mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-24 23:28:59 +01:00
Move origin handling into log_[i]rule_limit
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
57288086bf
commit
039fd6ddd8
@ -2426,7 +2426,7 @@ sub add_ijump_internal( $$$$$;@ ) {
|
|||||||
my ( $target ) = split ' ', $to;
|
my ( $target ) = split ' ', $to;
|
||||||
$toref = $chain_table{$fromref->{table}}{$target};
|
$toref = $chain_table{$fromref->{table}}{$target};
|
||||||
fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target};
|
fatal_error "Unknown rule target ($to)" unless $toref || $builtin_target{$target};
|
||||||
$origin ||= $fromref->{origin} if $config{TRACK_RULES} eq 'File';
|
$origin ||= $fromref->{origin} if $config{TRACK_RULES};
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -2436,7 +2436,7 @@ sub add_ijump_internal( $$$$$;@ ) {
|
|||||||
$toref->{referenced} = 1;
|
$toref->{referenced} = 1;
|
||||||
add_reference $fromref, $toref;
|
add_reference $fromref, $toref;
|
||||||
$jump = 'j' unless have_capability 'GOTO_TARGET';
|
$jump = 'j' unless have_capability 'GOTO_TARGET';
|
||||||
$origin ||= $toref->{origin} if $config{TRACK_RULES} eq 'File';
|
$origin ||= $toref->{origin} if $config{TRACK_RULES};
|
||||||
$ruleref = create_irule ($fromref, $jump => $to, @matches );
|
$ruleref = create_irule ($fromref, $jump => $to, @matches );
|
||||||
} else {
|
} else {
|
||||||
$ruleref = create_irule( $fromref, 'j' => $to, @matches );
|
$ruleref = create_irule( $fromref, 'j' => $to, @matches );
|
||||||
@ -2752,7 +2752,7 @@ sub ensure_manual_chain($) {
|
|||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub log_irule_limit( $$$$$$$@ );
|
sub log_irule_limit( $$$$$$$$@ );
|
||||||
|
|
||||||
sub ensure_blacklog_chain( $$$$$ ) {
|
sub ensure_blacklog_chain( $$$$$ ) {
|
||||||
my ( $target, $disposition, $level, $tag, $audit ) = @_;
|
my ( $target, $disposition, $level, $tag, $audit ) = @_;
|
||||||
@ -2763,7 +2763,7 @@ sub ensure_blacklog_chain( $$$$$ ) {
|
|||||||
$target =~ s/A_//;
|
$target =~ s/A_//;
|
||||||
$target = 'reject' if $target eq 'REJECT';
|
$target = 'reject' if $target eq 'REJECT';
|
||||||
|
|
||||||
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add' );
|
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , $tag, 'add', '' );
|
||||||
|
|
||||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||||
add_ijump( $logchainref, g => $target );
|
add_ijump( $logchainref, g => $target );
|
||||||
@ -2778,7 +2778,7 @@ sub ensure_audit_blacklog_chain( $$$ ) {
|
|||||||
unless ( $filter_table->{A_blacklog} ) {
|
unless ( $filter_table->{A_blacklog} ) {
|
||||||
my $logchainref = new_manual_chain 'A_blacklog';
|
my $logchainref = new_manual_chain 'A_blacklog';
|
||||||
|
|
||||||
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' );
|
log_irule_limit( $level , $logchainref , 'blacklst' , $disposition , $globals{LOGILIMIT} , '', 'add' , '' );
|
||||||
|
|
||||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
|
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
|
||||||
|
|
||||||
@ -4286,7 +4286,8 @@ sub logchain( $$$$$$ ) {
|
|||||||
$disposition ,
|
$disposition ,
|
||||||
[] ,
|
[] ,
|
||||||
$logtag,
|
$logtag,
|
||||||
'add' );
|
'add',
|
||||||
|
'' );
|
||||||
add_jump( $logchainref, $target, 0, $exceptionrule );
|
add_jump( $logchainref, $target, 0, $exceptionrule );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -6245,8 +6246,8 @@ sub do_ipsec($$) {
|
|||||||
#
|
#
|
||||||
# Generate a log message
|
# Generate a log message
|
||||||
#
|
#
|
||||||
sub log_rule_limit( $$$$$$$$ ) {
|
sub log_rule_limit( $$$$$$$$;$ ) {
|
||||||
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches ) = @_;
|
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $matches, $origin ) = @_;
|
||||||
|
|
||||||
my $prefix = '';
|
my $prefix = '';
|
||||||
my $chain = get_action_chain_name || $chn;
|
my $chain = get_action_chain_name || $chn;
|
||||||
@ -6339,11 +6340,13 @@ sub log_rule_limit( $$$$$$$$ ) {
|
|||||||
$ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix );
|
$ruleref = insert_rule1 ( $chainref , 0 , $matches . $prefix );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$ruleref->{origin} = $origin if $origin;
|
||||||
|
|
||||||
$ruleref;
|
$ruleref;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub log_irule_limit( $$$$$$$@ ) {
|
sub log_irule_limit( $$$$$$$$@ ) {
|
||||||
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, @matches ) = @_;
|
my ($level, $chainref, $chn, $dispo, $limit, $tag, $command, $origin, @matches ) = @_;
|
||||||
|
|
||||||
my $prefix = '';
|
my $prefix = '';
|
||||||
my %matches;
|
my %matches;
|
||||||
@ -6431,7 +6434,7 @@ sub log_irule_limit( $$$$$$$@ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $command eq 'add' ) {
|
if ( $command eq 'add' ) {
|
||||||
add_ijump_internal ( $chainref, j => $prefix , $original_matches, '', @matches );
|
add_ijump_internal ( $chainref, j => $prefix , $original_matches, $origin, @matches );
|
||||||
} else {
|
} else {
|
||||||
insert_ijump ( $chainref, j => $prefix, 0 , @matches );
|
insert_ijump ( $chainref, j => $prefix, 0 , @matches );
|
||||||
}
|
}
|
||||||
@ -6446,7 +6449,7 @@ sub log_rule( $$$$ ) {
|
|||||||
sub log_irule( $$$;@ ) {
|
sub log_irule( $$$;@ ) {
|
||||||
my ( $level, $chainref, $disposition, @matches ) = @_;
|
my ( $level, $chainref, $disposition, @matches ) = @_;
|
||||||
|
|
||||||
log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', @matches;
|
log_irule_limit $level, $chainref, $chainref->{name} , $disposition, $globals{LOGILIMIT} , '', 'add', '', @matches;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -7456,7 +7459,8 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
|
||||||
[] ,
|
[] ,
|
||||||
$logtag ,
|
$logtag ,
|
||||||
'add' )
|
'add' ,
|
||||||
|
'' )
|
||||||
if $loglevel;
|
if $loglevel;
|
||||||
#
|
#
|
||||||
# Generate Final Rule
|
# Generate Final Rule
|
||||||
|
@ -673,17 +673,15 @@ sub add_common_rules ( $ ) {
|
|||||||
#
|
#
|
||||||
$chainref = new_standard_chain 'sfilter';
|
$chainref = new_standard_chain 'sfilter';
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
log_rule_limit( $level,
|
||||||
my $ruleref = log_rule_limit( $level,
|
$chainref,
|
||||||
$chainref,
|
$chainref->{name},
|
||||||
$chainref->{name},
|
$policy,
|
||||||
$policy,
|
$globals{LOGLIMIT},
|
||||||
$globals{LOGLIMIT},
|
$tag,
|
||||||
$tag,
|
'add',
|
||||||
'add',
|
'',
|
||||||
'' );
|
$origin{SFILTER_LOG_LEVEL} ) if $level ne '';
|
||||||
$ruleref->{origin} = $origin{SFILTER_LOG_LEVEL};
|
|
||||||
}
|
|
||||||
|
|
||||||
add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
|
add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
|
||||||
|
|
||||||
@ -704,17 +702,15 @@ sub add_common_rules ( $ ) {
|
|||||||
|
|
||||||
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
|
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
log_rule_limit( $level,
|
||||||
my $ruleref = log_rule_limit( $level,
|
$chainref,
|
||||||
$chainref,
|
$chainref->{name},
|
||||||
$chainref->{name},
|
$policy,
|
||||||
$policy,
|
$globals{LOGLIMIT},
|
||||||
$globals{LOGLIMIT},
|
$tag,
|
||||||
$tag,
|
'add',
|
||||||
'add',
|
'' ,
|
||||||
'' );
|
$origin ) if $level ne '';
|
||||||
$ruleref->{origin} = $origin;
|
|
||||||
}
|
|
||||||
|
|
||||||
add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit;
|
add_ijump_extended( $chainref, j => 'AUDIT', $origin{SFILTER_DISPOSITION}, targetopts => '--type ' . lc $policy ) if $audit;
|
||||||
|
|
||||||
@ -791,17 +787,15 @@ sub add_common_rules ( $ ) {
|
|||||||
#
|
#
|
||||||
$chainref = ensure_mangle_chain 'rplog';
|
$chainref = ensure_mangle_chain 'rplog';
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
log_rule_limit( $level,
|
||||||
my $ruleref = log_rule_limit( $level,
|
$chainref,
|
||||||
$chainref,
|
$chainref->{name},
|
||||||
$chainref->{name},
|
$policy,
|
||||||
$policy,
|
$globals{LOGLIMIT},
|
||||||
$globals{LOGLIMIT},
|
$tag,
|
||||||
$tag,
|
'add',
|
||||||
'add',
|
'',
|
||||||
'' );
|
$origin{RPFILTER_LOG_LEVEL} );
|
||||||
$ruleref->{origin} = $origin{RPFILTER_LOG_LEVEL};
|
|
||||||
}
|
|
||||||
|
|
||||||
add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
|
add_ijump_extended( $chainref, j => 'AUDIT', $origin, targetopts => '--type ' . lc $policy ) if $audit;
|
||||||
|
|
||||||
@ -860,15 +854,14 @@ sub add_common_rules ( $ ) {
|
|||||||
if ( supplied $config{SMURF_LOG_LEVEL} ) {
|
if ( supplied $config{SMURF_LOG_LEVEL} ) {
|
||||||
my $smurfref = new_chain( 'filter', 'smurflog' );
|
my $smurfref = new_chain( 'filter', 'smurflog' );
|
||||||
|
|
||||||
my $ruleref = log_irule_limit( $config{SMURF_LOG_LEVEL},
|
log_irule_limit( $config{SMURF_LOG_LEVEL},
|
||||||
$smurfref,
|
$smurfref,
|
||||||
'smurfs' ,
|
'smurfs' ,
|
||||||
'DROP',
|
'DROP',
|
||||||
$globals{LOGILIMIT},
|
$globals{LOGILIMIT},
|
||||||
$globals{SMURF_LOG_TAG},
|
$globals{SMURF_LOG_TAG},
|
||||||
'add' );
|
'add',
|
||||||
|
$origin{SMURF_LOG_LEVEL} );
|
||||||
$ruleref->{origin} = $origin{SMURF_LOG_LEVEL};
|
|
||||||
|
|
||||||
add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
|
add_ijump_extended( $smurfref, j => 'AUDIT', $origin, targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
|
||||||
|
|
||||||
@ -1015,16 +1008,15 @@ sub add_common_rules ( $ ) {
|
|||||||
|
|
||||||
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
|
$globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
|
||||||
|
|
||||||
my $ruleref = log_rule_limit( $level,
|
log_rule_limit( $level,
|
||||||
$logflagsref,
|
$logflagsref,
|
||||||
'logflags',
|
'logflags',
|
||||||
$disposition,
|
$disposition,
|
||||||
$globals{LOGLIMIT},
|
$globals{LOGLIMIT},
|
||||||
$tag,
|
$tag,
|
||||||
'add',
|
'add',
|
||||||
'' );
|
'' ,
|
||||||
|
$origin{TCP_FLAGS_LOG_LEVEL} );
|
||||||
$ruleref->{origin} = $origin{TCP_FLAGS_LOG_LEVEL};
|
|
||||||
|
|
||||||
$globals{LOGPARMS} = $savelogparms;
|
$globals{LOGPARMS} = $savelogparms;
|
||||||
|
|
||||||
@ -1301,7 +1293,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
|
|
||||||
run_user_exit2( 'maclog', $chainref );
|
run_user_exit2( 'maclog', $chainref );
|
||||||
|
|
||||||
log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add' if $level ne '';
|
log_irule_limit $level, $chainref , $chain , $disposition, [], $tag, 'add', '' if $level ne '';
|
||||||
add_ijump $chainref, j => $target;
|
add_ijump $chainref, j => $target;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2280,15 +2272,15 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
for my $table ( qw/mangle nat filter/ ) {
|
for my $table ( qw/mangle nat filter/ ) {
|
||||||
for my $chain ( @{$builtins{$table}} ) {
|
for my $chain ( @{$builtins{$table}} ) {
|
||||||
my $ruleref = log_rule_limit( $config{LOGALLNEW} ,
|
log_rule_limit( $config{LOGALLNEW} ,
|
||||||
$chain_table{$table}{$chain} ,
|
$chain_table{$table}{$chain} ,
|
||||||
$table ,
|
$table ,
|
||||||
$chain ,
|
$chain ,
|
||||||
'' ,
|
'' ,
|
||||||
'' ,
|
'' ,
|
||||||
'insert' ,
|
'insert' ,
|
||||||
state_match('NEW') );
|
state_match('NEW') ,
|
||||||
$ruleref->{origin} = $origin;
|
$origin );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -975,7 +975,8 @@ sub setup_syn_flood_chains() {
|
|||||||
'DROP',
|
'DROP',
|
||||||
@{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
|
@{$globals{LOGILIMIT}} ? $globals{LOGILIMIT} : [ limit => "--limit 5/min --limit-burst 5" ] ,
|
||||||
'' ,
|
'' ,
|
||||||
'add' )
|
'add',
|
||||||
|
'' )
|
||||||
if $level ne '';
|
if $level ne '';
|
||||||
add_ijump $synchainref, j => 'DROP';
|
add_ijump $synchainref, j => 'DROP';
|
||||||
}
|
}
|
||||||
@ -1547,11 +1548,11 @@ sub dropBcast( $$$$ ) {
|
|||||||
|
|
||||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||||
if ( $level ne '' ) {
|
if ( $level ne '' ) {
|
||||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
|
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' );
|
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' );
|
||||||
} else {
|
} else {
|
||||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST );
|
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1564,17 +1565,17 @@ sub dropBcast( $$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
incr_cmd_level $chainref;
|
incr_cmd_level $chainref;
|
||||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '$address' ) if $level ne '';
|
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '$address' ) if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => '$address';
|
add_ijump $chainref, j => $target, d => '$address';
|
||||||
decr_cmd_level $chainref;
|
decr_cmd_level $chainref;
|
||||||
add_commands $chainref, 'done';
|
add_commands $chainref, 'done';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => '224.0.0.0/4' if $level ne '';
|
log_irule_limit $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => '224.0.0.0/4' if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
||||||
} else {
|
} else {
|
||||||
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
|
log_irule_limit( $level, $chainref, 'dropBcast' , 'DROP', [], $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1586,8 +1587,8 @@ sub allowBcast( $$$$ ) {
|
|||||||
|
|
||||||
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
|
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
|
||||||
if ( $level ne '' ) {
|
if ( $level ne '' ) {
|
||||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', addrtype => '--dst-type BROADCAST' );
|
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
|
||||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' );
|
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', ''. d => '224.0.0.0/4' );
|
||||||
}
|
}
|
||||||
|
|
||||||
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
|
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
|
||||||
@ -1599,17 +1600,17 @@ sub allowBcast( $$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
incr_cmd_level $chainref;
|
incr_cmd_level $chainref;
|
||||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '$address' ) if $level ne '';
|
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '$address' ) if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => '$address';
|
add_ijump $chainref, j => $target, d => '$address';
|
||||||
decr_cmd_level $chainref;
|
decr_cmd_level $chainref;
|
||||||
add_commands $chainref, 'done';
|
add_commands $chainref, 'done';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', d => '224.0.0.0/4' ) if $level ne '';
|
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' ) if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
add_ijump $chainref, j => $target, d => '224.0.0.0/4';
|
||||||
} else {
|
} else {
|
||||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', d => IPv6_MULTICAST ) if $level ne '';
|
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', '', d => IPv6_MULTICAST ) if $level ne '';
|
||||||
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1619,7 +1620,7 @@ sub dropNotSyn ( $$$$ ) {
|
|||||||
|
|
||||||
my $target = require_audit( 'DROP', $audit );
|
my $target = require_audit( 'DROP', $audit );
|
||||||
|
|
||||||
log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
|
log_irule_limit( $level, $chainref, 'dropNotSyn' , 'DROP', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
|
||||||
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1634,7 +1635,7 @@ sub rejNotSyn ( $$$$ ) {
|
|||||||
$target = require_audit( 'REJECT' , $audit );
|
$target = require_audit( 'REJECT' , $audit );
|
||||||
}
|
}
|
||||||
|
|
||||||
log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', p => '6 ! --syn' ) if $level ne '';
|
log_irule_limit( $level, $chainref, 'rejNotSyn' , 'REJECT', [], $tag, 'add', '', p => '6 ! --syn' ) if $level ne '';
|
||||||
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
add_ijump $chainref , j => $target, p => '6 ! --syn';
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1650,8 +1651,8 @@ sub allowinUPnP ( $$$$ ) {
|
|||||||
my $target = require_audit( 'ACCEPT', $audit );
|
my $target = require_audit( 'ACCEPT', $audit );
|
||||||
|
|
||||||
if ( $level ne '' ) {
|
if ( $level ne '' ) {
|
||||||
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '17 --dport 1900' );
|
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '17 --dport 1900' );
|
||||||
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', p => '6 --dport 49152' );
|
log_irule_limit( $level, $chainref, 'allowinUPnP' , 'ACCEPT', [], $tag, 'add', '', p => '6 --dport 49152' );
|
||||||
}
|
}
|
||||||
|
|
||||||
add_ijump $chainref, j => $target, p => '17 --dport 1900';
|
add_ijump $chainref, j => $target, p => '17 --dport 1900';
|
||||||
@ -1688,7 +1689,7 @@ sub Limit( $$$$ ) {
|
|||||||
|
|
||||||
if ( $level ne '' ) {
|
if ( $level ne '' ) {
|
||||||
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
||||||
log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' );
|
log_irule_limit( $level, $xchainref, $param[0], 'DROP', [], $tag, 'add' , '' );
|
||||||
add_ijump $xchainref, j => 'DROP';
|
add_ijump $xchainref, j => 'DROP';
|
||||||
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
|
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
|
||||||
} else {
|
} else {
|
||||||
|
Loading…
Reference in New Issue
Block a user