authorMohit Mehta <mohit.mehta@vyatta.com>2009-06-02 12:13:07 -0700
committerMohit Mehta <mohit.mehta@vyatta.com>2009-06-02 12:22:29 -0700
commitd6644cfe4ab12b700f025641b3628fab435fd4d2 (patch)
treec39ed921f55db6ad6a0c90dd54476f6272bf631d
parentd5e2180f224c05f3797dfe347c87c0d4054d74ff (diff)
downloadvyatta-cfg-firewall-d6644cfe4ab12b700f025641b3628fab435fd4d2.tar.gz
vyatta-cfg-firewall-d6644cfe4ab12b700f025641b3628fab435fd4d2.zip
* add default value of 1 for 'limit burst' in its node.def
* add comp_help for 'limit rate'
* make sure 'limit rate' is not less than 1/time unit
-rw-r--r--lib/Vyatta/IpTables/Rule.pm14
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def3
-rw-r--r--templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/burst/node.def1
-rw-r--r--templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/rate/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def3
9 files changed, 23 insertions, 7 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index be13cf0..8c78613 100644
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -496,15 +496,15 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
}
my $limit = undef;
- if (defined($self->{_limit}->{_burst})) {
- return ("Limit rate not defined", ) if (!defined($self->{_limit}->{_rate}));
+ if (defined $self->{_limit}->{_rate}) {
+ my $rate_integer = $self->{_limit}->{_rate};
+ $rate_integer =~ s/\/(second|minute|hour|day)//;
+ if ($rate_integer < 1) {
+ return ("integer value in rate cannot be less than 1", );
+ }
$limit = "--limit $self->{_limit}->{_rate} --limit-burst $self->{_limit}->{_burst}";
- } elsif (defined($self->{_limit}->{_rate})) {
- $limit = "--limit $self->{_limit}->{_rate} --limit-burst 1";
- }
- if (defined($limit)) {
- $rule .= " -m limit $limit ";
}
+ $rule .= " -m limit $limit " if defined $limit;
my $chain = $self->{_name};
my $rule_num = $self->{_rule_number};
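Review bot: The new rate check strips the unit with an unanchored substitution and then compares numerically, so it accepts values that the rate templates' `^[[:digit:]]+/(second|minute|hour|day)$` pattern would reject, and the raw `_rate` string is then interpolated into `$limit` unchanged. Validating the whole value here would keep the rule string well-formed even if a rate reaches this object by a path that skips the template check: `return ("invalid limit rate", ) unless $self->{_limit}->{_rate} =~ m{\A(\d+)/(?:second|minute|hour|day)\z} && $1 >= 1;`. `_burst` is also interpolated without a `defined` test now, which presumably relies on the new `default: 1` in the burst templates always being loaded; falling back to 1 when it is undefined would keep the old behaviour and avoid emitting an empty `--limit-burst`. The enclosing sub begins and ends outside this hunk.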
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def
index 2739faa..307e602 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def
@@ -1,3 +1,4 @@
type: u32
+default: 1
help: Set maximum number of packets to allow in excess of rate
syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero"
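Review bot: With `default: 1` added here, a rule that sets only `limit burst` is no longer rejected. The Rule.pm hunk in this commit removes the "Limit rate not defined" error and builds `-m limit` only when a rate is present, so such a rule appears to commit with no rate limiting at all. If that is intended, the help text should say so, for example `help: Set maximum number of packets to allow in excess of rate (ignored unless limit rate is set)`. The same applies to the burst node.def under ipv6-name, modify and name.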
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def
index de22a6f..7a3b7d0 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def
@@ -5,3 +5,6 @@ syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \
a forward slash '/' and either of these time units - second, minute, hour or day
eg. 1/second implies rule to be matched at an average of once per second"
+comp_help:Format for rate : integer/time unit
+any one of second, minute, hour or day may be used to specify time unit
+eg. 1/second implies rule to be matched at an average of once per second
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/burst/node.def
index 2739faa..307e602 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/burst/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/burst/node.def
@@ -1,3 +1,4 @@
type: u32
+default: 1
help: Set maximum number of packets to allow in excess of rate
syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/rate/node.def
index de22a6f..7a3b7d0 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/rate/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/rate/node.def
@@ -5,3 +5,6 @@ syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \
a forward slash '/' and either of these time units - second, minute, hour or day
eg. 1/second implies rule to be matched at an average of once per second"
+comp_help:Format for rate : integer/time unit
+any one of second, minute, hour or day may be used to specify time unit
+eg. 1/second implies rule to be matched at an average of once per second
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def
index 2739faa..307e602 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def
@@ -1,3 +1,4 @@
type: u32
+default: 1
help: Set maximum number of packets to allow in excess of rate
syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def
index de22a6f..7a3b7d0 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def
@@ -5,3 +5,6 @@ syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \
a forward slash '/' and either of these time units - second, minute, hour or day
eg. 1/second implies rule to be matched at an average of once per second"
+comp_help:Format for rate : integer/time unit
+any one of second, minute, hour or day may be used to specify time unit
+eg. 1/second implies rule to be matched at an average of once per second
diff --git a/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def
index 2739faa..307e602 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def
@@ -1,3 +1,4 @@
type: u32
+default: 1
help: Set maximum number of packets to allow in excess of rate
syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def
index de22a6f..7a3b7d0 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def
@@ -5,3 +5,6 @@ syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \
a forward slash '/' and either of these time units - second, minute, hour or day
eg. 1/second implies rule to be matched at an average of once per second"
+comp_help:Format for rate : integer/time unit
+any one of second, minute, hour or day may be used to specify time unit
+eg. 1/second implies rule to be matched at an average of once per second