Disallow DROP with ratelimiting

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6214 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-05-03 16:30:59 +00:00
parent d1b9a71a3b
commit b98c2dc661
3 changed files with 10 additions and 8 deletions


@ -223,7 +223,7 @@ sub createactionchain( $ ) {
my $chainref;
if ( $level ne '' ) {
if ( defined $level && $level ne '' ) {
if ( $level eq 'none' ) {
createsimpleactionchain $action;
} else {
@ -402,7 +402,7 @@ sub process_action3( $$$$$ ) {
expand_rule ( $chainref ,
NO_RESTRICT ,
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
$source ,
$dest ,
'', #Original Dest
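Review bot: The `$action` forwarded to `do_ratelimit( $rate, $action )` is what the new guard in do_ratelimit compares verbatim against `'DROP'`, so the check only works if `$action` here is the bare target name; if in process_action3 it can still carry a log-level suffix or be a derived chain name, a rate-limited DROP inside an action would pass through unnoticed. That cannot be confirmed from this hunk, because process_action3 starts outside it. A short comment at the call site would pin the assumption for the next maintainer, e.g. `# $action must be the bare target name: do_ratelimit rejects it when it is 'DROP'`.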


@ -184,12 +184,12 @@ our $comment = '';
# Target Table. Each entry maps a target to a set of flags defined as follows.
#
use constant { STANDARD => 1, #defined by Netfilter
NATRULE => 2, #Involved NAT
NATRULE => 2, #Involves NAT
BUILTIN => 4, #A built-in action
NONAT => 8, #'NONAT' or 'ACCEPT+'
NATONLY => 16, #'DNAT-' or 'REDIRECT-'
REDIRECT => 32, #'REDIRECT'
ACTION => 64, #An action
ACTION => 64, #An action (may be built-in)
MACRO => 128, #A Macro
LOGRULE => 256, #'LOG'
};
@ -905,11 +905,13 @@ sub do_test ( $$ )
#
# Create a "-m limit" match for the passed LIMIT/BURST
#
sub do_ratelimit( $ ) {
my $rate = $_[0];
sub do_ratelimit( $$ ) {
my ( $rate, $action ) = @_;
return '' unless $rate and $rate ne '-';
fatal_error "Rate Limiting not available with DROP" if $action eq 'DROP';
if ( $rate =~ /^([^:]+):([^:]+)$/ ) {
"-m limit --limit $1 --limit-burst $2 ";
} else {
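Review bot: The new guard `fatal_error "Rate Limiting not available with DROP" if $action eq 'DROP';` evaluates `$action` unconditionally, so a caller that passes undef gets an "uninitialized value" warning and the rule is silently accepted rather than reported; `fatal_error "Rate Limiting not available with DROP" if defined $action && $action eq 'DROP';` keeps the comparison honest, and the `( $$ )` prototype now requires every call site to supply the second argument explicitly. The reason for the restriction is also not recorded: a `-m limit` match on a DROP rule (the expression built on the following line) only matches packets within the limit, so the excess falls through to later rules or the policy, which is presumably the behaviour the commit wants to forbid. The same fall-through applies to REJECT, so it is worth deciding whether the exact match on `'DROP'` is meant to exclude it. I would put that rationale in the header comment above the sub, e.g. `# A rate-limited DROP only drops packets within the limit and lets the rest fall through, so it is rejected.`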


@ -962,7 +962,7 @@ sub process_rule1 ( $$$$$$$$$$ ) {
#
# Generate Fixed part of the rule
#
$rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit ) , do_user( $user ) , do_test( $mark , 0xFF ) );
$rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) );
#
# Generate NAT rule(s), if any
@ -1044,7 +1044,7 @@ sub process_rule1 ( $$$$$$$$$$ ) {
# - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
#
unless ( $actiontype & NATONLY ) {
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user );
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user );
$loglevel = '';
$dest = $server;
$action = 'ACCEPT';
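Review bot: The literal `'ACCEPT'` passed to `do_ratelimit( $ratelimit, 'ACCEPT' )` encodes the same fact as the `$action = 'ACCEPT';` assignment three lines below, and without a comment it reads like a placeholder rather than a deliberate choice. A one-line note on the call keeps the two in step, e.g. `# NAT-table rules always ACCEPT (see $action below), so the DROP restriction in do_ratelimit cannot apply here`. The earlier hunk in this file passes `$basictarget`, which is consistent with do_ratelimit comparing the bare target name; process_rule1 begins outside both hunks.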