Finish CONNLIMIT

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-10-08 16:54:08 +00:00
parent 28cc9eec76
commit 35fd52c42b
5 changed files with 22 additions and 10 deletions


@ -35,7 +35,7 @@
# #
SHOREWALL_LIBVERSION=40000 SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40190 SHOREWALL_CAPVERSION=40200
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -1076,6 +1076,7 @@ determine_capabilities() {
NFQUEUE_TARGET= NFQUEUE_TARGET=
REALM_MATCH= REALM_MATCH=
HELPER_MATCH= HELPER_MATCH=
CONNLIMIT_MATCH=
chain=fooX$$ chain=fooX$$
@ -1177,6 +1178,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $IPTABLES -F $chain qt $IPTABLES -F $chain
qt $IPTABLES -X $chain qt $IPTABLES -X $chain
@ -1230,6 +1232,7 @@ report_capabilities() {
report_capability "NFQUEUE Target" $NFQUEUE_TARGET report_capability "NFQUEUE Target" $NFQUEUE_TARGET
report_capability "Realm Match" $REALM_MATCH report_capability "Realm Match" $REALM_MATCH
report_capability "Helper Match" $HELPER_MATCH report_capability "Helper Match" $HELPER_MATCH
report_capability "Connlimit Match" $CONNLIMIT_MATCH
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1277,6 +1280,8 @@ report_capabilities1() {
report_capability1 HASHLIMIT_MATCH report_capability1 HASHLIMIT_MATCH
report_capability1 NFQUEUE_TARGET report_capability1 NFQUEUE_TARGET
report_capability1 REALM_MATCH report_capability1 REALM_MATCH
report_capability1 HELPER_MATCH
report_capability1 CONNLIMIT_MATCH
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
} }
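Review bot: The new probe `qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes` only exercises `--connlimit-above`, while the rule generator changed in this same commit now emits `--connlimit-mask` (renamed from `--connmask`), so an iptables build that has the match but spells the mask option differently would be reported as capable and the masked CONNLIMIT rule would only fail when the ruleset is loaded. If the mask option is expected to exist wherever the match does, a short comment saying so would help; otherwise probing with `--connlimit-above 8 --connlimit-mask 32` makes the capability mean what the generator needs. The Perl probe in Config.pm's determine_capabilities (`$capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" )`) has the same gap and additionally omits the `-j DROP` used here; the two probes should be identical so that a capabilities file written by shorewall-lite agrees with compile-time detection. determine_capabilities starts outside the hunk.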


@ -125,6 +125,11 @@ Other changes in Shorewall 4.2.1
current connections is calculated over all destinations and not current connections is calculated over all destinations and not
just the destination specified in the DEST column. just the destination specified in the DEST column.
Use of this feature requires the connlimit match capability in your
kernel and iptables. If you use a capabilities file when compiling
your Shorewall configuration(s), then you need to regenerate the
file using Shorewall or Shorewall-lite 4.2.1.
New Features in Shorewall 4.2. New Features in Shorewall 4.2.
1) Shorewall 4.2 contains support for multiple Internet providers 1) Shorewall 4.2 contains support for multiple Internet providers


@ -1278,11 +1278,13 @@ sub do_connlimit( $ ) {
return '' unless $limit and $limit ne '-'; return '' unless $limit and $limit ne '-';
require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below' my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
if ( $limit =~ /^(\d+):(\d+)$/ ) { if ( $limit =~ /^(\d+):(\d+)$/ ) {
fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31; fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;
"-m connlimit ${invert}--connlimit-above $1 --connmask $2"; "-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 ";
} elsif ( $limit =~ /^(\d+)$/ ) { } elsif ( $limit =~ /^(\d+)$/ ) {
"-m connlimit ${invert}--connlimit-above $limit "; "-m connlimit ${invert}--connlimit-above $limit ";
} else { } else {
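Review bot: The mask check on the context line `fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;` can never fire, because every non-negative integer satisfies at least one side of the `||`; a mask such as `0` or `99` therefore passes straight into the generated `--connlimit-mask` argument and is rejected, if at all, only when iptables loads the ruleset. The operator should be `&&`, e.g. `fatal_error "Invalid Mask ($2)" unless $2 > 0 && $2 < 31;`, with the upper bound chosen deliberately (32 is the widest IPv4 mask). Separately, the `s/^!//` on the following line still accepts a leading `!` although this commit drops the `[!]` form from the manpage; if the inverted syntax is meant to stay supported the documentation removal looks accidental, and if not, the code path is now undocumented. do_connlimit starts and ends outside the hunk.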


@ -205,6 +205,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
NFQUEUE_TARGET => 'NFQUEUE Target', NFQUEUE_TARGET => 'NFQUEUE Target',
REALM_MATCH => 'Realm Match', REALM_MATCH => 'Realm Match',
HELPER_MATCH => 'Helper Match', HELPER_MATCH => 'Helper Match',
CONNLIMIT_MATCH => 'Connlimit Match',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
); );
# #
@ -267,7 +268,7 @@ sub initialize() {
LOGPARMS => '', LOGPARMS => '',
TC_SCRIPT => '', TC_SCRIPT => '',
VERSION => "4.2.0", VERSION => "4.2.0",
CAPVERSION => 40190 , CAPVERSION => 40200 ,
); );
# #
# From shorewall.conf file # From shorewall.conf file
@ -412,6 +413,7 @@ sub initialize() {
NFQUEUE_TARGET => undef, NFQUEUE_TARGET => undef,
REALM_MATCH => undef, REALM_MATCH => undef,
HELPER_MATCH => undef, HELPER_MATCH => undef,
CONNLIMIT_MATCH => undef,
CAPVERSION => undef, CAPVERSION => undef,
); );
# #
@ -1628,6 +1630,7 @@ sub determine_capabilities( $ ) {
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" ); $capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" ); $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" ); $capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
$capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" ); qt1( "$iptables -X $sillyname" );


@ -239,8 +239,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONNLIMIT</emphasis> - [<emphasis <term><emphasis role="bold">CONNLIMIT</emphasis> -
role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term> <emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number <para>Added in Shorewall-perl 4.2.1. May be used to limit the number
@ -254,10 +254,7 @@
<replaceable>mask</replaceable> specifies the width of a VLSM mask <replaceable>mask</replaceable> specifies the width of a VLSM mask
to be applied to the source address; the number of current to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet connections is then taken over all hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>. <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
When<option> !</option> is specified, the rule matches when the
number of connection exceeds the
<replaceable>limit</replaceable>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>