shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-05-31 00:06:41 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
3e0f64b7dd3149f75e8652ff1df56cffeedc8fc1
linux/net/netfilter
History
Pablo Neira Ayuso 3e0f64b7dd netfilter: nft_limit: fix packet ratelimiting 
Credit calculations for the packet ratelimiting are not correct, as per
the applied ratelimit of 25/second and burst 8, a total of 33 packets
should have been accepted.  This is true in iptables(33) but not in
nftables (~65). For packet ratelimiting, use:

	div_u64(limit->nsecs, limit->rate) * limit->burst;

to calculate credit, just like in iptables' xt_limit does.

Moreover, use default burst in iptables, users are expecting similar
behaviour.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-05-23 09:50:28 +02:00
..
ipset
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2018-03-30 11:41:18 -04:00
ipvs
ipvs: fix stats update from local clients
2018-05-08 14:15:21 +02:00
core.c
netfilter: core: add missing __rcu annotation
2018-05-08 14:15:30 +02:00
Kconfig
netfilter: fix CONFIG_NF_REJECT_IPV6=m link error
2018-04-16 17:47:25 +02:00
Makefile
netfilter: nf_tables: build-in filter chain type
2018-03-30 11:29:19 +02:00
nf_conncount.c
netfilter: conncount: Support count only use case
2018-03-20 13:27:18 +01:00
nf_conntrack_acct.c
netfilter: Replace printk() with pr_*() and define pr_fmt()
2018-03-20 13:44:14 +01:00
nf_conntrack_amanda.c
netfilter: use nf_conntrack_helpers_register when possible
2017-06-19 19:13:21 +02:00
nf_conntrack_broadcast.c
netfilter: nf_conntrack_broadcast: remove useless parameter
2018-03-05 23:15:43 +01:00
nf_conntrack_core.c
net: Remove rtnl_lock() in nf_ct_iterate_destroy()
2018-03-29 13:47:54 -04:00
nf_conntrack_ecache.c
netfilter: Replace printk() with pr_*() and define pr_fmt()
2018-03-20 13:44:14 +01:00
nf_conntrack_expect.c
netfilter: nf_conntrack_sip: allow duplicate SDP expectations
2018-04-09 17:05:27 +02:00
nf_conntrack_extend.c
netfilter: conntrack: include kmemleak.h for kmemleak_not_leak()
2018-04-17 10:59:43 +02:00
nf_conntrack_ftp.c
netfilter: helpers: remove data_len usage for inkernel helpers
2017-04-19 17:55:17 +02:00
nf_conntrack_h323_asn1.c
netfilter: nf_conntrack_h323: Remove unwanted comments.
2018-01-08 18:01:05 +01:00
nf_conntrack_h323_main.c
netfilter: move route indirection to struct nf_ipv6_ops
2018-01-08 18:01:26 +01:00
nf_conntrack_h323_types.c
[NETFILTER]: nf_conntrack_h323: constify and annotate H.323 helper
2008-01-31 19:28:07 -08:00
nf_conntrack_helper.c
netfilter: expect: add and use nf_ct_expect_iterate helpers
2017-07-31 19:09:38 +02:00
nf_conntrack_irc.c
netfilter: helpers: remove data_len usage for inkernel helpers
2017-04-19 17:55:17 +02:00
nf_conntrack_l3proto_generic.c
netfilter: conntrack: place print_tuple in procfs part
2017-08-24 18:52:32 +02:00
nf_conntrack_labels.c
netfilter: conntrack: mark extension structs as const
2017-04-26 09:30:22 +02:00
nf_conntrack_netbios_ns.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2018-03-30 11:41:18 -04:00
nf_conntrack_netlink.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2018-03-30 11:41:18 -04:00
nf_conntrack_pptp.c
netfilter: Remove duplicated rcu_read_lock.
