From 35fd52c42b734ab24b9f548994c20efecce9d345 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 8 Oct 2008 16:54:08 +0000
Subject: [PATCH] Finish CONNLIMIT
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/lib.base | 7 ++++++-
 Shorewall-common/releasenotes.txt | 7 ++++++-
 Shorewall-perl/Shorewall/Chains.pm | 4 +++-
 Shorewall-perl/Shorewall/Config.pm | 5 ++++-
 manpages/shorewall-policy.xml | 9 +++------
 5 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base
index 09787f270..0e994fbac 100644
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@@ -35,7 +35,7 @@
 #
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40190
+SHOREWALL_CAPVERSION=40200
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -1076,6 +1076,7 @@ determine_capabilities() {
 NFQUEUE_TARGET=
 REALM_MATCH=
 HELPER_MATCH=
+ CONNLIMIT_MATCH=
 chain=fooX$$
@@ -1177,6 +1178,7 @@ determine_capabilities() {
 qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
 qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
 qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+ qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
 qt $IPTABLES -F $chain
 qt $IPTABLES -X $chain
@@ -1230,6 +1232,7 @@ report_capabilities() {
 report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 report_capability "Realm Match" $REALM_MATCH
 report_capability "Helper Match" $HELPER_MATCH
+ report_capability "Connlimit Match" $CONNLIMIT_MATCH
 fi
 [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1277,6 +1280,8 @@ report_capabilities1() {
 report_capability1 HASHLIMIT_MATCH
 report_capability1 NFQUEUE_TARGET
 report_capability1 REALM_MATCH
+ report_capability1 HELPER_MATCH
+ report_capability1 CONNLIMIT_MATCH
 echo CAPVERSION=$SHOREWALL_CAPVERSION
 }
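Review bot: The connlimit probe added in the @@ -1177 hunk of determine_capabilities appends `-j DROP`, while the counterpart probe this commit adds to determine_capabilities in Shorewall-perl/Shorewall/Config.pm (@@ -1628) is `-m connlimit --connlimit-above 8` with no target; both are valid rules, but the shell library and the compiler should test the identical rule so that a capabilities file written by lib.base and the compiler's own probe cannot disagree on CONNLIMIT_MATCH — drop `-j DROP` here or add it there. Separately, the @@ -1277 hunk adds `report_capability1 HELPER_MATCH` to report_capabilities1, which the context lines show was absent before this commit even though report_capabilities already reported "Helper Match"; capabilities files written by earlier versions therefore never recorded the helper match, presumably leaving the compiler without it. That is a fix in its own right and deserves a sentence in releasenotes.txt next to the CONNLIMIT entry, since the CAPVERSION bump to 40200 is what forces users to regenerate the file.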
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 268881fe3..7f55a18ee 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -123,7 +123,12 @@ Other changes in Shorewall 4.2.1 It is important to note that while the limit is only checked for those destinations specified in the DEST column, the number of current connections is calculated over all destinations and not - just the destination specified in the DEST column. + just the destination specified in the DEST column. + + Use of this feature requires the connlimit match capability in your kernel and iptables. If you use a capabilities file when compiling your Shorewall configuration(s), then you need to regenerate the file using Shorewall or Shorewall-lite 4.2.1. New Features in Shorewall 4.2.
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index f054558cb..7f593ce65 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -1278,11 +1278,13 @@ sub do_connlimit( $ ) {
 return '' unless $limit and $limit ne '-';
+ require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
+
 my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
 if ( $limit =~ /^(\d+):(\d+)$/ ) {
 fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;
- "-m connlimit ${invert}--connlimit-above $1 --connmask $2";
+ "-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 ";
 } elsif ( $limit =~ /^(\d+)$/ ) {
 "-m connlimit ${invert}--connlimit-above $limit ";
 } else {
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 219218e8a..e8990c66e 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
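Review bot: The mask validation on the context line directly above the changed `--connlimit-mask` line, `fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;`, can never fire, because every value the regex admits satisfies `> 0 || < 31`, so an out-of-range mask such as 99 is passed straight through to iptables and only fails when the generated script runs. The condition was presumably meant to be a conjunction; for an IPv4 connlimit mask the prefix length is at most 32, so `fatal_error "Invalid Mask ($2)" unless $2 > 0 && $2 <= 32;` (adjust the lower bound if a 0 mask is meant to be allowed) rejects bad input at compile time, which is where the new require_capability check already puts the other validation. Also, the manpage hunk in this commit removes the `[!]` prefix from the CONNLIMIT syntax, yet `my $invert = $limit =~ s/^!// ? '' : '! ';` still strips a leading `!` and flips the match, so the inverted form is now accepted but undocumented; either keep the `[!]limit[:mask]` documentation or reject a leading `!` here. do_connlimit continues beyond the end of the hunk.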
@@ -205,6 +205,7 @@ our %capdesc = (
 NAT_ENABLED => 'NAT',
 NFQUEUE_TARGET => 'NFQUEUE Target',
 REALM_MATCH => 'Realm Match',
 HELPER_MATCH => 'Helper Match',
+ CONNLIMIT_MATCH => 'Connlimit Match',
 CAPVERSION => 'Capability Version',
 );
 #
@@ -267,7 +268,7 @@ sub initialize() {
 LOGPARMS => '',
 TC_SCRIPT => '',
 VERSION => "4.2.0",
- CAPVERSION => 40190 ,
+ CAPVERSION => 40200 ,
 );
 #
 # From shorewall.conf file
@@ -412,6 +413,7 @@ sub initialize() {
 NFQUEUE_TARGET => undef,
 REALM_MATCH => undef,
 HELPER_MATCH => undef,
+ CONNLIMIT_MATCH => undef,
 CAPVERSION => undef,
 );
 #
@@ -1628,6 +1630,7 @@ sub determine_capabilities( $ ) {
 $capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
 $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
 $capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
+ $capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
 qt1( "$iptables -F $sillyname" );
 qt1( "$iptables -X $sillyname" );
diff --git a/manpages/shorewall-policy.xml b/manpages/shorewall-policy.xml
index 1e5584ab8..1f4539967 100644
--- a/manpages/shorewall-policy.xml
+++ b/manpages/shorewall-policy.xml
@@ -239,8 +239,8 @@ - CONNLIMIT - [!]limit[:mask] + CONNLIMIT - + limit[:mask] Added in Shorewall-perl 4.2.1. May be used to limit the number
@@ -254,10 +254,7 @@ mask specifies the width of a VLSM mask to be applied to the source address; the number of current connections is then taken over all hosts in the subnet - source-address/mask. When is specified, the rule matches when the number of connection exceeds the limit. + source-address/mask.