ip test-ip4 output
- [ limit rate 1049600/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 1049600/second burst 5 type bytes flags 0x1 ]
# limit rate over 1023 mbytes/second
ip test-ip4 output
- [ limit rate 1072693248/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 1072693248/second burst 5 type bytes flags 0x1 ]
# limit rate over 10230 mbytes/second
ip test-ip4 output
- [ limit rate 10726932480/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 10726932480/second burst 5 type bytes flags 0x1 ]
# limit rate over 1023000 mbytes/second
ip test-ip4 output
- [ limit rate 1072693248000/second burst 0 type bytes flags 0x1 ]
+ [ limit rate 1072693248000/second burst 5 type bytes flags 0x1 ]
# limit rate over 1025 bytes/second burst 512 bytes
ip test-ip4 output
--
2.20.1
