From patchwork Thu Jan 4 09:55:47 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 855527 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zC38Y3xCkz9s74 for ; Thu, 4 Jan 2018 20:55:57 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751872AbeADJz4 (ORCPT ); Thu, 4 Jan 2018 04:55:56 -0500 Received: from mail.us.es ([193.147.175.20]:51474 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751829AbeADJz4 (ORCPT ); Thu, 4 Jan 2018 04:55:56 -0500 Received: from antivirus1-rhel7.int (unknown [192.168.2.11]) by mail.us.es (Postfix) with ESMTP id AA44DB6C88 for ; Thu, 4 Jan 2018 10:55:54 +0100 (CET) Received: from antivirus1-rhel7.int (localhost [127.0.0.1]) by antivirus1-rhel7.int (Postfix) with ESMTP id 99E3134D8 for ; Thu, 4 Jan 2018 10:55:54 +0100 (CET) Received: by antivirus1-rhel7.int (Postfix, from userid 99) id 8F834358C; Thu, 4 Jan 2018 10:55:54 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on antivirus1-rhel7.int X-Spam-Level: X-Spam-Status: No, score=-108.2 required=7.5 tests=ALL_TRUSTED,BAYES_50, SMTPAUTH_US2,USER_IN_WHITELIST autolearn=disabled version=3.4.1 Received: from antivirus1-rhel7.int (localhost [127.0.0.1]) by antivirus1-rhel7.int (Postfix) with ESMTP id 59BAB53CDC for ; Thu, 4 Jan 2018 10:55:51 +0100 (CET) Received: from 192.168.1.97 (192.168.1.97) by antivirus1-rhel7.int (F-Secure/fsigk_smtp/550/antivirus1-rhel7.int); Thu, 04 Jan 2018 10:55:51 +0100 (CET) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int) Received: from salvia.here (129.166.216.87.static.jazztel.es [87.216.166.129]) (Authenticated sender: pneira@us.es) by entrada.int (Postfix) with ESMTPA id 28E8D41FEA09 for ; Thu, 4 Jan 2018 10:55:51 +0100 (CET) X-SMTPAUTHUS: auth mail.us.es From: Pablo Neira Ayuso To: netfilter-devel@vger.kernel.org Subject: [PATCH iptables] extensions: hashlimit: always print timeout on translations Date: Thu, 4 Jan 2018 10:55:47 +0100 Message-Id: <20180104095547.5284-1-pablo@netfilter.org> X-Mailer: git-send-email 2.11.0 X-Virus-Scanned: ClamAV using ClamSMTP Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Meters need an explicit timeout that we cannot skip, otherwise entries remain in the set forever. This fixes the following translation: $ iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 1000 -j DROP that was skipping the timeout option: nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip saddr limit rate over 200 kbytes/second burst 1 mbytes} counter drop Reported-by: Duncan Roe Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_hashlimit.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c index 3fa5719127db..f85f2d3a179a 100644 --- a/extensions/libxt_hashlimit.c +++ b/extensions/libxt_hashlimit.c @@ -1341,8 +1341,7 @@ static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name, xt_xlate_add(xl, "flow table %s {", name); ret = hashlimit_mode_xlate(xl, cfg->mode, family, cfg->srcmask, cfg->dstmask); - if (cfg->expire != 1000) - xt_xlate_add(xl, " timeout %us", cfg->expire / 1000); + xt_xlate_add(xl, " timeout %us", cfg->expire / 1000); xt_xlate_add(xl, " limit rate"); if (cfg->mode & XT_HASHLIMIT_INVERT)