git.ipfire.org Git - thirdparty/nftables.git/commit

author	Phil Oester <kernel@linuxace.com>
	Sat, 5 Oct 2013 16:44:56 +0000 (09:44 -0700)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 22 Oct 2013 08:52:32 +0000 (10:52 +0200)
commit	b259d1aca0db1bed5af3e4fe378f8aeb4d3ce645
tree	0dea304c654a8c4d107720b4c73a561f623b1468	tree
parent	2855909e46f4646f137a96892bd5c465fa1193f8	commit \| diff

src: operational limit match

The nft limit match currently does not work at all.  Below patches to nftables,
libnftables, and kernel address the issue.  A few notes on the implementation:

- Removed support for nano/micro/milli second limits.  These seem pointless,
  given we are using jiffies in the limit match, not a hpet.  And who really
  needs to limit items down to sub-second level??

- 'depth' member is removed as unnecessary.  All we need in the kernel is the
  rate and the unit.

- 'stamp' member becomes the time we need to next refresh the token bucket,
  instead of being updated on every packet which goes through the match.

This closes netfilter bugzilla #827, reported by Eric Leblond.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/statement.h		diff \| blob \| blame \| history
src/netlink_delinearize.c		diff \| blob \| blame \| history
src/netlink_linearize.c		diff \| blob \| blame \| history
src/parser.y		diff \| blob \| blame \| history
src/statement.c		diff \| blob \| blame \| history