| Message ID | 1463825236-33317-1-git-send-email-zlpnobody@163.com |
|---|---|
| State | Accepted |
| Delegated to: | Pablo Neira |
On Sat, May 21, 2016 at 06:07:16PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
>
> The default burst value is 5 in the iptables limit extension while it is 0 in
> the nft limit expression; if the burst value is the default, it will not be
> displayed when we dump the rules. But when we do translation from iptables
> rules to nft rules, we should keep the limit burst value unchanged, even if
> it is not displayed in iptables rules.
>
> And now, if the limit-burst value in the iptables rule is 5 or 0, they are
> all translated to an nft rule without burst; this is wrong:
>
> $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
> nft add rule ip filter INPUT limit rate 10/second counter
> $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
> nft add rule ip filter INPUT limit rate 10/second burst 0 packets counter
>
> After applying this patch, the translation becomes:
>
> $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
> nft add rule ip filter INPUT limit rate 10/second burst 5 packets counter
> $ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
> nft add rule ip filter INPUT limit rate 10/second counter

Applied, thanks.
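The defaults mismatch described in the commit message, as an added example that is not part of the iptables source: the old and new burst-emission rules side by side, plus a check that the burst nft would actually apply (its own default of 0 when the clause is absent) equals the iptables burst. `XT_LIMIT_BURST` is set to 5 here because the message states that is the iptables default; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Defaults as stated in the commit message: iptables' limit extension
   defaults burst to 5, the nft limit expression defaults it to 0. */
#define XT_LIMIT_BURST 5
#define NFT_LIMIT_BURST_DEFAULT 0

/* Before the patch: the clause was dropped whenever burst equalled the
   iptables default, so "--limit-burst 5" silently became nft's 0. */
static int xlate_burst_before(unsigned burst, char *out, size_t n) {
    if (burst != XT_LIMIT_BURST)
        return snprintf(out, n, "burst %u packets ", burst);
    out[0] = '\0';
    return 0;
}

/* After the patch: the clause is dropped only when it equals nft's default,
   i.e. exactly when nft would apply the same value without it. */
static int xlate_burst_after(unsigned burst, char *out, size_t n) {
    if (burst != NFT_LIMIT_BURST_DEFAULT)
        return snprintf(out, n, "burst %u packets ", burst);
    out[0] = '\0';
    return 0;
}

/* The burst nft ends up enforcing for an emitted clause: the stated value,
   or nft's own default when no clause was emitted. */
static unsigned effective_nft_burst(const char *clause) {
    unsigned b;
    if (sscanf(clause, "burst %u packets", &b) == 1)
        return b;
    return NFT_LIMIT_BURST_DEFAULT;
}

/* Returns 1 if translating `burst` with `xlate` keeps the enforced burst
   unchanged, 0 if the translation silently alters it. */
static int burst_preserved(int (*xlate)(unsigned, char *, size_t), unsigned burst) {
    char buf[64];
    xlate(burst, buf, sizeof buf);
    return effective_nft_burst(buf) == burst;
}

int main(void) {
    unsigned cases[] = {0, 5, 7};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("burst %u: before=%s after=%s\n", cases[i],
               burst_preserved(xlate_burst_before, cases[i]) ? "ok" : "LOST",
               burst_preserved(xlate_burst_after, cases[i]) ? "ok" : "LOST");
    return 0;
}
```

The old rule only fails for the iptables default itself; the old "burst 0 packets" output was redundant rather than wrong, which is why the test treats it as preserved.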
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c index c88d26b..6652849 100644 --- a/extensions/libxt_limit.c +++ b/extensions/libxt_limit.c @@ -184,7 +184,7 @@ static int limit_xlate(const void *ip, const struct xt_entry_match *match, xt_xlate_add(xl, "limit rate"); print_rate_xlate(r->avg, xl); - if (r->burst != XT_LIMIT_BURST) + if (r->burst != 0) xt_xlate_add(xl, "burst %u packets ", r->burst); return 1;
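Review bot: the literal `0` in `if (r->burst != 0)` is nft's default burst rather than an xtables constant, so a one-line comment at that spot (for instance `/* nft's limit expression defaults burst to 0, unlike XT_LIMIT_BURST */`) would keep a later reader from "fixing" it back to `XT_LIMIT_BURST`, which is precisely the bug this hunk removes. The logic itself is right per the commit message: the clause is now omitted only when nft would apply the same value anyway, so the enforced burst is never changed by translation.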