Finish CONNLIMIT

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-10-08 16:54:08 +00:00
parent 28cc9eec76
commit 35fd52c42b
5 changed files with 22 additions and 10 deletions


@ -35,7 +35,7 @@
#
SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40190
SHOREWALL_CAPVERSION=40200
[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -1076,6 +1076,7 @@ determine_capabilities() {
NFQUEUE_TARGET=
REALM_MATCH=
HELPER_MATCH=
CONNLIMIT_MATCH=
chain=fooX$$
@ -1177,6 +1178,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $IPTABLES -F $chain
qt $IPTABLES -X $chain
@ -1230,6 +1232,7 @@ report_capabilities() {
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
report_capability "Realm Match" $REALM_MATCH
report_capability "Helper Match" $HELPER_MATCH
report_capability "Connlimit Match" $CONNLIMIT_MATCH
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1277,6 +1280,8 @@ report_capabilities1() {
report_capability1 HASHLIMIT_MATCH
report_capability1 NFQUEUE_TARGET
report_capability1 REALM_MATCH
report_capability1 HELPER_MATCH
report_capability1 CONNLIMIT_MATCH
echo CAPVERSION=$SHOREWALL_CAPVERSION
}
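Review bot: The connlimit probe added in determine_capabilities (`qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes`) does not match the probe the compiler runs for the same capability in Config.pm, which omits `-j DROP`; the two detectors feed the same CONNLIMIT_MATCH flag via the capabilities file, so they should issue the identical rule to avoid one succeeding where the other fails. Dropping `-j DROP` here, `qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 && CONNLIMIT_MATCH=Yes`, would align them. The report_capabilities1 hunk appears to add `report_capability1 HELPER_MATCH` as well as CONNLIMIT_MATCH, which if so means capabilities files written by 4.2.0 lacked HELPER_MATCH; that is worth a comment next to the `SHOREWALL_CAPVERSION=40200` line, e.g. `# 40200: CONNLIMIT_MATCH added (and HELPER_MATCH now written to the capabilities file)`.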


@ -125,6 +125,11 @@ Other changes in Shorewall 4.2.1
current connections is calculated over all destinations and not
just the destination specified in the DEST column.
Use of this feature requires the connlimit match capability in your
kernel and iptables. If you use a capabilities file when compiling
your Shorewall configuration(s), then you need to regenerate the
file using Shorewall or Shorewall-lite 4.2.1.
New Features in Shorewall 4.2.
1) Shorewall 4.2 contains support for multiple Internet providers


@ -1278,11 +1278,13 @@ sub do_connlimit( $ ) {
return '' unless $limit and $limit ne '-';
require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
if ( $limit =~ /^(\d+):(\d+)$/ ) {
fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;
"-m connlimit ${invert}--connlimit-above $1 --connmask $2";
"-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 ";
} elsif ( $limit =~ /^(\d+)$/ ) {
"-m connlimit ${invert}--connlimit-above $limit ";
} else {
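Review bot: The mask validation on the `fatal_error "Invalid Mask ($2)"` line can never fire: the regex guarantees `$2` is a non-negative integer, so `$2 > 0 || $2 < 31` is true for every value and an out-of-range mask such as `200` is handed straight to iptables, which then rejects the generated ruleset at load time instead of at compile time. The disjunction should be a conjunction bounded by what `--connlimit-mask` accepts (0 to 32 for IPv4), e.g. `fatal_error "Invalid Mask ($2)" unless $2 >= 0 && $2 <= 32;` (add `$2 > 0` if a /0 mask is meant to be refused). Separately, the `my $invert = $limit =~ s/^!// ? '' : '! ';` line still accepts a leading `!`, while the manpage hunk in this same commit removes the `[!]limit` syntax from the CONNLIMIT description; either keep the form documented or reject it here so behaviour and documentation agree. do_connlimit's body continues past the end of the hunk.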


@ -205,6 +205,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
NFQUEUE_TARGET => 'NFQUEUE Target',
REALM_MATCH => 'Realm Match',
HELPER_MATCH => 'Helper Match',
CONNLIMIT_MATCH => 'Connlimit Match',
CAPVERSION => 'Capability Version',
);
#
@ -267,7 +268,7 @@ sub initialize() {
LOGPARMS => '',
TC_SCRIPT => '',
VERSION => "4.2.0",
CAPVERSION => 40190 ,
CAPVERSION => 40200 ,
);
#
# From shorewall.conf file
@ -412,6 +413,7 @@ sub initialize() {
NFQUEUE_TARGET => undef,
REALM_MATCH => undef,
HELPER_MATCH => undef,
CONNLIMIT_MATCH => undef,
CAPVERSION => undef,
);
#
@ -1628,6 +1630,7 @@ sub determine_capabilities( $ ) {
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
$capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" );
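Review bot: The `CAPVERSION => 40200 ,` bump in initialize() carries no note of why the version changed, so a future reader cannot tell which capability made older capabilities files stale; a short comment such as `# 40200: CONNLIMIT_MATCH added` beside it would record that. The new probe `$capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );` also differs from the shell-library probe for the same flag, which appends `-j DROP`; since both detectors populate the same CONNLIMIT_MATCH entry, they should issue the identical rule. The enclosing determine_capabilities( $ ) body starts and ends outside the hunk.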


@ -239,8 +239,8 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CONNLIMIT</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<term><emphasis role="bold">CONNLIMIT</emphasis> -
<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number
@ -254,10 +254,7 @@
<replaceable>mask</replaceable> specifies the width of a VLSM mask
to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
When<option> !</option> is specified, the rule matches when the
number of connection exceeds the
<replaceable>limit</replaceable>.</para>
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
</listitem>
</varlistentry>
</variablelist>