src: disallow burst 0 in ratelimits

The ratelimiter in nftables is similar to the one in iptables, and
iptables disallows a zero burst.

Update the byte rate limiter not to print burst 5 (default value).

Update tests/py payloads to print burst 5 instead of zero when the
burst is unspecified.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/statements.txt b/doc/statements.txt
index beebba1611a84381742e322501b1f19b8d6d9db5..aac7c7d6b0091d1bcd614f7e51e309f54310fce6 100644 (file)
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -324,7 +324,8 @@ ____
 A limit statement matches at a limited rate using a token bucket filter. A rule
 using this statement will match until this limit is reached. It can be used in
 combination with the log statement to give limited logging. The optional
-*over* keyword makes it match over the specified rate.
+*over* keyword makes it match over the specified rate. Default *burst* is 5.
+if you specify *burst*, it must be non-zero value.
 
 .limit statement values
 [options="header"]

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4d4d203873a3c248fcabc90edd1698d8b0df1136..519e8efe5ab7e0a8cdb795767cc798d2d108a713 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3038,6 +3038,11 @@ log_flag_tcp             :       SEQUENCE
 
 limit_stmt             :       LIMIT   RATE    limit_mode      NUM     SLASH   time_unit       limit_burst_pkts
                        {
+                               if ($7 == 0) {
+                                       erec_queue(error(&@7, "limit burst must be > 0"),
+                                                  state->msgs);
+                                       YYERROR;
+                               }
                                $$ = limit_stmt_alloc(&@$);
                                $$->limit.rate  = $4;
                                $$->limit.unit  = $6;
@@ -3050,6 +3055,12 @@ limit_stmt               :       LIMIT   RATE    limit_mode      NUM     SLASH   time_unit       limit_burst_pkts
                                struct error_record *erec;
                                uint64_t rate, unit;
 
+                               if ($6 == 0) {
+                                       erec_queue(error(&@6, "limit burst must be > 0"),
+                                                  state->msgs);
+                                       YYERROR;
+                               }
+
                                erec = rate_parse(&@$, $5, &rate, &unit);
                                xfree($5);
                                if (erec != NULL) {
@@ -3126,11 +3137,11 @@ limit_mode              :       OVER                            { $$ = NFT_LIMIT_F_INV; }
                        |       /* empty */                     { $$ = 0; }
                        ;
 
-limit_burst_pkts       :       /* empty */                     { $$ = 0; }
+limit_burst_pkts       :       /* empty */                     { $$ = 5; }
                        |       BURST   NUM     PACKETS         { $$ = $2; }
                        ;
 
-limit_burst_bytes      :       /* empty */                     { $$ = 0; }
+limit_burst_bytes      :       /* empty */                     { $$ = 5; }
                        |       BURST   NUM     BYTES           { $$ = $2; }
                        |       BURST   NUM     STRING
                        {
@@ -4122,6 +4133,11 @@ set_elem_stmt            :       COUNTER
                        }
                        |       LIMIT   RATE    limit_mode      NUM     SLASH   time_unit       limit_burst_pkts
                        {
+                               if ($7 == 0) {
+                                       erec_queue(error(&@7, "limit burst must be > 0"),
+                                                  state->msgs);
+                                       YYERROR;
+                               }
                                $$ = limit_stmt_alloc(&@$);
                                $$->limit.rate  = $4;
                                $$->limit.unit  = $6;
@@ -4134,6 +4150,11 @@ set_elem_stmt            :       COUNTER
                                struct error_record *erec;
                                uint64_t rate, unit;
 
+                               if ($6 == 0) {
+                                       erec_queue(error(&@6, "limit burst must be > 0"),
+                                                  state->msgs);
+                                       YYERROR;
+                               }
                                erec = rate_parse(&@$, $5, &rate, &unit);
                                xfree($5);
                                if (erec != NULL) {

diff --git a/src/statement.c b/src/statement.c
index 39020857ae9c3e8df24e31230653dbc37fe67450..f7f1c0c4d553ebaba3cf200c2eebfa65d8676694 100644 (file)
--- a/src/statement.c
+++ b/src/statement.c
@@ -464,7 +464,7 @@ static void limit_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
                nft_print(octx, "limit rate %s%" PRIu64 " %s/%s",
                          inv ? "over " : "", rate, data_unit,
                          get_unit(stmt->limit.unit));
-               if (stmt->limit.burst > 0) {
+               if (stmt->limit.burst != 5) {
                        uint64_t burst;
 
                        data_unit = get_rate(stmt->limit.burst, &burst);

diff --git a/tests/py/any/limit.t.payload b/tests/py/any/limit.t.payload
index b0cc84b42ff392317d5d8e75ac3c2a02672cacc7..dc6cea9b284609cb6a1f4d957634a9b0a139c461 100644 (file)
--- a/tests/py/any/limit.t.payload
+++ b/tests/py/any/limit.t.payload
@@ -1,22 +1,22 @@
 # limit rate 400/minute
 ip test-ip4 output
-  [ limit rate 400/minute burst 0 type packets flags 0x0 ]
+  [ limit rate 400/minute burst 5 type packets flags 0x0 ]
 
 # limit rate 20/second
 ip test-ip4 output
-  [ limit rate 20/second burst 0 type packets flags 0x0 ]
+  [ limit rate 20/second burst 5 type packets flags 0x0 ]
 
