From bd7a8291c1e00c3625dd348dbb7246b4a7aa357d Mon Sep 17 00:00:00 2001

From: Pablo Neira Ayuso <pablo@netfilter.org>

Date: Mon, 3 Dec 2018 17:06:21 +0100

Subject: [PATCH] parser: bail out on incorrect burst unit

Burst can be either bytes or packets, depending on the rate limit unit.

 # nft add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets

 Error: syntax error, unexpected packets, expecting string or bytes

 add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets

                                                            ^^^^^^^

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1306

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

(cherry picked from commit 1018eae77176cffd39bad0e499010923642c2cba)

Signed-off-by: Phil Sutter <psutter@redhat.com>

---

 src/parser_bison.y   | 15 +++++++++------

 tests/py/any/limit.t |  2 ++

 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y

index a6b6fc1745a72..aabf16316ff8b 100644

--- a/src/parser_bison.y

+++ b/src/parser_bison.y

@@ -562,7 +562,7 @@ int nft_lex(void *, void *, void *);

 %type <val>			level_type log_flags log_flags_tcp log_flag_tcp

 %type <stmt>			limit_stmt quota_stmt connlimit_stmt

 %destructor { stmt_free($$); }	limit_stmt quota_stmt connlimit_stmt

-%type <val>			limit_burst limit_mode time_unit quota_mode

+%type <val>			limit_burst_pkts limit_burst_bytes limit_mode time_unit quota_mode

 %type <stmt>			reject_stmt reject_stmt_alloc

 %destructor { stmt_free($$); }	reject_stmt reject_stmt_alloc

 %type <stmt>			nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc

@@ -2298,7 +2298,7 @@ log_flag_tcp		:	SEQUENCE

 			}

 			;

-limit_stmt		:	LIMIT	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst

+limit_stmt		:	LIMIT	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst_pkts

 	    		{

 				$$ = limit_stmt_alloc(&@$);

 				$$->limit.rate	= $4;

@@ -2307,7 +2307,7 @@ limit_stmt		:	LIMIT	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst

 				$$->limit.type	= NFT_LIMIT_PKTS;

 				$$->limit.flags = $3;

 			}

-			|	LIMIT	RATE	limit_mode	NUM	STRING	limit_burst

+			|	LIMIT	RATE	limit_mode	NUM	STRING	limit_burst_bytes

 			{

 				struct error_record *erec;

 				uint64_t rate, unit;

@@ -2388,8 +2388,11 @@ limit_mode		:	OVER				{ $$ = NFT_LIMIT_F_INV; }

 			|	/* empty */			{ $$ = 0; }

 			;

-limit_burst		:	/* empty */			{ $$ = 0; }

+limit_burst_pkts	:	/* empty */			{ $$ = 0; }

 			|	BURST	NUM	PACKETS		{ $$ = $2; }

+			;

+

+limit_burst_bytes	:	/* empty */			{ $$ = 0; }

 			|	BURST	NUM	BYTES		{ $$ = $2; }

 			|	BURST	NUM	STRING

 			{

@@ -3199,7 +3202,7 @@ ct_obj_alloc		:

 			}

 			;

-limit_config		:	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst

+limit_config		:	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst_pkts

 			{

 				struct limit *limit;

 				limit = xzalloc(sizeof(*limit));

@@ -3210,7 +3213,7 @@ limit_config		:	RATE	limit_mode	NUM	SLASH	time_unit	limit_burst

 				limit->flags	= $2;

 				$$ = limit;

 			}

-			|	RATE	limit_mode	NUM	STRING	limit_burst

+			|	RATE	limit_mode	NUM	STRING	limit_burst_bytes

 			{

 				struct limit *limit;

 				struct error_record *erec;

diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t

index 8180bea3ddae6..ef7f93133297f 100644

--- a/tests/py/any/limit.t

+++ b/tests/py/any/limit.t

@@ -14,6 +14,7 @@ limit rate 400/hour;ok

 limit rate 40/day;ok

 limit rate 400/week;ok

 limit rate 1023/second burst 10 packets;ok

+limit rate 1023/second burst 10 bytes;fail

 limit rate 1 kbytes/second;ok

 limit rate 2 kbytes/second;ok

@@ -21,6 +22,7 @@ limit rate 1025 kbytes/second;ok

 limit rate 1023 mbytes/second;ok

 limit rate 10230 mbytes/second;ok

 limit rate 1023000 mbytes/second;ok

+limit rate 512 kbytes/second burst 5 packets;fail

 limit rate 1025 bytes/second burst 512 bytes;ok

 limit rate 1025 kbytes/second burst 1023 kbytes;ok

-- 

2.21.0