From 04064d01e674e80b7615152e60355864a2ebbbe5 Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 3 May 2007 16:33:49 +0000
Subject: [PATCH] Disallow rate limiting with DROP/REJECT

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6215 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/shorewall | 1 +
 Shorewall-perl/Shorewall/Chains.pm | 4 +++-
 Shorewall-shell/compiler | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/Shorewall-common/shorewall b/Shorewall-common/shorewall
index 9b29e2840..eb31f6e98 100755
--- a/Shorewall-common/shorewall
+++ b/Shorewall-common/shorewall
@@ -1546,6 +1546,7 @@ case "$COMMAND" in
 ;;
 logwatch)
 get_config Yes
+ banner="Shorewall-$version Logwatch at $HOSTNAME -"
 logwatch_command $@
 ;;
 drop)
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 128a059ca..0d33a8e35 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -902,6 +902,8 @@ sub do_test ( $$ )
 "$match $testval ";
 }
 
+my %norate = ( DROP => 1, REJECT => 1 );
+
 #
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
@@ -910,7 +912,7 @@ sub do_ratelimit( $$ ) {
 
 return '' unless $rate and $rate ne '-';
 
- fatal_error "Rate Limiting not available with DROP" if $action eq 'DROP';
+ fatal_error "Rate Limiting not available with $action" if $norate{$action};
 
 if ( $rate =~ /^([^:]+):([^:]+)$/ ) {
 "-m limit --limit $1 --limit-burst $2 ";
diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler
index 410640fa1..0c9ae7323 100755
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@@ -2169,6 +2169,7 @@ process_rule() # $1 = target
 [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with DROP"
 ;;
 REJECT)
+ [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with REJECT"
 target=reject
 ;;
 CONTINUE)
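Review bot: The new `%norate` table in Shorewall/Chains.pm (first hunk) has no comment saying why these two targets are excluded, and the reason matters for anyone extending it. A `-m limit` match only applies the rule's target while the rate holds, so on a DROP or REJECT rule the packets over the limit would not match and would continue to the rules that follow; presumably that is why the combination is refused. I would add a comment above the hash, for example `# Targets that may not carry a rate limit: over-limit packets would skip the rule and fall through to later rules`. The hash is never written in the visible lines, so the comment can also say it is a read-only lookup table.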
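Review bot: The guard `if $norate{$action}` in do_ratelimit (second Chains.pm hunk) is an exact, case-sensitive key lookup, so it fires only when the caller passes the bare strings `DROP` or `REJECT`. The start of the sub and its callers are outside the hunk, so it cannot be confirmed here that `$action` has already had any log-level suffix removed; if it has not, a rate-limited DROP or REJECT rule would pass the check without an error. I would state the contract on the sub, `# $action must be the bare target name (no log level)`, or normalise the value before the lookup. The old `$action eq 'DROP'` test had the same property, so this is not a regression, but the table makes the assumption easier to miss.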
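Review bot: The added REJECT check in Shorewall-shell/compiler tests only `[ -n "$ratelimit" ]`, while the Perl do_ratelimit in this same commit treats a rate of `-` as "no rate" before raising the error. If `$ratelimit` can still hold `-` at this point in process_rule (the normalisation, if any, is outside the hunk), the two compilers disagree: the shell compiler would reject a REJECT rule whose rate column is `-` and the Perl compiler would accept it. The DROP arm in the context line above uses the same test. If `-` is not cleared earlier, the check could read `[ -n "$ratelimit" ] && [ "$ratelimit" != - ] && fatal_error "Rate Limiting not available with REJECT"`.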