From 0a7c65ae0d7697ff790576cd34400b7570e3103c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 26 Jul 2015 14:26:58 -0700
Subject: [PATCH] Allow connlimit by destination

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 6 +++--
 Shorewall/manpages/shorewall-rules.xml | 28 ++++++++++++++----------
 Shorewall6/manpages/shorewall6-rules.xml | 28 ++++++++++++++----------
 3 files changed, 38 insertions(+), 24 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 1abd4580f..086ce6294 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4981,13 +4981,15 @@ sub do_connlimit( $ ) {
     require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
+    my $destination = $limit =~ s/^d:// ? '--connlimit-daddr ' : '';
+
     my $invert = $limit =~ s/^!// ? '' : '! ';
     # Note Carefully -- we actually do 'connlimit-at-or-below'
     if ( $limit =~ /^(\d+):(\d+)$/ ) {
         fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;
-        "-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 ";
+        "-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 $destination";
     } elsif ( $limit =~ /^(\d+)$/ ) {
-        "-m connlimit ${invert}--connlimit-above $limit ";
+        "-m connlimit ${invert}--connlimit-above $limit $destination";
     } else {
         fatal_error "Invalid connlimit ($limit)";
     }
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 2f1104f74..6023b906a 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
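Review bot: The new `--connlimit-daddr` option is emitted without any capability check of its own: the hunk only does `require_capability 'CONNLIMIT_MATCH', ...`, so a `d:` specification on an iptables/kernel combination that lacks the daddr option would fail only when the generated ruleset is loaded rather than at compile time with the usual Shorewall message; consider guarding it with something like `require_capability 'CONNLIMIT_DADDR_PLACEHOLDER', 'CONNLIMIT with d:', 's' if $destination;` (capability name to be defined in the capability-detection code). The unchanged context line `fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;` can never fire, because any non-negative `\d+` satisfies one side of the `||`; since this commit makes the same mask apply to destination addresses as well, it would be a good moment to turn it into a conjunction with the correct upper bound (keeping IPv6 prefix lengths in mind if this module serves both address families, which I infer from the paired shorewall6 manpage change). Because `s/^d://` runs before `s/^!//`, a spec written `!d:5` is rejected as `Invalid connlimit (d:5)`; that matches the documented `[d:][!]limit[:mask]` order, but a hint in the error text would help users who get the prefixes the other way round. The body of do_connlimit begins above the hunk, so where `$limit` is unpacked from `@_` is not visible here.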
@@ -1522,21 +1522,27 @@ - CONNLIMIT - [CONNLIMIT - [d:][!]limit[:mask] May be used to limit the number of simultaneous connections - from each individual host to limit - connections. Requires connlimit match in your kernel and iptables. - While the limit is only checked on rules specifying CONNLIMIT, the - number of current connections is calculated over all current - connections from the SOURCE host. By default, the limit is applied - to each host but can be made to apply to networks of hosts by - specifying a mask. The - mask specifies the width of a VLSM mask - to be applied to the source address; the number of current - connections is then taken over all hosts in the subnet + to/from each individual host or network to + limit connections. Requires connlimit + match in your kernel and iptables. While the limit is only checked + on rules specifying CONNLIMIT, the number of current connections is + calculated over all current connections from the SOURCE or + DESTINATION host. By default, limiting is done by SOURCE host or + net, but if the specification begins with d:, then limiting will be donw by destination + host or net. + + By default, the limit is applied to each host but can be made + to apply to networks of hosts by specifying a + mask. The mask + specifies the width of a VLSM mask to be applied to the source + address; the number of current connections is then taken over all + hosts in the subnet source-address/mask. When is specified, the rule matches when the number of connection exceeds the diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index a77da01b1..d4c3b67b6 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml 
@@ -1385,21 +1385,27 @@ - CONNLIMIT - [CONNLIMIT - [d:][!]limit[:mask] May be used to limit the number of simultaneous connections - from each individual host to limit - connections. Requires connlimit match in your kernel and ip6tables. - While the limit is only checked on rules specifying CONNLIMIT, the - number of current connections is calculated over all current - connections from the SOURCE host. By default, the limit is applied - to each host but can be made to apply to networks of hosts by - specifying a mask. The - mask specifies the width of a VLSM mask - to be applied to the source address; the number of current - connections is then taken over all hosts in the subnet + to/from each individual host or network to + limit connections. Requires connlimit + match in your kernel and iptables. While the limit is only checked + on rules specifying CONNLIMIT, the number of current connections is + calculated over all current connections from the SOURCE or + DESTINATION host. By default, limiting is done by SOURCE host or + net, but if the specification begins with d:, then limiting will be donw by destination + host or net. + + By default, the limit is applied to each host but can be made + to apply to networks of hosts by specifying a + mask. The mask + specifies the width of a VLSM mask to be applied to the source + address; the number of current connections is then taken over all + hosts in the subnet source-address/mask. When is specified, the rule matches when the number of connection exceeds the