2017-07-24 13:24:46 +02:00
nf_conntrack_proto_dccp.c
netfilter: conntrack: l4 protocol trackers can be const
2018-01-08 18:00:54 +01:00
nf_conntrack_proto_generic.c
netfilter: conntrack: timeouts can be const
2018-01-08 18:01:02 +01:00
nf_conntrack_proto_gre.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nf_conntrack_proto_sctp.c
netfilter: conntrack: timeouts can be const
2018-01-08 18:01:02 +01:00
nf_conntrack_proto_tcp.c
netfilter: Fix handling simultaneous open in TCP conntrack
2018-04-27 00:39:29 +02:00
nf_conntrack_proto_udp.c
netfilter: conntrack: timeouts can be const
2018-01-08 18:01:02 +01:00
nf_conntrack_proto.c
netfilter: conntrack: constify list of builtin trackers
2018-01-08 16:47:14 +01:00
nf_conntrack_sane.c
netfilter: helpers: remove data_len usage for inkernel helpers
2017-04-19 17:55:17 +02:00
nf_conntrack_seqadj.c
netfilter: conntrack: mark extension structs as const
2017-04-26 09:30:22 +02:00
nf_conntrack_sip.c
netfilter: nf_conntrack_sip: allow duplicate SDP expectations
2018-04-09 17:05:27 +02:00
nf_conntrack_snmp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2018-03-30 11:41:18 -04:00
nf_conntrack_standalone.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nf_conntrack_tftp.c
netfilter: helpers: remove data_len usage for inkernel helpers
2017-04-19 17:55:17 +02:00
nf_conntrack_timeout.c
netfilter: conntrack: mark extension structs as const
2017-04-26 09:30:22 +02:00
nf_conntrack_timestamp.c
netfilter: Replace printk() with pr_*() and define pr_fmt()
2018-03-20 13:44:14 +01:00
nf_dup_netdev.c
netfilter: dup: resolve warnings about missing prototypes
2017-05-29 11:32:36 +02:00
nf_flow_table_inet.c
netfilter: nf_tables: fix flowtable free
2018-02-07 00:58:57 +01:00
nf_flow_table.c
netfilter: nf_flow_offload: fix use-after-free and a resource leak
2018-02-07 11:55:52 +01:00
nf_internals.h
netfilter: core: remove synchronize_net call if nfqueue is used
2018-01-08 18:01:06 +01:00
nf_log_common.c
netfilter: nf_log: do not assume ethernet header in netdev family
2016-12-04 20:45:33 +01:00
nf_log_netdev.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nf_log.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nf_nat_amanda.c
netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean
2017-04-06 22:01:38 +02:00
nf_nat_core.c
netfilter: Replace printk() with pr_*() and define pr_fmt()
2018-03-20 13:44:14 +01:00
nf_nat_ftp.c
netfilter: Replace printk() with pr_*() and define pr_fmt()
2018-03-20 13:44:14 +01:00
nf_nat_helper.c
netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean
2017-04-06 22:01:38 +02:00
nf_nat_irc.c
netfilter: Replace printk() with pr_*() and define pr_fmt()
2018-03-20 13:44:14 +01:00
nf_nat_proto_common.c
netfilter: nat: cope with negative port range
2018-02-14 21:05:40 +01:00
nf_nat_proto_dccp.c
netfilter: built-in NAT support for DCCP
2016-12-04 20:45:30 +01:00
nf_nat_proto_sctp.c
sctp: remove the typedef sctp_sctphdr_t
2017-07-01 09:08:41 -07:00
nf_nat_proto_tcp.c
net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool
2015-08-17 21:33:06 -07:00
nf_nat_proto_udp.c
netfilter: nat: merge udp and udplite helpers
2017-01-03 14:33:25 +01:00
nf_nat_proto_unknown.c
netfilter: add protocol independent NAT core
2012-08-30 03:00:14 +02:00
nf_nat_redirect.c
net: Replace NF_CT_ASSERT() with WARN_ON().
