git.ipfire.org Git - thirdparty/libnftnl.git/commit

author	Phil Oester <kernel@linuxace.com>
	Tue, 22 Oct 2013 08:48:22 +0000 (10:48 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 22 Oct 2013 08:49:02 +0000 (10:49 +0200)
commit	e91ea14da66759c71d5c2a581b82c2508a02f60a
tree	eaf91c52854f877bf66e130962b90d164fcc4220	tree \| snapshot
parent	bc7b5e747f70d229ca5d5fb0709548a47e2830fc	commit \| diff

expr: limit: operational limit match

The nft limit match currently does not work at all.  Below patches to
nftables, libnftables, and kernel address the issue.  A few notes on
the implementation:

- Removed support for nano/micro/milli second limits.  These seem pointless,
  given we are using jiffies in the limit match, not a hpet.  And who really
  needs to limit items down to sub-second level??

- 'depth' member is removed as unnecessary.  All we need in the kernel is the
  rate and the unit.

- 'stamp' member becomes the time we need to next refresh the token bucket,
  instead of being updated on every packet which goes through the match.

This closes netfilter bugzilla #827, reported by Eric Leblond.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/libnftables/expr.h		diff \| blob \| blame \| history
include/linux/netfilter/nf_tables.h		diff \| blob \| blame \| history
src/expr/limit.c		diff \| blob \| blame \| history