parser_bison: allow 0 burst in limit rate byte mode
authorPablo Neira Ayuso <pablo@netfilter.org>
Thu, 15 Aug 2024 11:56:21 +0000 (13:56 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 19 Aug 2024 15:30:23 +0000 (17:30 +0200)
Unbreak restoring elements in set with rate limit that fail with:

> /dev/stdin:3618:61-61: Error: limit burst must be > 0
>                  elements = { 1.2.3.4 limit rate over 1000 kbytes/second timeout 1s,

no need for burst != 0 for limit rate byte mode.

Add tests/shell too.

Fixes: 702eff5b5b74 ("src: allow burst 0 for byte ratelimit and use it as default")
Fixes: 285baccfea46 ("src: disallow burst 0 in ratelimits")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/parser_bison.y
tests/shell/testcases/sets/dumps/elem_limit_0.nft [new file with mode: 0644]
tests/shell/testcases/sets/elem_limit_0 [new file with mode: 0755]

index 10105f153aa07438005a3ef1a6399b14d92d7d8d..f3368dd3e922762c8690b5ccc53684509927dcf1 100644 (file)
@@ -4609,11 +4609,6 @@ set_elem_stmt            :       COUNTER close_scope_counter
                        }
                        |       LIMIT   RATE    limit_mode      limit_rate_bytes  limit_burst_bytes     close_scope_limit
                        {
-                               if ($5 == 0) {
-                                       erec_queue(error(&@6, "limit burst must be > 0"),
-                                                  state->msgs);
-                                       YYERROR;
-                               }
                                $$ = limit_stmt_alloc(&@$);
                                $$->limit.rate  = $4.rate;
                                $$->limit.unit  = $4.unit;
diff --git a/tests/shell/testcases/sets/dumps/elem_limit_0.nft b/tests/shell/testcases/sets/dumps/elem_limit_0.nft
new file mode 100644 (file)
index 0000000..ca5b2b5
--- /dev/null
@@ -0,0 +1,7 @@
+table netdev filter {
+       set test123 {
+               typeof ip saddr
+               limit rate over 1 mbytes/second
+               elements = { 1.2.3.4 limit rate over 1 mbytes/second }
+       }
+}
diff --git a/tests/shell/testcases/sets/elem_limit_0 b/tests/shell/testcases/sets/elem_limit_0
new file mode 100755 (executable)
index 0000000..b57f927
--- /dev/null
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+## requires EXPR
+
+set -e
+
+RULESET="table netdev filter {
+       set test123 {
+               typeof ip saddr
+               limit rate over 1024 kbytes/second
+               elements = { 1.2.3.4 limit rate over 1024 kbytes/second }
+       }
+}"
+
+$NFT -f - <<< $RULESET
+
+(echo "flush ruleset netdev"; $NFT --stateless list ruleset netdev) | $NFT -f -
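Review bot: The final pipeline `(echo "flush ruleset netdev"; $NFT --stateless list ruleset netdev) | $NFT -f -` reports only the exit status of the right-hand `$NFT -f -`, so under plain `set -e` a failing `list` on the left side goes unnoticed by the script itself; adding `set -o pipefail` after `set -e` would make the restore step fail loudly (the dump comparison may still catch it, but that depends on the test harness, which is not visible here). The here-string `$NFT -f - <<< $RULESET` expands the variable unquoted, and `<<< "$RULESET"` keeps the multi-line ruleset intact on bash versions that word-split here-strings. The `## requires EXPR` line reads like an unfilled template comment and could either name the real requirement or be dropped. The failing input quoted in the commit message also carries `timeout 1s` on the element, which this test does not exercise.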