2017-09-04 13:25:19 +02:00
nf_nat_sip.c
netfilter: replace strnicmp with strncasecmp
2014-10-14 02:18:24 +02:00
nf_nat_tftp.c
netfilter: nf_ct_helper: better logging for dropped packets
2013-02-19 02:48:05 +01:00
nf_queue.c
netfilter: remove duplicated include
2018-01-10 15:32:15 +01:00
nf_sockopt.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
nf_synproxy_core.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nf_tables_api.c
netfilter: nf_tables: fix memory leak on error exit return
2018-05-14 00:21:59 +02:00
nf_tables_core.c
netfilter: nf_tables: don't assume chain stats are set when jumplabel is set
2018-05-08 14:15:33 +02:00
nf_tables_trace.c
netfilter: nf_tables: Allow chain name of up to 255 chars
2017-07-31 20:41:57 +02:00
nfnetlink_acct.c
netfilter: prefer nla_strlcpy for dealing with NLA_STRING attributes
2018-05-08 14:15:31 +02:00
nfnetlink_cthelper.c
netfilter: prefer nla_strlcpy for dealing with NLA_STRING attributes
2018-05-08 14:15:31 +02:00
nfnetlink_cttimeout.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nfnetlink_log.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nfnetlink_queue.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nfnetlink.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nft_bitwise.c
netfilter: nf_tables: revisit chain/object refcounting from elements
2017-05-15 12:51:41 +02:00
nft_byteorder.c
netfilter: nf_tables: simplify the basic expressions' init routine
2016-11-09 23:42:23 +01:00
nft_chain_filter.c
netfilter: nf_tables: build-in filter chain type
2018-03-30 11:29:19 +02:00
nft_cmp.c
netfilter: mark expected switch fall-throughs
2018-01-08 18:01:01 +01:00
nft_compat.c
netfilter: nft_compat: fix handling of large matchinfo size
2018-05-09 10:09:27 +02:00
nft_counter.c
netfilter: nf_tables: add select_ops for stateful objects
2017-09-04 13:25:09 +02:00
nft_ct.c
netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump()
2018-05-17 13:03:46 +02:00
nft_dup_netdev.c
netfilter: nf_tables: add packet duplication to the netdev family
2016-01-03 21:04:23 +01:00
nft_dynset.c
netfilter: nf_tables: rename to nft_set_lookup_global()
2018-03-30 11:29:20 +02:00
nft_exthdr.c
netfilter: exthdr: add missign attributes to policy
2017-12-11 13:46:04 +01:00
nft_fib_inet.c
netfilter: nf_tables: use hook state from xt_action_param structure
2016-11-03 11:52:34 +01:00
nft_fib_netdev.c
netfilter: nf_tables: add fib expression to the netdev family
2017-07-31 19:01:40 +02:00
nft_fib.c
netfilter: nft_fib: Support existence check
2017-03-13 13:45:36 +01:00
nft_flow_offload.c
netfilter: nft_flow_offload: move flowtable cleanup routines to nf_flow_table
2018-02-07 00:58:57 +01:00
nft_fwd_netdev.c
netfilter: add and use nf_fwd_netdev_egress
2016-12-06 21:48:22 +01:00
nft_hash.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2017-05-01 10:47:53 -04:00
nft_immediate.c
netfilter: nf_tables: bogus EBUSY in chain deletions
2018-05-09 10:09:30 +02:00
nft_limit.c
netfilter: nft_limit: fix packet ratelimiting
2018-05-23 09:50:28 +02:00
nft_log.c
netfilter: nf_tables: add single table list for all families
2018-01-10 15:32:08 +01:00
nft_lookup.c
netfilter: nf_tables: rename to nft_set_lookup_global()
2018-03-30 11:29:20 +02:00
nft_masq.c
netfilter: nf_tables: add single table list for all families
2018-01-10 15:32:08 +01:00
nft_meta.c
netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval
2018-05-23 09:29:05 +02:00
nft_nat.c
netfilter: nf_tables: add single table list for all families
2018-01-10 15:32:08 +01:00
nft_numgen.c
netfilter: Remove exceptional & on function name
2017-04-07 18:24:47 +02:00
nft_objref.c
netfilter: nf_tables: rename to nft_set_lookup_global()
2018-03-30 11:29:20 +02:00
nft_payload.c
netfilter: fix a few (harmless) sparse warnings
2017-08-28 17:42:56 +02:00
nft_queue.c
netfilter: Remove exceptional & on function name
2017-04-07 18:24:47 +02:00
nft_quota.c
netfilter: nf_tables: add select_ops for stateful objects
2017-09-04 13:25:09 +02:00
nft_range.c
netfilter: nf_tables: revisit chain/object refcounting from elements
2017-05-15 12:51:41 +02:00
nft_redir.c
