author: Pablo Neira Ayuso, 2018-05-16 22:58:33 +0200
committer: Pablo Neira Ayuso, 2018-05-23 09:50:28 +0200
commit: 3e0f64b7dd3149f75e8652ff1df56cffeedc8fc1
tree: f5ed936c6660e06ceda2ccace703f2b3993c0df3 /net/netfilter/ipvs/ip_vs_ctl.c
parent: netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval

netfilter: nft_limit: fix packet ratelimiting

Credit calculations for the packet ratelimiting are not correct, as per the applied ratelimit of 25/second and burst 8, a total of 33 packets should have been accepted. This is true in iptables(33) but not in nftables (~65). For packet ratelimiting, use:

	div_u64(limit->nsecs, limit->rate) * limit->burst;

to calculate credit, just like in iptables' xt_limit does.

Moreover, use default burst in iptables, users are expecting similar behaviour.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'net/netfilter/ipvs/ip_vs_ctl.c')
0 files changed, 0 insertions, 0 deletions
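
The credit formula from the commit message can be checked with a small userspace token bucket. This is an added example, not code from the kernel tree or from the commit; the struct and function names are hypothetical. It assumes each packet costs nsecs / rate of credit and that credit refills at one nanosecond per nanosecond elapsed.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model of a packet token bucket; all names are hypothetical. */
struct pkt_limit {
	uint64_t tokens;     /* current credit, in ns */
	uint64_t tokens_max; /* bucket size, in ns */
	uint64_t cost;       /* credit charged per accepted packet, in ns */
	uint64_t last;       /* arrival time of the previous packet, in ns */
};

static void pkt_limit_init(struct pkt_limit *l, uint64_t rate, uint32_t burst)
{
	uint64_t nsecs = 1000000000ULL; /* rate unit: one second, in ns */
	/* Credit formula quoted in the commit message. */
	l->tokens_max = (nsecs / rate) * burst;
	l->tokens = l->tokens_max;      /* start with a full bucket */
	l->cost = nsecs / rate;         /* assumption: one rate slot per packet */
	l->last = 0;
}

/* Returns 1 if a packet arriving at time now (ns) is accepted, else 0. */
static int pkt_limit_accept(struct pkt_limit *l, uint64_t now)
{
	uint64_t tokens = l->tokens + (now - l->last); /* refill since last packet */

	if (tokens > l->tokens_max)
		tokens = l->tokens_max;     /* never exceed the burst credit */
	int ok = tokens >= l->cost;
	l->tokens = ok ? tokens - l->cost : tokens;
	l->last = now;
	return ok;
}

/* Flood one packet per ms from t = 0 through t = end_ms inclusive. */
static unsigned int flood_accepted(uint64_t rate, uint32_t burst, uint64_t end_ms)
{
	struct pkt_limit l;
	unsigned int accepted = 0;
	pkt_limit_init(&l, rate, burst);
	for (uint64_t t = 0; t <= end_ms; t++)
		accepted += pkt_limit_accept(&l, t * 1000000ULL);
	return accepted;
}

int main(void)
{
	printf("25/second burst 8: %u accepted\n", flood_accepted(25, 8, 1000));
	return 0;
}
```

With the constructed flood of one packet per millisecond, the first 8 packets drain the burst credit and one further packet is accepted every 40 ms, giving rate + burst packets through the end of the first second.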