* [PATCH v2] extensions: libxt_limit: Add translation to nft
@ 2015-12-22 21:55 Shivani Bhardwaj
2015-12-25 12:06 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Shivani Bhardwaj @ 2015-12-22 21:55 UTC (permalink / raw)
To: netfilter-devel
Add translation for module limit to nftables.
Examples:
$ sudo iptables-translate -A INPUT -m limit --limit 5/s
nft add rule ip filter INPUT limit rate 5/second counter
$ sudo iptables-translate -A INPUT -m limit --limit 3/m --limit-burst 3
nft add rule ip filter INPUT limit rate 3/minute burst 3 packets counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
---
Changes in v2:
Fix coding style problems
extensions/libxt_limit.c | 59 ++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 50 insertions(+), 9 deletions(-)
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index f75ef2f..1874686 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -25,8 +25,8 @@ static void limit_help(void)
{
printf(
"limit match options:\n"
-"--limit avg max average match rate: default "XT_LIMIT_AVG"\n"
-" [Packets per second unless followed by \n"
+"--limit avg max average match rate: default "XT_LIMIT_AVG"\n"
+" [Packets per second unless followed by\n"
" /sec /minute /hour /day postfixes]\n"
"--limit-burst number number to match in a burst, default %u\n",
XT_LIMIT_BURST);
@@ -73,7 +73,8 @@ int parse_rate(const char *rate, uint32_t *val)
* The rate maps to infinity. (1/day is the minimum they can
* specify, so we are ok at that end).
*/
- xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
+ xtables_error(PARAMETER_PROBLEM,
+ "Rate too fast \"%s\"\n", rate);
return 1;
}
@@ -86,10 +87,11 @@ static void limit_init(struct xt_entry_match *m)
}
-/* FIXME: handle overflow:
- if (r->avg*r->burst/r->burst != r->avg)
- xtables_error(PARAMETER_PROBLEM,
- "Sorry: burst too large for that avg rate.\n");
+/*
+ * FIXME: handle overflow:
+ * if (r->avg*r->burst/r->burst != r->avg)
+ * xtables_error(PARAMETER_PROBLEM,
+ * "Sorry: burst too large for that avg rate.\n");
*/
static void limit_parse(struct xt_option_call *cb)
@@ -128,8 +130,8 @@ static void print_rate(uint32_t period)
}
for (i = 1; i < ARRAY_SIZE(rates); ++i)
- if (period > rates[i].mult
- || rates[i].mult/period < rates[i].mult%period)
+ if (period > rates[i].mult ||
+ rates[i].mult / period < rates[i].mult % period)
break;
printf(" %u/%s", rates[i-1].mult / period, rates[i-1].name);
@@ -139,6 +141,7 @@ static void
limit_print(const void *ip, const struct xt_entry_match *match, int numeric)
{
const struct xt_rateinfo *r = (const void *)match->data;
+
printf(" limit: avg"); print_rate(r->avg);
printf(" burst %u", r->burst);
}
@@ -152,6 +155,43 @@ static void limit_save(const void *ip, const struct xt_entry_match *match)
printf(" --limit-burst %u", r->burst);
}
+static const struct rates rates_xlate[] = {
+ { "day", XT_LIMIT_SCALE*24*60*60 },
+ { "hour", XT_LIMIT_SCALE*60*60 },
+ { "minute", XT_LIMIT_SCALE*60 },
+ { "second", XT_LIMIT_SCALE } };
+
+static void print_rate_xlate(uint32_t period, struct xt_buf *buf)
+{
+ unsigned int i;
+
+ if (period == 0) {
+ xt_buf_add(buf, " %f ", INFINITY);
+ return;
+ }
+
+ for (i = 1; i < ARRAY_SIZE(rates); ++i)
+ if (period > rates_xlate[i].mult ||
+ rates_xlate[i].mult / period < rates_xlate[i].mult % period)
+ break;
+
+ xt_buf_add(buf, " %u/%s ", rates_xlate[i-1].mult / period,
+ rates_xlate[i-1].name);
+}
+
+static int limit_xlate(const struct xt_entry_match *match,
+ struct xt_buf *buf, int numeric)
+{
+ const struct xt_rateinfo *r = (const void *)match->data;
+
+ xt_buf_add(buf, "limit rate");
+ print_rate_xlate(r->avg, buf);
+ if (r->burst != XT_LIMIT_BURST)
+ xt_buf_add(buf, "burst %u packets ", r->burst);
+
+ return 1;
+}
+
static struct xtables_match limit_match = {
.family = NFPROTO_UNSPEC,
.name = "limit",
@@ -164,6 +204,7 @@ static struct xtables_match limit_match = {
.print = limit_print,
.save = limit_save,
.x6_options = limit_opts,
+ .xlate = limit_xlate,
};
void _init(void)
--
1.9.1
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH v2] extensions: libxt_limit: Add translation to nft
2015-12-22 21:55 [PATCH v2] extensions: libxt_limit: Add translation to nft Shivani Bhardwaj
@ 2015-12-25 12:06 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-25 12:06 UTC (permalink / raw)
To: Shivani Bhardwaj; +Cc: netfilter-devel
On Wed, Dec 23, 2015 at 03:25:21AM +0530, Shivani Bhardwaj wrote:
> Add translation for module limit to nftables.
