From 005b6f7b45fc62ab6297e09657bf82b1a81efbe2 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 31 Jul 2010 07:19:41 -0700
Subject: [PATCH] Use new hashlimit match syntax if available

---
 Shorewall/Perl/Shorewall/Chains.pm | 20 +++++++++++++-------
 Shorewall/Perl/Shorewall/Config.pm |  6 +++++-
 Shorewall/changelog.txt            |  2 ++
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 1b264ced9..73f2d9b1d 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2207,16 +2207,19 @@ sub do_ratelimit( $$ ) {
     my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
     my $units;
 
-    if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
-        $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
+    if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+        fatal_error "Invalid Rate ($3)" unless $4;
+        fatal_error "Invalid Burst ($7)" unless $7;
+        $limit .= "--hashlimit $3 --hashlimit-burst $7 --hashlimit-name ";
         $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
         $limit .= ' --hashlimit-mode ';
-        $units = $5;
-    } elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
+        $units = $6;
+    } elsif ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?)$/ ) {
+        fatal_error "Invalid Rate ($3)" unless $4;
         $limit .= "--$match $3 --hashlimit-name ";
         $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
         $limit .= ' --hashlimit-mode ';
-        $units = $5;
+        $units = $6;
     } else {
         fatal_error "Invalid rate ($rate)";
     }
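Review bot: The burst branch still emits the literal `--hashlimit $3` while `$match` (computed on the hunk's first context line) is only used in the no-burst `elsif`; since the commit's purpose is to prefer `hashlimit-upto` when available, the first branch should read `$limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";` unless the old spelling is deliberately kept for the burst form, in which case a comment saying so would help. The new `unless $4` / `unless $7` guards test string truth, so `0` is rejected but `00` or `000` pass through to iptables; `unless $4 > 0` (and likewise for `$7` here and for `$2`, `$5` and `$1` in the second hunk of this file) rejects every zero value. do_ratelimit begins before and ends after this hunk.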
@@ -2235,9 +2238,12 @@ sub do_ratelimit( $$ ) {
         }
 
         $limit;
-    } elsif ( $rate =~ /^(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
-        "-m limit --limit $1 --limit-burst $4 ";
+    } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
+        fatal_error "Invalid Rate ($1)" unless $2;
+        fatal_error "Invalid Burst ($5)" unless $5;
+        "-m limit --limit $1 --limit-burst $5 ";
     } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ ) {
+        fatal_error "Invalid Rate (${1}${2})" unless $1;
         "-m limit --limit $rate ";
     } else {
         fatal_error "Invalid rate ($rate)";
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 7fb448a84..470516577 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -2318,7 +2318,11 @@ sub Comments() {
 }
 
 sub Hashlimit_Match() {
-    have_capability 'OLD_HL_MATCH' || qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+    if ( qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ) ) {
+        ! ( $capabilities{OLD_HL_MATCH} = 0 );
+    } else {
+        have_capability 'OLD_HL_MATCH';
+    }
 }
 
 sub Old_Hashlimit_Match() {
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 5b6e9cc9b..bb9ee7466 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -10,6 +10,8 @@ Changes in Shorewall 4.4.12
 
 5) Add per-ip log rate limiting.
 
+6) Use new hashlimit match syntax if available.
+
 Changes in Shorewall 4.4.11
 
 1) Apply patch from Gabriel.
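Review bot: In the last `elsif`, `fatal_error "Invalid Rate (${1}${2})" unless $1;` interpolates `$2`, which is undef whenever the rate carries no `/unit` suffix, so a bare `0` rate triggers an "uninitialized value" warning on top of the intended error. Because `$rate` has just matched in full, `fatal_error "Invalid Rate ($rate)" unless $1;` reports the same value without the warning, and matches the wording of the `else` branch below. do_ratelimit starts before this hunk.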
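Review bot: `! ( $capabilities{OLD_HL_MATCH} = 0 );` in Hashlimit_Match folds a side effect into the return value and reads like a typo; writing it as `$capabilities{OLD_HL_MATCH} = 0;` followed by `return 1;`, with `return have_capability 'OLD_HL_MATCH';` in the else branch, makes the intent explicit. A short comment above the `if`, e.g. `# Probe the new --hashlimit-upto syntax first; if it works, record that the old syntax is not needed`, would also help, since the lazy evaluation that have_capability presumably performs for OLD_HL_MATCH is not visible in this hunk.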