[PATCH] extensions: libxt_limit: Add translation to nft

[Shivani Bhardwaj <shivanib134@gmail.com>]

Add translation for module limit to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m limit --limit 5/s
nft add rule ip filter INPUT limit rate 5/second counter

$ sudo iptables-translate -A INPUT -m limit --limit 3/m --limit-burst 3
nft add rule ip filter INPUT limit rate 3/minute  burst 3 packets counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
 extensions/libxt_limit.c | 57 +++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 49 insertions(+), 8 deletions(-)

diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index f75ef2f..e4374a7 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -25,8 +25,8 @@ static void limit_help(void)
 {
 	printf(
 "limit match options:\n"
-"--limit avg			max average match rate: default "XT_LIMIT_AVG"\n"
-"                                [Packets per second unless followed by \n"
+"--limit avg		max average match rate: default "XT_LIMIT_AVG"\n"
+"                                [Packets per second unless followed by\n"
 "                                /sec /minute /hour /day postfixes]\n"
 "--limit-burst number		number to match in a burst, default %u\n",
 XT_LIMIT_BURST);
@@ -73,7 +73,8 @@ int parse_rate(const char *rate, uint32_t *val)
 		 * The rate maps to infinity. (1/day is the minimum they can
 		 * specify, so we are ok at that end).
 		 */
-		xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
+		xtables_error(PARAMETER_PROBLEM,
+			      "Rate too fast \"%s\"\n", rate);
 	return 1;
 }
 
@@ -86,10 +87,11 @@ static void limit_init(struct xt_entry_match *m)
 
 }
 
-/* FIXME: handle overflow:
-	if (r->avg*r->burst/r->burst != r->avg)
-		xtables_error(PARAMETER_PROBLEM,
-			   "Sorry: burst too large for that avg rate.\n");
+/*
+ * FIXME: handle overflow:
+ * if (r->avg*r->burst/r->burst != r->avg)
+ *		xtables_error(PARAMETER_PROBLEM,
+ *			"Sorry: burst too large for that avg rate.\n");
 */
 
 static void limit_parse(struct xt_option_call *cb)
@@ -129,7 +131,7 @@ static void print_rate(uint32_t period)
 
 	for (i = 1; i < ARRAY_SIZE(rates); ++i)
 		if (period > rates[i].mult
-            || rates[i].mult/period < rates[i].mult%period)
+		    || rates[i].mult/period < rates[i].mult%period)
 			break;
 
 	printf(" %u/%s", rates[i-1].mult / period, rates[i-1].name);
@@ -139,6 +141,7 @@ static void
 limit_print(const void *ip, const struct xt_entry_match *match, int numeric)
 {
 	const struct xt_rateinfo *r = (const void *)match->data;
+
 	printf(" limit: avg"); print_rate(r->avg);
 	printf(" burst %u", r->burst);
 }
@@ -152,6 +155,43 @@ static void limit_save(const void *ip, const struct xt_entry_match *match)
 		printf(" --limit-burst %u", r->burst);
 }
 
+static const struct
+rates rates_xlate[] = { { "day", XT_LIMIT_SCALE*24*60*60 },
+			{ "hour", XT_LIMIT_SCALE*60*60 },
+			{ "minute", XT_LIMIT_SCALE*60 },
+			{ "second", XT_LIMIT_SCALE } };
+
+static void print_rate_xlate(uint32_t period, struct xt_buf *buf)
+{
+	unsigned int i;
+
+	if (period == 0) {
+		xt_buf_add(buf, " %f", INFINITY);
+		return;
+	}
+
+	for (i = 1; i < ARRAY_SIZE(rates); ++i)
+		if (period > rates_xlate[i].mult
+		    || rates_xlate[i].mult/period < rates_xlate[i].mult%period)
+			break;
+
+	xt_buf_add(buf, " %u/%s ", rates_xlate[i-1].mult / period,
+		   rates_xlate[i-1].name);
+}
+
+static int limit_xlate(const struct xt_entry_match *match,
+		       struct xt_buf *buf, int numeric)
+{
+	const struct xt_rateinfo *r = (const void *)match->data;
+
+	xt_buf_add(buf, "limit rate");
+	print_rate_xlate(r->avg, buf);
+	if (r->burst != XT_LIMIT_BURST)
+		xt_buf_add(buf, " burst %u packets ", r->burst);
+
+	return 1;
+}
+
 static struct xtables_match limit_match = {
 	.family		= NFPROTO_UNSPEC,
 	.name		= "limit",
@@ -164,6 +204,7 @@ static struct xtables_match limit_match = {
 	.print		= limit_print,
 	.save		= limit_save,
 	.x6_options	= limit_opts,
+	.xlate		= limit_xlate,
 };
 
 void _init(void)
-- 
1.9.1