This wasn't covered so far.
Signed-off-by: Florian Westphal
---
Warning: Requires the scanner.l fix to make 'drop' (verdicts) parseable even in rate scan state.
tests/shell/testcases/packetpath/rate_limit | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/tests/shell/testcases/packetpath/rate_limit b/tests/shell/testcases/packetpath/rate_limit
index e0a8abc96ae3..c431c11a4c24 100755
--- a/tests/shell/testcases/packetpath/rate_limit
+++ b/tests/shell/testcases/packetpath/rate_limit
@@ -134,3 +134,20 @@ assert_fail result "tcp connection limit rate 1/sec burst 1 reject"
 sleep 1
 ip netns exec $C socat -u - TCP:${ip_sc}:80,reuseport,connect-timeout=1 <<< 'AAA'
 assert_pass result "tcp connection limit rate 1/sec burst 1 accept"
+
+ip netns exec $S $NFT flush chain filter in_tcp
+assert_pass "flush chain"
+
+ip netns exec $S $NFT add rule filter in_tcp iifname s_c tcp dport 80 limit rate over 1 mbytes/second drop
+assert_pass "limit rate"
+
+s=$(date +%s)
+dd if=/dev/zero bs=1M count=10 | ip netns exec $C socat -u - TCP:${ip_sc}:80,reuseport,connect-timeout=1
+e=$(date +%s)
+d=$((e-s))
+if [ $d -ge 5 ] && [ $d -le 11 ];then
+ echo "limit effective (took $d s)"
+else
+ echo "limit not effective (took $d s)"; exit 1
+ exit 1
+fi
--
2.53.0
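Review bot: The exit status of the `dd | socat` pipeline is never checked, so the new test decides pass or fail on elapsed wall-clock time alone. Unless errexit is enabled outside this hunk, a transfer that aborts after five to eleven seconds would still print "limit effective". Consider failing explicitly when socat returns non-zero, for example by ending that line with `|| { echo "transfer failed"; exit 1; }`, so the timing window only judges completed transfers. The second `exit 1` in the else branch is unreachable after `echo ...; exit 1` and can be dropped. The 5 to 11 s window measured with one-second `date +%s` resolution may also be tight on a loaded test host; the listener and the `assert_pass` helper are defined outside the hunk, so this is based on the visible lines only.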