diff options
author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-06-02 12:13:07 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-06-02 12:22:29 -0700 |
commit | d6644cfe4ab12b700f025641b3628fab435fd4d2 (patch) | |
tree | c39ed921f55db6ad6a0c90dd54476f6272bf631d | |
parent | d5e2180f224c05f3797dfe347c87c0d4054d74ff (diff) | |
download | vyatta-cfg-firewall-d6644cfe4ab12b700f025641b3628fab435fd4d2.tar.gz vyatta-cfg-firewall-d6644cfe4ab12b700f025641b3628fab435fd4d2.zip |
* add default value of 1 for 'limit burst' in its node.def
* add comp_help for 'limit rate'
* make sure 'limit rate' is not less than 1/time unit
9 files changed, 23 insertions, 7 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm index be13cf0..8c78613 100644 --- a/lib/Vyatta/IpTables/Rule.pm +++ b/lib/Vyatta/IpTables/Rule.pm @@ -496,15 +496,15 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo } my $limit = undef; - if (defined($self->{_limit}->{_burst})) { - return ("Limit rate not defined", ) if (!defined($self->{_limit}->{_rate})); + if (defined $self->{_limit}->{_rate}) { + my $rate_integer = $self->{_limit}->{_rate}; + $rate_integer =~ s/\/(second|minute|hour|day)//; + if ($rate_integer < 1) { + return ("integer value in rate cannot be less than 1", ); + } $limit = "--limit $self->{_limit}->{_rate} --limit-burst $self->{_limit}->{_burst}"; - } elsif (defined($self->{_limit}->{_rate})) { - $limit = "--limit $self->{_limit}->{_rate} --limit-burst 1"; - } - if (defined($limit)) { - $rule .= " -m limit $limit "; } + $rule .= " -m limit $limit " if defined $limit; my $chain = $self->{_name}; my $rule_num = $self->{_rule_number}; diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def index 2739faa..307e602 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def +++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def @@ -1,3 +1,4 @@ type: u32 +default: 1 help: Set maximum number of packets to allow in excess of rate syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def index de22a6f..7a3b7d0 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def +++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def @@ -5,3 +5,6 @@ syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ a forward slash '/' and either of these time units - second, minute, hour or day eg. 1/second implies rule to be matched at an average of once per second" +comp_help:Format for rate : integer/time unit +any one of second, minute, hour or day may be used to specify time unit +eg. 1/second implies rule to be matched at an average of once per second diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/burst/node.def index 2739faa..307e602 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/burst/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/burst/node.def @@ -1,3 +1,4 @@ type: u32 +default: 1 help: Set maximum number of packets to allow in excess of rate syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/rate/node.def index de22a6f..7a3b7d0 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/rate/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/rate/node.def @@ -5,3 +5,6 @@ syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ a forward slash '/' and either of these time units - second, minute, hour or day eg. 1/second implies rule to be matched at an average of once per second" +comp_help:Format for rate : integer/time unit +any one of second, minute, hour or day may be used to specify time unit +eg. 1/second implies rule to be matched at an average of once per second diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def index 2739faa..307e602 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def @@ -1,3 +1,4 @@ type: u32 +default: 1 help: Set maximum number of packets to allow in excess of rate syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def index de22a6f..7a3b7d0 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def @@ -5,3 +5,6 @@ syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ a forward slash '/' and either of these time units - second, minute, hour or day eg. 1/second implies rule to be matched at an average of once per second" +comp_help:Format for rate : integer/time unit +any one of second, minute, hour or day may be used to specify time unit +eg. 1/second implies rule to be matched at an average of once per second diff --git a/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def index 2739faa..307e602 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def @@ -1,3 +1,4 @@ type: u32 +default: 1 help: Set maximum number of packets to allow in excess of rate syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero" diff --git a/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def index de22a6f..7a3b7d0 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def @@ -5,3 +5,6 @@ syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ a forward slash '/' and either of these time units - second, minute, hour or day eg. 1/second implies rule to be matched at an average of once per second" +comp_help:Format for rate : integer/time unit +any one of second, minute, hour or day may be used to specify time unit +eg. 1/second implies rule to be matched at an average of once per second |