>
> Examples:
>
> $ sudo iptables-translate -A INPUT -m limit --limit 5/s
> nft add rule ip filter INPUT limit rate 5/second counter
>
> $ sudo iptables-translate -A INPUT -m limit --limit 3/m --limit-burst 3
> nft add rule ip filter INPUT limit rate 3/minute burst 3 packets counter
Applied with minor glitch.
> diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
> index f75ef2f..1874686 100644
> --- a/extensions/libxt_limit.c
> +++ b/extensions/libxt_limit.c
> @@ -25,8 +25,8 @@ static void limit_help(void)
> {
> printf(
> "limit match options:\n"
> -"--limit avg max average match rate: default "XT_LIMIT_AVG"\n"
> -" [Packets per second unless followed by \n"
> +"--limit avg max average match rate: default "XT_LIMIT_AVG"\n"
> +" [Packets per second unless followed by\n"
> " /sec /minute /hour /day postfixes]\n"
> "--limit-burst number number to match in a burst, default %u\n",
> XT_LIMIT_BURST);
> @@ -73,7 +73,8 @@ int parse_rate(const char *rate, uint32_t *val)
> * The rate maps to infinity. (1/day is the minimum they can
> * specify, so we are ok at that end).
> */
> - xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
> + xtables_error(PARAMETER_PROBLEM,
> + "Rate too fast \"%s\"\n", rate);
> return 1;
> }
>
> @@ -86,10 +87,11 @@ static void limit_init(struct xt_entry_match *m)
>
> }
>
> -/* FIXME: handle overflow:
> - if (r->avg*r->burst/r->burst != r->avg)
> - xtables_error(PARAMETER_PROBLEM,
> - "Sorry: burst too large for that avg rate.\n");
> +/*
> + * FIXME: handle overflow:
> + * if (r->avg*r->burst/r->burst != r->avg)
> + * xtables_error(PARAMETER_PROBLEM,
> + * "Sorry: burst too large for that avg rate.\n");
> */
>
> static void limit_parse(struct xt_option_call *cb)
> @@ -128,8 +130,8 @@ static void print_rate(uint32_t period)
> }
>
> for (i = 1; i < ARRAY_SIZE(rates); ++i)
> - if (period > rates[i].mult
> - || rates[i].mult/period < rates[i].mult%period)
> + if (period > rates[i].mult ||
> + rates[i].mult / period < rates[i].mult % period)
> break;
>
> printf(" %u/%s", rates[i-1].mult / period, rates[i-1].name);
> @@ -139,6 +141,7 @@ static void
> limit_print(const void *ip, const struct xt_entry_match *match, int numeric)
> {
> const struct xt_rateinfo *r = (const void *)match->data;
> +
> printf(" limit: avg"); print_rate(r->avg);
> printf(" burst %u", r->burst);
> }
These cleanup above, you better place them next time in a separated
initial patch. I have keep them back.
> @@ -152,6 +155,43 @@ static void limit_save(const void *ip, const struct xt_entry_match *match)
> printf(" --limit-burst %u", r->burst);
> }
>
> +static const struct rates rates_xlate[] = {
> + { "day", XT_LIMIT_SCALE*24*60*60 },
> + { "hour", XT_LIMIT_SCALE*60*60 },
> + { "minute", XT_LIMIT_SCALE*60 },
> + { "second", XT_LIMIT_SCALE } };
I have reorganized this array definition, see what I applied so you
follow the same pattern next time.
Thanks.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-12-25 12:06 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-12-22 21:55 [PATCH v2] extensions: libxt_limit: Add translation to nft Shivani Bhardwaj
2015-12-25 12:06 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).