Finish CONNLIMIT
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
28cc9eec76
commit
35fd52c42b
@ -35,7 +35,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40000
|
SHOREWALL_LIBVERSION=40000
|
||||||
SHOREWALL_CAPVERSION=40190
|
SHOREWALL_CAPVERSION=40200
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||||
@ -1076,6 +1076,7 @@ determine_capabilities() {
|
|||||||
NFQUEUE_TARGET=
|
NFQUEUE_TARGET=
|
||||||
REALM_MATCH=
|
REALM_MATCH=
|
||||||
HELPER_MATCH=
|
HELPER_MATCH=
|
||||||
|
CONNLIMIT_MATCH=
|
||||||
|
|
||||||
chain=fooX$$
|
chain=fooX$$
|
||||||
|
|
||||||
@ -1177,6 +1178,7 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
||||||
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
||||||
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
|
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
|
||||||
|
qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
|
||||||
|
|
||||||
qt $IPTABLES -F $chain
|
qt $IPTABLES -F $chain
|
||||||
qt $IPTABLES -X $chain
|
qt $IPTABLES -X $chain
|
||||||
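Review bot: The probe `qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes` appends `-j DROP`, which none of the neighbouring probes (realm, helper) do and which the compiler's own probe added in determine_capabilities of the Perl module omits; dropping it keeps the two detections identical, `qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 && CONNLIMIT_MATCH=Yes`. Both probes only exercise `--connlimit-above`, while the compiler also emits `--connlimit-mask` when a mask is given; if a connlimit build without that option exists, the capability would be reported as present yet masked rules would fail at load time, so probing with the mask option as well may be worth considering. determine_capabilities starts before this hunk and continues after it.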
@ -1230,6 +1232,7 @@ report_capabilities() {
|
|||||||
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
|
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
|
||||||
report_capability "Realm Match" $REALM_MATCH
|
report_capability "Realm Match" $REALM_MATCH
|
||||||
report_capability "Helper Match" $HELPER_MATCH
|
report_capability "Helper Match" $HELPER_MATCH
|
||||||
|
report_capability "Connlimit Match" $CONNLIMIT_MATCH
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
@ -1277,6 +1280,8 @@ report_capabilities1() {
|
|||||||
report_capability1 HASHLIMIT_MATCH
|
report_capability1 HASHLIMIT_MATCH
|
||||||
report_capability1 NFQUEUE_TARGET
|
report_capability1 NFQUEUE_TARGET
|
||||||
report_capability1 REALM_MATCH
|
report_capability1 REALM_MATCH
|
||||||
|
report_capability1 HELPER_MATCH
|
||||||
|
report_capability1 CONNLIMIT_MATCH
|
||||||
|
|
||||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
}
|
}
|
||||||
|
@ -125,6 +125,11 @@ Other changes in Shorewall 4.2.1
|
|||||||
current connections is calculated over all destinations and not
|
current connections is calculated over all destinations and not
|
||||||
just the destination specified in the DEST column.
|
just the destination specified in the DEST column.
|
||||||
|
|
||||||
|
Use of this feature requires the connlimit match capability in your
|
||||||
|
kernel and iptables. If you use a capabilities file when compiling
|
||||||
|
your Shorewall configuration(s), then you need to regenerate the
|
||||||
|
file using Shorewall or Shorewall-lite 4.2.1.
|
||||||
|
|
||||||
New Features in Shorewall 4.2.
|
New Features in Shorewall 4.2.
|
||||||
|
|
||||||
1) Shorewall 4.2 contains support for multiple Internet providers
|
1) Shorewall 4.2 contains support for multiple Internet providers
|
||||||
|
@ -1278,11 +1278,13 @@ sub do_connlimit( $ ) {
|
|||||||
|
|
||||||
return '' unless $limit and $limit ne '-';
|
return '' unless $limit and $limit ne '-';
|
||||||
|
|
||||||
|
require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
|
||||||
|
|
||||||
my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
|
my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
|
||||||
|
|
||||||
if ( $limit =~ /^(\d+):(\d+)$/ ) {
|
if ( $limit =~ /^(\d+):(\d+)$/ ) {
|
||||||
fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;
|
fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;
|
||||||
"-m connlimit ${invert}--connlimit-above $1 --connmask $2";
|
"-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 ";
|
||||||
} elsif ( $limit =~ /^(\d+)$/ ) {
|
} elsif ( $limit =~ /^(\d+)$/ ) {
|
||||||
"-m connlimit ${invert}--connlimit-above $limit ";
|
"-m connlimit ${invert}--connlimit-above $limit ";
|
||||||
} else {
|
} else {
|
||||||
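Review bot: The mask check `fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;` can never fire, because any value the `^(\d+):(\d+)$` match yields satisfies at least one side of the `||`; the intended conjunction is `fatal_error "Invalid Mask ($2)" unless $2 > 0 && $2 < 31;` (whether /31 and /32 are meant to be excluded is for the author to confirm). As written, an out-of-range mask is passed straight through to the new `--connlimit-mask $2` option and is rejected, if at all, only when iptables loads the rule. The man-page hunk in this commit drops the `!` form from the CONNLIMIT syntax while the `s/^!//` on the line below the new require_capability call still accepts it; if the inverted form is meant to stay undocumented, a comment saying so would help the next reader. do_connlimit starts before this hunk and continues after the `} else {`.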
|
@ -205,6 +205,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
NFQUEUE_TARGET => 'NFQUEUE Target',
|
NFQUEUE_TARGET => 'NFQUEUE Target',
|
||||||
REALM_MATCH => 'Realm Match',
|
REALM_MATCH => 'Realm Match',
|
||||||
HELPER_MATCH => 'Helper Match',
|
HELPER_MATCH => 'Helper Match',
|
||||||
|
CONNLIMIT_MATCH => 'Connlimit Match',
|
||||||
CAPVERSION => 'Capability Version',
|
CAPVERSION => 'Capability Version',
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -267,7 +268,7 @@ sub initialize() {
|
|||||||
LOGPARMS => '',
|
LOGPARMS => '',
|
||||||
TC_SCRIPT => '',
|
TC_SCRIPT => '',
|
||||||
VERSION => "4.2.0",
|
VERSION => "4.2.0",
|
||||||
CAPVERSION => 40190 ,
|
CAPVERSION => 40200 ,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# From shorewall.conf file
|
# From shorewall.conf file
|
||||||
@ -412,6 +413,7 @@ sub initialize() {
|
|||||||
NFQUEUE_TARGET => undef,
|
NFQUEUE_TARGET => undef,
|
||||||
REALM_MATCH => undef,
|
REALM_MATCH => undef,
|
||||||
HELPER_MATCH => undef,
|
HELPER_MATCH => undef,
|
||||||
|
CONNLIMIT_MATCH => undef,
|
||||||
CAPVERSION => undef,
|
CAPVERSION => undef,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -1628,6 +1630,7 @@ sub determine_capabilities( $ ) {
|
|||||||
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
|
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
|
||||||
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
|
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
|
||||||
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
|
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
|
||||||
|
$capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
|
||||||
|
|
||||||
qt1( "$iptables -F $sillyname" );
|
qt1( "$iptables -F $sillyname" );
|
||||||
qt1( "$iptables -X $sillyname" );
|
qt1( "$iptables -X $sillyname" );
|
||||||
|
@ -239,8 +239,8 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CONNLIMIT</emphasis> - [<emphasis
|
<term><emphasis role="bold">CONNLIMIT</emphasis> -
|
||||||
role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
|
<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number
|
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number
|
||||||
@ -254,10 +254,7 @@
|
|||||||
<replaceable>mask</replaceable> specifies the width of a VLSM mask
|
<replaceable>mask</replaceable> specifies the width of a VLSM mask
|
||||||
to be applied to the source address; the number of current
|
to be applied to the source address; the number of current
|
||||||
connections is then taken over all hosts in the subnet
|
connections is then taken over all hosts in the subnet
|
||||||
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
|
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
|
||||||
When<option> !</option> is specified, the rule matches when the
|
|
||||||
number of connection exceeds the
|
|
||||||
<replaceable>limit</replaceable>.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|