Commit a76485ae authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

FilterLimit: non-updating limits

parent 61f712fd
......@@ -223,16 +223,18 @@ classes](#log), the limit is considered absolute by default.
The packet rates contributing to the limit may be summed over multiple
[filters](#filter). This can be achieved by setting the optional
**name** attribute to equal values among the related limits. Named
limits may be specific only to fixed-size blocks of either the source
or the destination address, not both. However, the address to be
considered may vary among the rules using the limit and may be
selected by setting an attribute named **addr** to either **src**
(default) or **dest**. By default, all bits of the selected address
are taken into account, but address family–specific prefix
lengths can be set via the top-level **limit** dictionary, where the
keys correspond to limit names and values follow the syntax of
**src-mask** and **dest-mask**.
**name** attribute to equal values among the related limits. If the
**update** attribute is set to **false** (boolean), the rates measured
at this limit are not included in the sum, but the referred sum is
used to make the limiting decision. Named limits may be specific only
to fixed-size blocks of either the source or the destination address,
not both. However, the address to be considered may vary among the
rules using the limit and may be selected by setting an attribute
named **addr** to either **src** (default) or **dest**. By default,
all bits of the selected address are taken into account, but address
family–specific prefix lengths can be set via the top-level
**limit** dictionary, where the keys correspond to limit names and
values follow the syntax of **src-mask** and **dest-mask**.
### <a name="log"></a>Logging Classes
......
......@@ -34,6 +34,9 @@ function FilterLimit:initmask()
local limits = self.root.limit
self[(self.addr or 'src')..'-mask'] = limits and limits[self.name] or true
elseif self.update ~= nil then
self:error('Attribute allowed only with named limits: update')
end
FilterLimit.super(self):initmask()
......@@ -54,8 +57,9 @@ function FilterLimit:recentofrags(name)
if count > RECENT_MAX_COUNT then return end
local update = self.update ~= false
local cofs = {}
local sofs = {}
local sofs = update and {} or nil
for _, family in ipairs{'inet', 'inet6'} do
local attr, len = self:maskmode(family)
......@@ -95,10 +99,13 @@ function FilterLimit:recentofrags(name)
cofs,
combinations(
rec,
{{match='--update --hitcount '..count..' --seconds '..interval}}
{
{match='--'..(update and 'update' or 'rcheck')..' --hitcount '..
count..' --seconds '..interval}
}
)
)
extend(sofs, combinations(rec, {{match='--set'}}))
if sofs then extend(sofs, combinations(rec, {{match='--set'}})) end
end
return cofs, sofs
......@@ -389,7 +396,7 @@ function Filter:mangleoptfrags(ofrags)
if ct then
extend(ofs, self:actofrags(self.log))
nxt = target
elseif not pl then nxt = false end
elseif sofs and not pl then nxt = false end
extend(ofs, combinations(sofs, self:actofrags(pl, nxt)))
else
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment