rpms/nftables
7
0
Fork 0
Code Issues Pull Requests Releases Activity
ac5538bc72
nftables/SOURCES/0041-parser-bail-out-on-incorrect-burst-unit.patch
CentOS Sources ac5538bc72 import nftables-0.9.0-14.el8_1.1
2021-09-09 22:49:01 +00:00

107 lines
3.8 KiB
Diff
Raw Blame History

From bd7a8291c1e00c3625dd348dbb7246b4a7aa357d Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 3 Dec 2018 17:06:21 +0100
Subject: [PATCH] parser: bail out on incorrect burst unit
Burst can be either bytes or packets, depending on the rate limit unit.
# nft add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets
Error: syntax error, unexpected packets, expecting string or bytes
add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets
^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1306
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 1018eae77176cffd39bad0e499010923642c2cba)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/parser_bison.y | 15 +++++++++------
tests/py/any/limit.t | 2 ++
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index a6b6fc1745a72..aabf16316ff8b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -562,7 +562,7 @@ int nft_lex(void *, void *, void *);
%type <val> level_type log_flags log_flags_tcp log_flag_tcp
%type <stmt> limit_stmt quota_stmt connlimit_stmt
%destructor { stmt_free($$); } limit_stmt quota_stmt connlimit_stmt
-%type <val> limit_burst limit_mode time_unit quota_mode
+%type <val> limit_burst_pkts limit_burst_bytes limit_mode time_unit quota_mode
%type <stmt> reject_stmt reject_stmt_alloc
%destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
%type <stmt> nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
@@ -2298,7 +2298,7 @@ log_flag_tcp : SEQUENCE
}
;
-limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst
+limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
$$ = limit_stmt_alloc(&@$);
$$->limit.rate = $4;
@@ -2307,7 +2307,7 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst
$$->limit.type = NFT_LIMIT_PKTS;
$$->limit.flags = $3;
}
- | LIMIT RATE limit_mode NUM STRING limit_burst
+ | LIMIT RATE limit_mode NUM STRING limit_burst_bytes
{
struct error_record *erec;
uint64_t rate, unit;
@@ -2388,8 +2388,11 @@ limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
| /* empty */ { $$ = 0; }
;
-limit_burst : /* empty */ { $$ = 0; }
+limit_burst_pkts : /* empty */ { $$ = 0; }
| BURST NUM PACKETS { $$ = $2; }
+ ;
+
+limit_burst_bytes : /* empty */ { $$ = 0; }
| BURST NUM BYTES { $$ = $2; }
| BURST NUM STRING
{
@@ -3199,7 +3202,7 @@ ct_obj_alloc :
}
;
-limit_config : RATE limit_mode NUM SLASH time_unit limit_burst
+limit_config : RATE limit_mode NUM SLASH time_unit limit_burst_pkts
{
struct limit *limit;
limit = xzalloc(sizeof(*limit));
@@ -3210,7 +3213,7 @@ limit_config : RATE limit_mode NUM SLASH time_unit limit_burst
limit->flags = $2;
$$ = limit;
}
- | RATE limit_mode NUM STRING limit_burst
+ | RATE limit_mode NUM STRING limit_burst_bytes
{
struct limit *limit;
struct error_record *erec;
diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t
index 8180bea3ddae6..ef7f93133297f 100644
--- a/tests/py/any/limit.t
+++ b/tests/py/any/limit.t
@@ -14,6 +14,7 @@ limit rate 400/hour;ok
limit rate 40/day;ok
limit rate 400/week;ok
limit rate 1023/second burst 10 packets;ok
+limit rate 1023/second burst 10 bytes;fail
limit rate 1 kbytes/second;ok
limit rate 2 kbytes/second;ok
@@ -21,6 +22,7 @@ limit rate 1025 kbytes/second;ok
limit rate 1023 mbytes/second;ok
limit rate 10230 mbytes/second;ok
limit rate 1023000 mbytes/second;ok
+limit rate 512 kbytes/second burst 5 packets;fail
limit rate 1025 bytes/second burst 512 bytes;ok
limit rate 1025 kbytes/second burst 1023 kbytes;ok
--
2.21.0
Reference in New Issue View Git Blame Copy Permalink