
Commit 3e87baa

netfilter: nft_limit: add burst parameter
This patch adds the burst parameter. The burst value is the number of packets that are allowed to exceed the configured limit. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent f8d3a6b commit 3e87baa

2 files changed

+20
-2
lines changed


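--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -761,11 +761,13 @@ enum nft_ct_attributes {
 *
 * @NFTA_LIMIT_RATE: refill rate (NLA_U64)
 * @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
+* @NFTA_LIMIT_BURST: burst (NLA_U32)
 */
 enum nft_limit_attributes {
 NFTA_LIMIT_UNSPEC,
 NFTA_LIMIT_RATE,
 NFTA_LIMIT_UNIT,
+NFTA_LIMIT_BURST,
 __NFTA_LIMIT_MAX
 };
 #define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)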
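Review bot: The kernel-doc line added for NFTA_LIMIT_BURST says only `burst (NLA_U32)`, which does not tell a userspace author what the value counts or what it is relative to; the commit message ("number of packets that can exceed the limit") is more precise than the header. Suggest `* @NFTA_LIMIT_BURST: number of packets allowed to exceed the rate (NLA_U32)`. Since this is a uapi header the comment is the ABI documentation, so it is also worth stating whether the excess is a one-off bucket size or is granted every unit, whichever the implementation settles on.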

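--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -25,6 +25,7 @@ struct nft_limit {
 u64 tokens_max;
 u64 rate;
 u64 nsecs;
+u32 burst;
 };
 
 static inline bool nft_limit_eval(struct nft_limit *limit, u64 cost)
@@ -65,6 +66,18 @@ static int nft_limit_init(struct nft_limit *limit,
 if (limit->rate == 0 || limit->nsecs < unit)
 return -EOVERFLOW;
 limit->tokens = limit->tokens_max = limit->nsecs;
+
+if (tb[NFTA_LIMIT_BURST]) {
+u64 rate;
+
+limit->burst = ntohl(nla_get_be32(tb[NFTA_LIMIT_BURST]));
+
+rate = limit->rate + limit->burst;
+if (rate < limit->rate)
+return -EOVERFLOW;
+
+limit->rate = rate;
+}
 limit->last = ktime_get_ns();
 
 return 0;
@@ -73,9 +86,11 @@ static int nft_limit_init(struct nft_limit *limit,
 static int nft_limit_dump(struct sk_buff *skb, const struct nft_limit *limit)
 {
 u64 secs = div_u64(limit->nsecs, NSEC_PER_SEC);
+u64 rate = limit->rate - limit->burst;
 
-if (nla_put_be64(skb, NFTA_LIMIT_RATE, cpu_to_be64(limit->rate)) ||
-nla_put_be64(skb, NFTA_LIMIT_UNIT, cpu_to_be64(secs)))
+if (nla_put_be64(skb, NFTA_LIMIT_RATE, cpu_to_be64(rate)) ||
+nla_put_be64(skb, NFTA_LIMIT_UNIT, cpu_to_be64(secs)) ||
+nla_put_be32(skb, NFTA_LIMIT_BURST, htonl(limit->burst)))
 goto nla_put_failure;
 return 0;
 
@@ -96,6 +111,7 @@ static void nft_limit_pkts_eval(const struct nft_expr *expr,
 static const struct nla_policy nft_limit_policy[NFTA_LIMIT_MAX + 1] = {
 [NFTA_LIMIT_RATE] = { .type = NLA_U64 },
 [NFTA_LIMIT_UNIT] = { .type = NLA_U64 },
+[NFTA_LIMIT_BURST] = { .type = NLA_U32 },
 };
 
 static int nft_limit_pkts_init(const struct nft_ctx *ctx,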
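Review bot: In nft_limit_init the burst is folded into the sustained rate (`limit->rate = rate;`) while `tokens_max` is left at `limit->nsecs`, so if the per-packet cost in the eval path is derived from `limit->rate` (nft_limit_eval and nft_limit_pkts_eval are outside the hunk), the extra packets look like they are granted every unit rather than as a one-off excess above the limit as the commit message describes. A burst is normally expressed by enlarging the bucket, i.e. leaving `limit->rate` untouched and sizing `limit->tokens_max` for rate plus burst, which would also remove the need for nft_limit_dump to reconstruct the user-visible rate with `limit->rate - limit->burst`. If the fold-in is intentional, a comment at that line such as `/* burst is folded into rate; nft_limit_dump subtracts it again */` would keep the two sites from drifting apart. The `rate < limit->rate` guard is a correct u64 overflow check, though with a u32 burst it can only fire for rates within UINT_MAX of U64_MAX, and the dump path presumes `burst` is zero when the attribute was absent, which depends on the expression's private area being zeroed by the core (not visible here).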
