From 4e0225a4c3dd5a7cab873f508828c9e72608b3d6 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 18 Feb 2010 07:12:36 -0800 Subject: [PATCH] Update Documentation for per-IP rate limiting fixes. Signed-off-by: Tom Eastep --- Shorewall/releasenotes.txt | 32 ++++++++++++++++++-------------- manpages/shorewall-rules.xml | 8 ++++---- manpages6/shorewall6-rules.xml | 8 ++++---- 3 files changed, 26 insertions(+), 22 deletions(-) diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 894ca9b73..66272bbdd 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -187,17 +187,13 @@ Shorewall 4.4.8 P R O B L E M S C O R R E C T E D I N 4 . 4 . 8 ---------------------------------------------------------------------------- -1) All versions of Shorewall-perl mishandled per-IP rate limiting in - REDIRECT and DNAT rules. The effective rate and burst were 1/2 of - the values given in the rule. - -2) A CONTINUE rule specifying a log level would cause the compiler to +1) A CONTINUE rule specifying a log level would cause the compiler to generate an incorrect rule sequence. The packet would be logged but the CONTINUE action would not occur. -3) If multiple entries were present in /etc/shorewall/tcdevices and - unique class numbers were not explicitly specified in - /etc/shorewall/tc, then 'shorewall start' would fail with a +2) If multiple entries were present in /etc/shorewall/tcdevices and + globally unique class numbers were not explicitly specified in + /etc/shorewall/tcclasses, then 'shorewall start' would fail with a diagnostic such as: Setting up Traffic Control... 
@@ -206,14 +202,22 @@ Shorewall 4.4.8 1500 limit 127 perturb 10" Failed Processing /etc/shorewall/stop ... -4) Previously, when per-IP rate limiting was specified with a low rate - (such as 1/hour), the effective rate was much higher (once every 10 - seconds). The Shorewall compiler now configures the hashlimit table - based on the rate such that the rate is more accurately enforced. +3) Previously, when a low per-IP rate limit (such as 1/hour) was + specified, the effective enforced rate was much higher + (approximately 6/min). The Shorewall compiler now configures the + hashlimit table idle timeout based on the rate units (min, hour, + ...) so that the rate is more accurately enforced. As part of this change, a unique hash table name is assigned to - each rule that does not specify a table name in the rule. The - assigned names are of the form 'shorewallN' where N is an integer. + each per-IP rate limiting rule that does not specify a table name + in the rule. The assigned names are of the form 'shorewallN' where + N is an integer. Previously, all such rules shared a single + 'shorewall' table which lead to unexpected results. + +4) All prior versions of Shorewall-perl mishandle per-IP rate limiting + in REDIRECT and DNAT rules. The effective rate and burst are 1/2 of + the values given in the rule. This problem has been corrected so + that the specified rate is now the effective rate. ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index 577b5daff..ff02dac57 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml 
@@ -891,10 +891,10 @@ respectively. The name may be chosen by the user and specifies a hash table to be used to count matching connections. If not give, the name shorewall is assumed. Where more than one - rule specifies the same name, the connections counts for the rules - are aggregated and the individual rates apply to the aggregated - count. + role="bold">shorewallN (where N is a unique integer) is + assumed. Where more than one rule specifies the same name, the + connections counts for the rules are aggregated and the individual + rates apply to the aggregated count. Example: s:ssh:3/min:5 diff --git a/manpages6/shorewall6-rules.xml b/manpages6/shorewall6-rules.xml index f362bee70..2b7755185 100644 --- a/manpages6/shorewall6-rules.xml +++ b/manpages6/shorewall6-rules.xml @@ -692,10 +692,10 @@ respectively. The name may be chosen by the user and specifies a hash table to be used to count matching connections. If not give, the name shorewall is assumed. Where more than one - POLICY specifies the same name, the connections counts for the rules - are aggregated and the individual rates apply to the aggregated - count. + role="bold">shorewallN (where N is a unique integer) is + assumed. Where more than one POLICY specifies the same name, the + connections counts for the rules are aggregated and the individual + rates apply to the aggregated count.
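Review bot: In the second releasenotes.txt hunk (@@ -206,14 +202,22 @@), the new item 4 is written in the present tense ("All prior versions of Shorewall-perl mishandle per-IP rate limiting ... The effective rate and burst are 1/2 of the values") while items 1 to 3 of the same P R O B L E M S C O R R E C T E D list describe their defects in the past tense ("would cause", "was specified"); since the item closes with "This problem has been corrected", suggest "mishandled" and "were 1/2 of the values given in the rule". In item 3, "which lead to unexpected results" should read "which led to unexpected results". Item 3 also says a unique 'shorewallN' table is now assigned to "each per-IP rate limiting rule that does not specify a table name"; it would help to spell out the consequence for users, namely that rules which omit the name no longer share one counter and are therefore no longer aggregated with each other, because the man page text changed below only describes aggregation for rules that specify the same name.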
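Review bot: In the shorewall-rules.xml hunk, the unchanged context line "If not give, the name" carries a typo ("given") that the patch leaves in place even though the rest of the sentence is being rewritten; fix it here while the paragraph is open. With the default now "shorewallN (where N is a unique integer)", a reader cannot tell from the new text whether two rules that both omit the name share a hash table; a sentence such as "Rules that omit the name each get their own table and are not aggregated" would remove the ambiguity and would match the release note in this same patch, which says the unique name is assigned per rule.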
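Review bot: In the shorewall6-rules.xml hunk, the rewritten sentence reads "Where more than one POLICY specifies the same name", whereas the parallel hunk in shorewall-rules.xml says "Where more than one rule specifies the same name". This is the rules man page, so "POLICY" looks like carry-over from the policy man page; suggest "rule" so the IPv6 text matches the IPv4 text. The "If not give" typo in the context line of this hunk should be corrected as well.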