netfilter: nf_tables: add single table list for all families
2018-01-10 15:32:08 +01:00
nft_reject_inet.c
netfilter: nf_tables: validate the expr explicitly after init successfully
2017-03-06 18:22:12 +01:00
nft_reject.c
netfilter: nf_tables: validate the expr explicitly after init successfully
2017-03-06 18:22:12 +01:00
nft_rt.c
netfilter: move route indirection to struct nf_ipv6_ops
2018-01-08 18:01:26 +01:00
nft_set_bitmap.c
netfilter: nf_tables: get set elements via netlink
2017-11-07 01:00:31 +01:00
nft_set_hash.c
netfilter: nf_tables: meter: pick a set backend that supports updates
2018-03-20 13:52:10 +01:00
nft_set_rbtree.c
netfilter: nf_tables: get set elements via netlink
2017-11-07 01:00:31 +01:00
utils.c
netfilter: move reroute indirection to struct nf_ipv6_ops
2018-01-08 18:10:53 +01:00
x_tables.c
netfilter: x_tables: check name length in find_match/target, too
2018-04-27 00:40:11 +02:00
xt_addrtype.c
netfilter: x_tables: use pr ratelimiting in matches/targets
2018-02-14 21:05:37 +01:00
xt_AUDIT.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_bpf.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_cgroup.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_CHECKSUM.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_CLASSIFY.c
netfilter: xt_CLASSIFY: add ARP support, allow CLASSIFY target on any table
2010-11-15 13:57:56 +01:00
xt_cluster.c
netfilter: xt_cluster: get rid of xt_cluster_ipv6_is_multicast
2018-03-05 23:15:43 +01:00
xt_comment.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_connbytes.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_connlabel.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_connlimit.c
netfilter: Refactor nf_conncount
2018-03-20 13:27:17 +01:00
xt_connmark.c
netfilter: xt_connmark: do not cast xt_connmark_tginfo1 to xt_connmark_tginfo2
2018-04-19 16:19:28 +02:00
xt_CONNSECMARK.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_conntrack.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_cpu.c
netfilter: xtables: add missing aliases for autoloading via iptables
2011-01-18 06:33:54 +01:00
xt_CT.c
netfilter: xt_CT: use pr ratelimiting
2018-02-14 21:05:34 +01:00
xt_dccp.c
netfilter: xtables: change hotdrop pointer to direct modification
2010-05-11 18:35:27 +02:00
xt_devgroup.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_dscp.c
netfilter: x_tables: remove pr_info where possible
2018-02-14 21:05:33 +01:00
xt_DSCP.c
netfilter: x_tables: remove pr_info where possible
2018-02-14 21:05:33 +01:00
xt_ecn.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_esp.c
netfilter: xtables: change hotdrop pointer to direct modification
2010-05-11 18:35:27 +02:00
xt_hashlimit.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2018-03-30 11:41:18 -04:00
xt_helper.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_hl.c
netfilter: Reduce switch/case indent
2011-07-01 16:11:15 -07:00
xt_HL.c
netfilter: x_tables: remove pr_info where possible
2018-02-14 21:05:33 +01:00
xt_HMARK.c
netfilter: x_tables: use pr ratelimiting in matches/targets
2018-02-14 21:05:37 +01:00
xt_IDLETIMER.c
net: Use octal not symbolic permissions
2018-03-26 12:07:48 -04:00
xt_ipcomp.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_iprange.c
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
2011-02-04 14:28:58 -08:00
xt_ipvs.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_l2tp.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_LED.c
netfilter: x_tables: fix missing timer initialization in xt_LED
2018-02-14 21:05:39 +01:00
xt_length.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_limit.c
netfilter: xt_limit: Spelling s/maxmum/maximum/
2018-03-05 23:15:50 +01:00
xt_LOG.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_mac.c
netfilter: Convert compare_ether_addr to ether_addr_equal
2012-05-09 20:49:18 -04:00
xt_mark.c
netfilter: xt_MARK: Add ARP support
2015-05-14 13:00:27 +02:00
xt_multiport.c
netfilter: xt_multiport: Fix wrong unmatch result with multiple ports
2016-12-06 21:48:20 +01:00
xt_nat.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_NETMAP.c
net: Replace NF_CT_ASSERT() with WARN_ON().
