From bd7a8291c1e00c3625dd348dbb7246b4a7aa357d Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 3 Dec 2018 17:06:21 +0100
Subject: [PATCH] parser: bail out on incorrect burst unit
Burst can be either bytes or packets, depending on the rate limit unit.
# nft add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets
Error: syntax error, unexpected packets, expecting string or bytes
add rule x y iif eth0 limit rate 512 kbytes/second burst 5 packets
^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1306
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit 1018eae77176cffd39bad0e499010923642c2cba)
Signed-off-by: Phil Sutter
---
 src/parser_bison.y | 15 +++++++++------
 tests/py/any/limit.t | 2 ++
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index a6b6fc1745a72..aabf16316ff8b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -562,7 +562,7 @@ int nft_lex(void *, void *, void *);
 %type level_type log_flags log_flags_tcp log_flag_tcp
 %type limit_stmt quota_stmt connlimit_stmt
 %destructor { stmt_free($$); } limit_stmt quota_stmt connlimit_stmt
-%type limit_burst limit_mode time_unit quota_mode
+%type limit_burst_pkts limit_burst_bytes limit_mode time_unit quota_mode
 %type reject_stmt reject_stmt_alloc
 %destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
 %type nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
@@ -2298,7 +2298,7 @@ log_flag_tcp : SEQUENCE
 }
 ;
-limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst
+limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst_pkts
 {
 $$ = limit_stmt_alloc(&@$);
 $$->limit.rate = $4;
@@ -2307,7 +2307,7 @@ limit_stmt : LIMIT RATE limit_mode NUM SLASH time_unit limit_burst
 $$->limit.type = NFT_LIMIT_PKTS;
 $$->limit.flags = $3;
 }
- | LIMIT RATE limit_mode NUM STRING limit_burst
+ | LIMIT RATE limit_mode NUM STRING limit_burst_bytes
 {
 struct error_record *erec;
 uint64_t rate, unit;
@@ -2388,8 +2388,11 @@ limit_mode : OVER { $$ = NFT_LIMIT_F_INV; }
 | /* empty */ { $$ = 0; }
 ;
-limit_burst : /* empty */ { $$ = 0; }
+limit_burst_pkts : /* empty */ { $$ = 0; }
 | BURST NUM PACKETS { $$ = $2; }
+ ;
+
+limit_burst_bytes : /* empty */ { $$ = 0; }
 | BURST NUM BYTES { $$ = $2; }
 | BURST NUM STRING
 {
@@ -3199,7 +3202,7 @@ ct_obj_alloc :
 }
 ;
-limit_config : RATE limit_mode NUM SLASH time_unit limit_burst
+limit_config : RATE limit_mode NUM SLASH time_unit limit_burst_pkts
 {
 struct limit *limit;
 limit = xzalloc(sizeof(*limit));
@@ -3210,7 +3213,7 @@ limit_config : RATE limit_mode NUM SLASH time_unit limit_burst
 limit->flags = $2;
 $$ = limit;
 }
- | RATE limit_mode NUM STRING limit_burst
+ | RATE limit_mode NUM STRING limit_burst_bytes
 {
 struct limit *limit;
 struct error_record *erec;
diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t
index 8180bea3ddae6..ef7f93133297f 100644
--- a/tests/py/any/limit.t
+++ b/tests/py/any/limit.t
@@ -14,6 +14,7 @@ limit rate 400/hour;ok
 limit rate 40/day;ok
 limit rate 400/week;ok
 limit rate 1023/second burst 10 packets;ok
+limit rate 1023/second burst 10 bytes;fail
 limit rate 1 kbytes/second;ok
 limit rate 2 kbytes/second;ok
@@ -21,6 +22,7 @@ limit rate 1025 kbytes/second;ok
 limit rate 1023 mbytes/second;ok
 limit rate 10230 mbytes/second;ok
 limit rate 1023000 mbytes/second;ok
+limit rate 512 kbytes/second burst 5 packets;fail
 limit rate 1025 bytes/second burst 512 bytes;ok
 limit rate 1025 kbytes/second burst 1023 kbytes;ok
--
2.21.0
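Review bot: The split of `limit_burst` into `limit_burst_pkts` and `limit_burst_bytes` (src/parser_bison.y, hunk `@@ -2388,8 +2388,11 @@`) leaves both new rules without a comment, although pairing each rule with one rate form is the entire reason they exist. I would put `/* packet rates (NUM SLASH time_unit): burst must be given in packets */` above `limit_burst_pkts` and `/* byte rates (NUM STRING): burst in bytes or with a unit string */` above `limit_burst_bytes`, so a later grammar edit does not merge them again and let a limiter load with a burst in the wrong unit. A mismatch is now reported only through bison's generic `unexpected packets, expecting string or bytes` text quoted in the commit message, so the comment should also say that rejection relies on the grammar rather than on a check in the action. The `BURST NUM STRING` action of `limit_burst_bytes` continues past the end of the hunk.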
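Review bot: The two `;fail` cases added to tests/py/any/limit.t (hunks `@@ -14,6 +14,7 @@` and `@@ -21,6 +22,7 @@`) cover one mismatch per direction, but a packet rate followed by a unit-string burst, which previously went through the `BURST NUM STRING` alternative, is not exercised; I would add `limit rate 1023/second burst 10 kbytes;fail`. Both cases also use only the `limit rate ...` statement, while the same commit changes the two `limit_config` alternatives in src/parser_bison.y; whether named limit objects have negative tests elsewhere is not visible from this patch. Since a rate limit that loads with an unintended burst unit throttles differently from what the ruleset author expects, each rejected combination is worth pinning with its own line.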