Commit a76485ae authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

FilterLimit: non-updating limits

parent 61f712fd
...@@ -223,16 +223,18 @@ classes](#log), the limit is considered absolute by default. ...@@ -223,16 +223,18 @@ classes](#log), the limit is considered absolute by default.
The packet rates contributing to the limit may be summed over multiple The packet rates contributing to the limit may be summed over multiple
[filters](#filter). This can be achieved by setting the optional [filters](#filter). This can be achieved by setting the optional
**name** attribute to equal values among the related limits. Named **name** attribute to equal values among the related limits. If the
limits may be specific only to fixed-size blocks of either the source **update** attribute is set to **false** (boolean), the rates measured
or the destination address, not both. However, the address to be at this limit are not included in the sum, but the referred sum is
considered may vary among the rules using the limit and may be used to make the limiting decision. Named limits may be specific only
selected by setting an attribute named **addr** to either **src** to fixed-size blocks of either the source or the destination address,
(default) or **dest**. By default, all bits of the selected address not both. However, the address to be considered may vary among the
are taken into account, but address family–specific prefix rules using the limit and may be selected by setting an attribute
lengths can be set via the top-level **limit** dictionary, where the named **addr** to either **src** (default) or **dest**. By default,
keys correspond to limit names and values follow the syntax of all bits of the selected address are taken into account, but address
**src-mask** and **dest-mask**. family–specific prefix lengths can be set via the top-level
**limit** dictionary, where the keys correspond to limit names and
values follow the syntax of **src-mask** and **dest-mask**.
### <a name="log"></a>Logging Classes ### <a name="log"></a>Logging Classes
......
...@@ -34,6 +34,9 @@ function FilterLimit:initmask() ...@@ -34,6 +34,9 @@ function FilterLimit:initmask()
local limits = self.root.limit local limits = self.root.limit
self[(self.addr or 'src')..'-mask'] = limits and limits[self.name] or true self[(self.addr or 'src')..'-mask'] = limits and limits[self.name] or true
elseif self.update ~= nil then
self:error('Attribute allowed only with named limits: update')
end end
FilterLimit.super(self):initmask() FilterLimit.super(self):initmask()
...@@ -54,8 +57,9 @@ function FilterLimit:recentofrags(name) ...@@ -54,8 +57,9 @@ function FilterLimit:recentofrags(name)
if count > RECENT_MAX_COUNT then return end if count > RECENT_MAX_COUNT then return end
local update = self.update ~= false
local cofs = {} local cofs = {}
local sofs = {} local sofs = update and {} or nil
for _, family in ipairs{'inet', 'inet6'} do for _, family in ipairs{'inet', 'inet6'} do
local attr, len = self:maskmode(family) local attr, len = self:maskmode(family)
...@@ -95,10 +99,13 @@ function FilterLimit:recentofrags(name) ...@@ -95,10 +99,13 @@ function FilterLimit:recentofrags(name)
cofs, cofs,
combinations( combinations(
rec, rec,
{{match='--update --hitcount '..count..' --seconds '..interval}} {
{match='--'..(update and 'update' or 'rcheck')..' --hitcount '..
count..' --seconds '..interval}
}
) )
) )
extend(sofs, combinations(rec, {{match='--set'}})) if sofs then extend(sofs, combinations(rec, {{match='--set'}})) end
end end
return cofs, sofs return cofs, sofs
...@@ -389,7 +396,7 @@ function Filter:mangleoptfrags(ofrags) ...@@ -389,7 +396,7 @@ function Filter:mangleoptfrags(ofrags)
if ct then if ct then
extend(ofs, self:actofrags(self.log)) extend(ofs, self:actofrags(self.log))
nxt = target nxt = target
elseif not pl then nxt = false end elseif sofs and not pl then nxt = false end
extend(ofs, combinations(sofs, self:actofrags(pl, nxt))) extend(ofs, combinations(sofs, self:actofrags(pl, nxt)))
else else
......
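Review bot: The new `update` attribute is never type-checked. `initmask` only tests `self.update ~= nil`, and `recentofrags` derives the mode from `self.update ~= false`, so a non-boolean value such as the string `'false'` silently produces an updating limit (`--update` plus `--set`) instead of the intended `--rcheck`. Unless the value is validated outside these hunks, consider rejecting it in the named-limit branch of `initmask`, e.g. `if self.update ~= nil and type(self.update) ~= 'boolean' then self:error('Invalid value for attribute: update') end`. A comment at `local sofs = update and {} or nil` should state that a nil `sofs` means no `--set` rules are emitted, so another limit with the same name has to populate the list; otherwise this limit would presumably never match. Both function bodies extend beyond the hunks shown.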