2017-09-04 13:25:19 +02:00
xt_nfacct.c
netfilter: nfnetlink_acct: remove useless parameter
2018-03-05 23:15:43 +01:00
xt_NFLOG.c
netfilter: x_tables: move hook state into xt_action_param structure
2016-11-03 10:56:21 +01:00
xt_NFQUEUE.c
netfilter: xt_NFQUEUE: use pr ratelimiting
2018-02-14 21:05:35 +01:00
xt_osf.c
netfilter: xt_osf: Add missing permission checks
2017-12-06 09:01:18 +01:00
xt_owner.c
sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h>
2017-03-02 08:42:31 +01:00
xt_physdev.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_pkttype.c
netfilter: pkttype: unnecessary to check ipv6 multicast address
2017-01-18 20:32:43 +01:00
xt_policy.c
netfilter: x_tables: use pr ratelimiting in matches/targets
2018-02-14 21:05:37 +01:00
xt_quota.c
xtables: extend matches and targets with .usersize
2017-01-09 17:24:55 +01:00
xt_rateest.c
netfilter: make xt_rateest hash table per net
2018-03-05 23:15:44 +01:00
xt_RATEEST.c
netfilter: make xt_rateest hash table per net
2018-03-05 23:15:44 +01:00
xt_realm.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00
xt_recent.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
xt_REDIRECT.c
netfilter: nat: add dependencies on conntrack module
2016-12-04 21:16:51 +01:00
xt_repldata.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
xt_sctp.c
sctp: remove the typedef sctp_chunkhdr_t
2017-07-01 09:08:41 -07:00
xt_SECMARK.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_set.c
netfilter: xt_set: use pr ratelimiting
2018-02-14 21:05:35 +01:00
xt_socket.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_state.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_statistic.c
netfilter: x_tables: fix pointer leaks to userspace
2018-01-31 14:59:24 +01:00
xt_string.c
netfilter: ebtables: Add string filter
2018-03-30 11:04:12 +02:00
xt_tcpmss.c
netfilter: xtables: change hotdrop pointer to direct modification
2010-05-11 18:35:27 +02:00
xt_TCPMSS.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_TCPOPTSTRIP.c
net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool
2015-08-17 21:33:06 -07:00
xt_tcpudp.c
netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF
2016-07-03 10:55:07 +02:00
xt_TEE.c
netfilter: Rework xt_TEE netdevice notifier
2018-03-30 10:59:23 -04:00
xt_time.c
netfilter: Replace printk() with pr_*() and define pr_fmt()
2018-03-20 13:44:14 +01:00
xt_TPROXY.c
netfilter: x_tables: use pr ratelimiting in all remaining spots
2018-02-14 21:05:38 +01:00
xt_TRACE.c
netfilter: xt_TRACE: add explicitly nf_logger_find_get call
2016-06-23 13:26:49 +02:00
xt_u32.c
netfilter: xtables: deconstify struct xt_action_param for matches
2010-05-11 18:33:37 +02:00