 # limit rate 400/hour
 ip test-ip4 output
-  [ limit rate 400/hour burst 0 type packets flags 0x0 ]
+  [ limit rate 400/hour burst 5 type packets flags 0x0 ]
 
 # limit rate 400/week
 ip test-ip4 output
-  [ limit rate 400/week burst 0 type packets flags 0x0 ]
+  [ limit rate 400/week burst 5 type packets flags 0x0 ]
 
 # limit rate 40/day
 ip test-ip4 output
-  [ limit rate 40/day burst 0 type packets flags 0x0 ]
+  [ limit rate 40/day burst 5 type packets flags 0x0 ]
 
 # limit rate 1023/second burst 10 packets
 ip test-ip4 output
@@ -24,27 +24,27 @@ ip test-ip4 output
 
 # limit rate 1 kbytes/second
 ip test-ip4 output
-  [ limit rate 1024/second burst 0 type bytes flags 0x0 ]
+  [ limit rate 1024/second burst 5 type bytes flags 0x0 ]
 
 # limit rate 2 kbytes/second
 ip test-ip4 output
-  [ limit rate 2048/second burst 0 type bytes flags 0x0 ]
+  [ limit rate 2048/second burst 5 type bytes flags 0x0 ]
 
 # limit rate 1025 kbytes/second
 ip test-ip4 output
-  [ limit rate 1049600/second burst 0 type bytes flags 0x0 ]
+  [ limit rate 1049600/second burst 5 type bytes flags 0x0 ]
 
 # limit rate 1023 mbytes/second
 ip test-ip4 output
-  [ limit rate 1072693248/second burst 0 type bytes flags 0x0 ]
+  [ limit rate 1072693248/second burst 5 type bytes flags 0x0 ]
 
 # limit rate 10230 mbytes/second
 ip test-ip4 output
-  [ limit rate 10726932480/second burst 0 type bytes flags 0x0 ]
+  [ limit rate 10726932480/second burst 5 type bytes flags 0x0 ]
 
 # limit rate 1023000 mbytes/second
 ip test-ip4 output
-  [ limit rate 1072693248000/second burst 0 type bytes flags 0x0 ]
+  [ limit rate 1072693248000/second burst 5 type bytes flags 0x0 ]
 
 # limit rate 1025 bytes/second burst 512 bytes
 ip test-ip4 output
@@ -64,23 +64,23 @@ ip test-ip4 output
 
 # limit rate over 400/minute
 ip test-ip4 output
-  [ limit rate 400/minute burst 0 type packets flags 0x1 ]
+  [ limit rate 400/minute burst 5 type packets flags 0x1 ]
 
 # limit rate over 20/second
 ip test-ip4 output
-  [ limit rate 20/second burst 0 type packets flags 0x1 ]
+  [ limit rate 20/second burst 5 type packets flags 0x1 ]
 
 # limit rate over 400/hour
 ip test-ip4 output
-  [ limit rate 400/hour burst 0 type packets flags 0x1 ]
+  [ limit rate 400/hour burst 5 type packets flags 0x1 ]
 
 # limit rate over 400/week
 ip test-ip4 output
-  [ limit rate 400/week burst 0 type packets flags 0x1 ]
+  [ limit rate 400/week burst 5 type packets flags 0x1 ]
 
 # limit rate over 40/day
 ip test-ip4 output
-  [ limit rate 40/day burst 0 type packets flags 0x1 ]
+  [ limit rate 40/day burst 5 type packets flags 0x1 ]
 
 # limit rate over 1023/second burst 10 packets
 ip test-ip4 output
@@ -88,27 +88,27 @@ ip test-ip4 output
 
 # limit rate over 1 kbytes/second
 ip test-ip4 output
-  [ limit rate 1024/second burst 0 type bytes flags 0x1 ]
+  [ limit rate 1024/second burst 5 type bytes flags 0x1 ]
 
 # limit rate over 2 kbytes/second
 ip test-ip4 output
-  [ limit rate 2048/second burst 0 type bytes flags 0x1 ]
+  [ limit rate 2048/second burst 5 type bytes flags 0x1 ]
 
 # limit rate over 1025 kbytes/second
 ip test-ip4 output
-  [ limit rate 1049600/second burst 0 type bytes flags 0x1 ]
+  [ limit rate 1049600/second burst 5 type bytes flags 0x1 ]
 
 # limit rate over 1023 mbytes/second
 ip test-ip4 output
-  [ limit rate 1072693248/second burst 0 type bytes flags 0x1 ]
+  [ limit rate 1072693248/second burst 5 type bytes flags 0x1 ]
 
 # limit rate over 10230 mbytes/second
 ip test-ip4 output
-  [ limit rate 10726932480/second burst 0 type bytes flags 0x1 ]
+  [ limit rate 10726932480/second burst 5 type bytes flags 0x1 ]
 
 # limit rate over 1023000 mbytes/second
 ip test-ip4 output
-  [ limit rate 1072693248000/second burst 0 type bytes flags 0x1 ]
+  [ limit rate 1072693248000/second burst 5 type bytes flags 0x1 ]
 
 # limit rate over 1025 bytes/second burst 512 bytes
 ip test-ip4 output