Add RATE LIMIT column; allow multiple chains in a 'show' command

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@718 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -48,4 +48,7 @@ Changes since 1.4.6
 
 22) Make burst optional in rate limited rules and policies.
 
-23) Allow display of multiple chains in one "shorewall show" command.
+23) Allow display of multiple chains in one "shorewall show" command.
+
+24) Add "RATE LIMIT" column for those who prefer their config files to
+    be wide but normalized.

Shorewall/firewall

@@ -2440,6 +2440,7 @@ process_rule() # $1 = target
                # $5 = ports
                # $6 = cports
                # $7 = address
+               # $8 = ratelimit
 {
     local target="$1"
     local clients="$2"
@@ -2448,17 +2449,21 @@ process_rule() # $1 = target
     local ports="$5"
     local cports="$6"
     local address="$7"
+    local ratelimit="$8"
     local rule="`echo $target $clients $servers $protocol $ports $cports $address`"
 
     # Function Body - isolate rate limit
 
-    if [ "$target" = "${target%<*}" ]; then
-	ratelimit=
-    else
-	ratelimit="${target#*<}"
-	ratelimit="${ratelimit%>*}"
-	target="${target%<*}${target#*>}"
-	expandv ratelimit
+    if [ -z "$ratelimit" ]; then
+	if [ "$target" != "${target%<*}" ]; then
+	    ratelimit="${target#*<}"
+	    ratelimit="${ratelimit%>*}"
+	    target="${target%<*}${target#*>}"
+	    expandv ratelimit
+	fi
+    fi
+    
+    if [ -n "$ratelimit" ]; then
 	case $ratelimit in
 	    *:*)
 		ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
@@ -2716,17 +2721,17 @@ process_rules() # $1 = name of rules file
 	for yclients in $xclients; do
 	    for yservers in $xservers; do
 		if [ "${yclients}" != "${yservers}" ] ; then
-		    process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress
+		    process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit
 		fi
 	    done
 	done
     }
 
-    while read xtarget xclients xservers xprotocol xports xcports xaddress; do
+    while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit; do
 	temp="${xtarget%:*}"
 	case "${temp%<*}" in
 	    ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
-		expandv xclients xservers xprotocol xports xcports xaddress
+		expandv xclients xservers xprotocol xports xcports xaddress xratelimit
 
 		if [ "x$xclients" = xall ]; then
 		    xclients="$zones $FW"
@@ -2743,10 +2748,10 @@ process_rules() # $1 = name of rules file
 		    continue
 		fi
 
-		process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress
+		process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit
 		;;
 	    *)
-		rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
+		rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit`"
 		fatal_error "Invalid Action in rule \"$rule\""
 		;;
 

Shorewall/releasenotes.txt

@@ -258,23 +258,33 @@ New Features:
    to create two rules; a DNAT- rule and an ACCEPT rule which can be
    rate-limited separately.
 
-   To specify a rate limit, follow ACCEPT, DNAT[-], REDIRECT[-] or LOG
-   with
+   To specify a rate limit, you can follow one of two approaches:
 
-      < <rate>/<interval>[:<burst>] >
+   a) You may follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
 
-   where
+	  < <rate>/<interval>[:<burst>] >
 
-      <rate> is the sustained rate per <interval>
-      <interval> is "sec" or "min"
-      <burst> is the largest burst accepted within an <interval>. If
-              not given, the default of 5 is assumed.
+	  where
 
-   There may be no white space between the ACTION and "<" nor there may
-   be any white space within the burst specification. If you want to
-   specify logging of a rate-limited rule, the ":" and log level comes
-   after the ">" (e.g., ACCEPT<2/sec:4>:info ).
+	  <rate> is the sustained rate per <interval>
+	  <interval> is "sec" or "min"
+	  <burst> is the largest burst accepted within an
+	          <interval>. If not given, the default of 5 is
+		  assumed.
 
+      There may be no white space between the ACTION and "<" nor there
+      may be any white space within the burst specification. If you want
+      to specify logging of a rate-limited rule, the ":" and log level
+      comes after the ">" (e.g., ACCEPT<2/sec:4>:info ).
+
+   b) There is a new RATE LIMIT column at the far right of the
+      file (beyond column 80). You may place the rate limit there in
+      the format:
+
+	  <rate>/<interval>[:<burst>]
+
+	  where <rate>, <interval> and <burst> are as above.
+   
    Let's take an example:
 
 	 ACCEPT<2/sec:4>	net	dmz	tcp	80
@@ -295,4 +305,3 @@ New Features:
 
 10) Multiple chains may now be displayed in one "shorewall show"
     command (e.g., shorewall show INPUT FORWARD OUTPUT).
-   

Shorewall/rules

@@ -50,11 +50,12 @@
 #			You may rate-limit the rule by optionally
 #			following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
 # 
-#				< <rate>/<interval>:<burst> >
+#				< <rate>/<interval>[:<burst>] >
 #
 #			where <rate> is the number of connections per 
 #			<interval> ("sec" or "min") and <burst> is the
-#			largest burst permitted. There may be
+#			largest burst permitted. If no <burst> is given,
+#			a value of 5 is assumed. There may be no
 #			no whitespace embedded in the specification.
 #
 #				Example: ACCEPT<10/sec:20>
@@ -64,6 +65,11 @@
 #			DNAT<4/sec:8>:debugging). This causes the packet to be
 #			logged at the specified level.
 #
+#			NOTE: For those of you who prefer to place the
+#			rate limit in a separate column, see the RATE LIMIT
+#			column below. If you specify a value in that column,
+#			you must not include a rate limit in the ACTION column
+#
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
 #			to a separate log through use of ulogd
@@ -206,6 +212,22 @@
 #			If no source IP address is given, the original source
 #			address is not altered.
 #
+#	RATE LIMIT	You may rate-limit the rule by placing a value in 
+#			this colume:
+# 
+#				<rate>/<interval>[:<burst>]
+#
+#			where <rate> is the number of connections per 
+#			<interval> ("sec" or "min") and <burst> is the
+#			largest burst permitted. If no <burst> is given,
+#			a value of 5 is assumed. There may be no
+#			no whitespace embedded in the specification.
+#
+#				Example: 10/sec:20
+#
+#			If you place a rate limit in this column, you may not
+#			place a similar limit in the ACTION column.
+#
 #	Example: Accept SMTP requests from the DMZ to the internet
 #
 #	#ACTION SOURCE	DEST PROTO	DEST    SOURCE	ORIGINAL
@@ -249,7 +271,7 @@
 #	#                               	PORT    PORT(S) DEST
 #	ACCEPT	 net:130.252.100.69,130.252.100.70 \
 #					tcp	22
-##############################################################################
-#ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL
-#                       	        	PORT    PORT(S)    DEST
+#########################################################################################
+#ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
+#                       	        	PORT    PORT(S)    DEST		LIMIT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/shorewall

@@ -786,9 +786,13 @@ case "$1" in
 	    echo "Shorewall-$version `[ $# -gt 1 ] && echo Chains || echo Chain` $* at $HOSTNAME - `date`"
 	    echo
 	    show_reset
-	    for chain in $*; do
-		iptables -L $chain -n -v
-	    done
+	    if [ $# -gt 0 ]; then
+		for chain in $*; do
+		    iptables -L $chain -n -v
+		done
+	    else
+		iptables -L -n -v
+	    fi
 	    ;;
 	esac
 	;;