NFT_LIMIT_PKT_BYTES
};
+enum nft_limit_flags {
+ NFT_LIMIT_F_INV = (1 << 0),
+};
+
/**
* enum nft_limit_attributes - nf_tables limit expression netlink attributes
*
* @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
* @NFTA_LIMIT_BURST: burst (NLA_U32)
* @NFTA_LIMIT_TYPE: type of limit (NLA_U32: enum nft_limit_type)
+ * @NFTA_LIMIT_FLAGS: flags (NLA_U32: enum nft_limit_flags)
*/
enum nft_limit_attributes {
NFTA_LIMIT_UNSPEC,
NFTA_LIMIT_UNIT,
NFTA_LIMIT_BURST,
NFTA_LIMIT_TYPE,
+ NFTA_LIMIT_FLAGS,
__NFTA_LIMIT_MAX
};
#define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)
uint64_t unit;
enum nft_limit_type type;
uint32_t burst;
+ uint32_t flags;
};
extern struct stmt *limit_stmt_alloc(const struct location *loc);
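Review bot: The new `flags` member is undocumented, and the struct mixes a kernel-defined enum (`type`) with plain integers, so a reader cannot tell which constant set `flags` draws from or whether it is a bitmask. A trailing comment, `uint32_t flags; /* bitmask of NFT_LIMIT_F_* (enum nft_limit_flags) */`, ties it to the uapi enum this series introduces. The struct's header is outside the hunk, so its existing comment style cannot be checked here.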
stmt->limit.unit = nftnl_expr_get_u64(nle, NFTNL_EXPR_LIMIT_UNIT);
stmt->limit.type = nftnl_expr_get_u32(nle, NFTNL_EXPR_LIMIT_TYPE);
stmt->limit.burst = nftnl_expr_get_u32(nle, NFTNL_EXPR_LIMIT_BURST);
+ stmt->limit.flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_LIMIT_FLAGS);
list_add_tail(&stmt->list, &ctx->rule->stmts);
}
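Review bot: The added `nftnl_expr_get_u32(nle, NFTNL_EXPR_LIMIT_FLAGS)` read is unguarded, so on a kernel that never emits NFTA_LIMIT_FLAGS the value stored in `stmt->limit.flags` depends on libnftnl's behaviour for an attribute that is not set rather than on anything this code checks. Wrapping it as `if (nftnl_expr_is_set(nle, NFTNL_EXPR_LIMIT_FLAGS))` before the assignment makes the default explicit and leaves `flags` at whatever limit_stmt_alloc initialised it to. The enclosing function starts before the hunk, so whether the allocator zero-fills `flags` cannot be confirmed from here and is worth checking.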
if (stmt->limit.burst > 0)
nftnl_expr_set_u32(nle, NFTNL_EXPR_LIMIT_BURST,
stmt->limit.burst);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_LIMIT_FLAGS, stmt->limit.flags);
nftnl_rule_add_expr(ctx->nlr, nle);
}
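Review bot: NFTA_LIMIT_FLAGS is now emitted on every limit expression, even when `flags` is 0, whereas the burst attribute on the line above is only added when it carries a non-default value. Gating it the same way, `if (stmt->limit.flags) nftnl_expr_set_u32(nle, NFTNL_EXPR_LIMIT_FLAGS, stmt->limit.flags);`, keeps rules that do not use `over` byte-identical on the wire to what older nft versions sent, so kernels predating the attribute never see an attribute type they do not know. How such a kernel treats an unknown attribute is not visible from this patch; the gate sidesteps the question for the common case. The enclosing function begins outside the hunk.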
%token LIMIT "limit"
%token RATE "rate"
%token BURST "burst"
+%token OVER "over"
+%token UNTIL "until"
%token NANOSECOND "nanosecond"
%token MICROSECOND "microsecond"
%type <val> level_type
%type <stmt> limit_stmt
%destructor { stmt_free($$); } limit_stmt
-%type <val> limit_burst time_unit
+%type <val> limit_burst limit_mode time_unit
%type <stmt> reject_stmt reject_stmt_alloc
%destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
%type <stmt> nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
| LEVEL_DEBUG { $$ = LOG_DEBUG; }
;
-limit_stmt : LIMIT RATE NUM SLASH time_unit limit_burst
+limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst
{
$$ = limit_stmt_alloc(&@$);
- $$->limit.rate = $3;
- $$->limit.unit = $5;
- $$->limit.burst = $6;
+ $$->limit.rate = $4;
+ $$->limit.unit = $6;
+ $$->limit.burst = $7;
$$->limit.type = NFT_LIMIT_PKTS;
+ $$->limit.flags = $3;
}
- | LIMIT RATE NUM STRING limit_burst
+ | LIMIT RATE limit_mode NUM STRING limit_burst
{
struct error_record *erec;
uint64_t rate, unit;
- erec = rate_parse(&@$, $4, &rate, &unit);
+ erec = rate_parse(&@$, $5, &rate, &unit);
if (erec != NULL) {
erec_queue(erec, state->msgs);
YYERROR;
}
$$ = limit_stmt_alloc(&@$);
- $$->limit.rate = rate * $3;
+ $$->limit.rate = rate * $4;
$$->limit.unit = unit;
- $$->limit.burst = $5;
+ $$->limit.burst = $6;
$$->limit.type = NFT_LIMIT_PKT_BYTES;
+ $$->limit.flags = $3;
}
;
+limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
+ | UNTIL { $$ = 0; }
+ | /* empty */ { $$ = 0; }
+ ;
+
limit_burst : /* empty */ { $$ = 0; }
| BURST NUM PACKETS { $$ = $2; }
| BURST NUM BYTES { $$ = $2; }
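Review bot: The `limit_mode` nonterminal carries no comment, and since `until` and the empty production both yield 0 a reader of the grammar cannot tell whether `until` is merely an alias for the default or a distinct mode with its own kernel flag. A comment above the rule such as `/* 'over' sets NFT_LIMIT_F_INV: the rule matches once the rate is exceeded. 'until' is the default (match while under the rate) and carries no flag. */` would settle that, and is worth keeping in step with limit_stmt_print, which appears to emit only the `over` form. Both `limit_stmt` alternatives store `$3` straight into `limit.flags`, which is fine as long as this nonterminal only ever yields 0 or NFT_LIMIT_F_INV.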
"limit" { return LIMIT; }
"rate" { return RATE; }
"burst" { return BURST; }
+"until" { return UNTIL; }
+"over" { return OVER; }
"nanosecond" { return NANOSECOND; }
"microsecond" { return MICROSECOND; }
static void limit_stmt_print(const struct stmt *stmt)
{
+ bool inv = stmt->limit.flags & NFT_LIMIT_F_INV;
const char *data_unit;
uint64_t rate;
switch (stmt->limit.type) {
case NFT_LIMIT_PKTS:
- printf("limit rate %" PRIu64 "/%s",
- stmt->limit.rate, get_unit(stmt->limit.unit));
+ printf("limit rate %s%" PRIu64 "/%s",
+ inv ? "over " : "", stmt->limit.rate,
+ get_unit(stmt->limit.unit));
if (stmt->limit.burst > 0)
printf(" burst %u packets", stmt->limit.burst);
break;
case NFT_LIMIT_PKT_BYTES:
data_unit = get_rate(stmt->limit.rate, &rate);
- printf("limit rate %" PRIu64 " %s/%s",
- rate, data_unit, get_unit(stmt->limit.unit));
+ printf("limit rate %s%" PRIu64 " %s/%s",
+ inv ? "over " : "", rate, data_unit,
+ get_unit(stmt->limit.unit));
if (stmt->limit.burst > 0) {
uint64_t burst;
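Review bot: `inv` tests only NFT_LIMIT_F_INV, so any other bit the kernel may one day set in `limit.flags` is silently dropped from the listed rule and the text form stops round-tripping the expression. If the flags enum is expected to grow, either mask to the known bit with a comment saying so, or surface the remainder, e.g. `if (stmt->limit.flags & ~NFT_LIMIT_F_INV) printf(" # unknown limit flags 0x%" PRIx32, stmt->limit.flags & ~NFT_LIMIT_F_INV);` placed where the rest of the statement is emitted. Only NFT_LIMIT_F_INV exists in this patch, so this is forward-looking rather than a present defect. limit_stmt_print continues past the end of the hunk.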
limit rate 1025 kbytes/second burst 1023 kbytes;ok
limit rate 1025 mbytes/second burst 1025 kbytes;ok
limit rate 1025000 mbytes/second burst 1023 mbytes;ok
+
+limit rate over 400/minute;ok
+limit rate over 20/second;ok
+limit rate over 400/hour;ok
+limit rate over 40/day;ok
+limit rate over 400/week;ok
+limit rate over 1023/second burst 10 packets;ok
+
+limit rate over 1 kbytes/second;ok
+limit rate over 2 kbytes/second;ok
+limit rate over 1025 kbytes/second;ok
+limit rate over 1023 mbytes/second;ok
+limit rate over 10230 mbytes/second;ok
+limit rate over 1023000 mbytes/second;ok
+
+limit rate over 1025 bytes/second burst 512 bytes;ok
+limit rate over 1025 kbytes/second burst 1023 kbytes;ok
+limit rate over 1025 mbytes/second burst 1025 kbytes;ok
+limit rate over 1025000 mbytes/second burst 1023 mbytes;ok
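Review bot: The new cases cover `over` only; nothing exercises the `until` keyword that the grammar also accepts, so a regression in that production would go unnoticed. Because the default mode is not printed back, the case needs an explicit expected listing, e.g. `limit rate until 400/minute;ok;limit rate 400/minute`, assuming this file follows the usual tests/py convention of a third field for the expected output. One byte-rate `until` case would cover the second grammar alternative as well.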
# limit rate 400/minute
ip test-ip4 output
- [ limit rate 400/minute burst 0 type packets ]
+ [ limit rate 400/minute burst 0 type packets flags 0x0 ]
# limit rate 20/second
ip test-ip4 output
- [ limit rate 20/second burst 0 type packets ]
+ [ limit rate 20/second burst 0 type packets flags 0x0 ]
# limit rate 400/hour
ip test-ip4 output
- [ limit rate 400/hour burst 0 type packets ]
+ [ limit rate 400/hour burst 0 type packets flags 0x0 ]
# limit rate 400/week
ip test-ip4 output
- [ limit rate 400/week burst 0 type packets ]
+ [ limit rate 400/week burst 0 type packets flags 0x0 ]
# limit rate 40/day
ip test-ip4 output
- [ limit rate 40/day burst 0 type packets ]
+ [ limit rate 40/day burst 0 type packets flags 0x0 ]
# limit rate 1023/second burst 10 packets
ip test-ip4 output
- [ limit rate 1023/second burst 10 type packets ]
+ [ limit rate 1023/second burst 10 type packets flags 0x0 ]
# limit rate 1 kbytes/second
ip test-ip4 output
- [ limit rate 1024/second burst 0 type bytes ]
+ [ limit rate 1024/second burst 0 type bytes flags 0x0 ]
# limit rate 2 kbytes/second
ip test-ip4 output
- [ limit rate 2048/second burst 0 type bytes ]
+ [ limit rate 2048/second burst 0 type bytes flags 0x0 ]
# limit rate 1025 kbytes/second
ip test-ip4 output
- [ limit rate 1049600/second burst 0 type bytes ]
+ [ limit rate 1049600/second burst 0 type bytes flags 0x0 ]
# limit rate 1023 mbytes/second
ip test-ip4 output
- [ limit rate 1072693248/second burst 0 type bytes ]
+ [ limit rate 1072693248/second burst 0 type bytes flags 0x0 ]
# limit rate 10230 mbytes/second
ip test-ip4 output
- [ limit rate 10726932480/second burst 0 type bytes ]
+ [ limit rate 10726932480/second burst 0 type bytes flags 0x0 ]
# limit rate 1023000 mbytes/second
ip test-ip4 output
- [ limit rate 1072693248000/second burst 0 type bytes ]
+ [ limit rate 1072693248000/second burst 0 type bytes flags 0x0 ]
# limit rate 1025 bytes/second burst 512 bytes
ip test-ip4 output
- [ limit rate 1025/second burst 512 type bytes ]
+ [ limit rate 1025/second burst 512 type bytes flags 0x0 ]
# limit rate 1025 kbytes/second burst 1023 kbytes
ip test-ip4 output
- [ limit rate 1049600/second burst 1047552 type bytes ]
+ [ limit rate 1049600/second burst 1047552 type bytes flags 0x0 ]
# limit rate 1025 mbytes/second burst 1025 kbytes
ip test-ip4 output
- [ limit rate 1074790400/second burst 1049600 type bytes ]
+ [ limit rate 1074790400/second burst 1049600 type bytes flags 0x0 ]
# limit rate 1025000 mbytes/second burst 1023 mbytes
ip test-ip4 output
- [ limit rate 1074790400000/second burst 1072693248 type bytes ]
+ [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x0 ]
+
+# limit rate over 400/minute
+ip test-ip4 output
+ [ limit rate 400/minute burst 0 type packets flags 0x1 ]
+
+# limit rate over 20/second
+ip test-ip4 output
+ [ limit rate 20/second burst 0 type packets flags 0x1 ]
+
+# limit rate over 400/hour
+ip test-ip4 output
+ [ limit rate 400/hour burst 0 type packets flags 0x1 ]
+
+# limit rate over 400/week
+ip test-ip4 output
+ [ limit rate 400/week burst 0 type packets flags 0x1 ]
+
+# limit rate over 40/day
+ip test-ip4 output
+ [ limit rate 40/day burst 0 type packets flags 0x1 ]
+
+# limit rate over 1023/second burst 10 packets
+ip test-ip4 output
+ [ limit rate 1023/second burst 10 type packets flags 0x1 ]
+
+# limit rate over 1 kbytes/second
+ip test-ip4 output
+ [ limit rate 1024/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 2 kbytes/second
+ip test-ip4 output
+ [ limit rate 2048/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 1025 kbytes/second
+ip test-ip4 output
+ [ limit rate 1049600/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 1023 mbytes/second
+ip test-ip4 output
+ [ limit rate 1072693248/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 10230 mbytes/second
+ip test-ip4 output
+ [ limit rate 10726932480/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 1023000 mbytes/second
+ip test-ip4 output
+ [ limit rate 1072693248000/second burst 0 type bytes flags 0x1 ]
+
+# limit rate over 1025 bytes/second burst 512 bytes
+ip test-ip4 output
+ [ limit rate 1025/second burst 512 type bytes flags 0x1 ]
+
+# limit rate over 1025 kbytes/second burst 1023 kbytes
+ip test-ip4 output
+ [ limit rate 1049600/second burst 1047552 type bytes flags 0x1 ]
+
+# limit rate over 1025 mbytes/second burst 1025 kbytes
+ip test-ip4 output
+ [ limit rate 1074790400/second burst 1049600 type bytes flags 0x1 ]
+
+# limit rate over 1025000 mbytes/second burst 1023 mbytes
+ip test-ip4 output
+ [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x1 ]