Disallow DROP with ratelimiting

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6214 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-05-03 16:30:59 +00:00
parent d1b9a71a3b
commit b98c2dc661
3 changed files with 10 additions and 8 deletions


@ -223,7 +223,7 @@ sub createactionchain( $ ) {
my $chainref; my $chainref;
if ( $level ne '' ) { if ( defined $level && $level ne '' ) {
if ( $level eq 'none' ) { if ( $level eq 'none' ) {
createsimpleactionchain $action; createsimpleactionchain $action;
} else { } else {
@ -402,7 +402,7 @@ sub process_action3( $$$$$ ) {
expand_rule ( $chainref , expand_rule ( $chainref ,
NO_RESTRICT , NO_RESTRICT ,
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user , do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
$source , $source ,
$dest , $dest ,
'', #Original Dest '', #Original Dest
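Review bot: The new `do_ratelimit( $rate, $action )` only refuses DROP if `$action` is the bare target name at this point; if process_action3 still carries the target as written in the action file (for example `DROP:info` with a log level attached), the `eq 'DROP'` test inside do_ratelimit will not fire for it. This is worth confirming against the place where `$action` is split from its log level, which is not visible here — process_action3 and the expand_rule call both continue beyond the hunk. If it is already bare, a short comment such as `# $action is the bare target here; do_ratelimit refuses DROP with a rate` would make that precondition explicit for the next reader.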


@ -184,12 +184,12 @@ our $comment = '';
# Target Table. Each entry maps a target to a set of flags defined as follows. # Target Table. Each entry maps a target to a set of flags defined as follows.
# #
use constant { STANDARD => 1, #defined by Netfilter use constant { STANDARD => 1, #defined by Netfilter
NATRULE => 2, #Involved NAT NATRULE => 2, #Involves NAT
BUILTIN => 4, #A built-in action BUILTIN => 4, #A built-in action
NONAT => 8, #'NONAT' or 'ACCEPT+' NONAT => 8, #'NONAT' or 'ACCEPT+'
NATONLY => 16, #'DNAT-' or 'REDIRECT-' NATONLY => 16, #'DNAT-' or 'REDIRECT-'
REDIRECT => 32, #'REDIRECT' REDIRECT => 32, #'REDIRECT'
ACTION => 64, #An action ACTION => 64, #An action (may be built-in)
MACRO => 128, #A Macro MACRO => 128, #A Macro
LOGRULE => 256, #'LOG' LOGRULE => 256, #'LOG'
}; };
@ -905,11 +905,13 @@ sub do_test ( $$ )
# #
# Create a "-m limit" match for the passed LIMIT/BURST # Create a "-m limit" match for the passed LIMIT/BURST
# #
sub do_ratelimit( $ ) { sub do_ratelimit( $$ ) {
my $rate = $_[0]; my ( $rate, $action ) = @_;
return '' unless $rate and $rate ne '-'; return '' unless $rate and $rate ne '-';
fatal_error "Rate Limiting not available with DROP" if $action eq 'DROP';
if ( $rate =~ /^([^:]+):([^:]+)$/ ) { if ( $rate =~ /^([^:]+):([^:]+)$/ ) {
"-m limit --limit $1 --limit-burst $2 "; "-m limit --limit $1 --limit-burst $2 ";
} else { } else {
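Review bot: The added `fatal_error` gives no hint of why a rate-limited DROP is refused, and the same reasoning applies to REJECT, which the check does not cover. With `-m limit` on a terminating negative target only the packets within the limit are dropped; everything over the limit falls through to the following rules and the policy, which inverts the rule's intent — add `# A rate-limited DROP only drops packets within the limit; the excess falls through to later rules/policy, the opposite of what the user wants.` above the check, and consider whether REJECT should be refused on the same grounds. Since `$action` is now a required argument supplied by call sites in other files, a `defined $action &&` guard (or `( $action || '' ) eq 'DROP'`) would avoid an uninitialized-value warning from any caller that passes nothing. The body of `do_ratelimit` continues past the end of the hunk.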


@ -962,7 +962,7 @@ sub process_rule1 ( $$$$$$$$$$ ) {
# #
# Generate Fixed part of the rule # Generate Fixed part of the rule
# #
$rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit ) , do_user( $user ) , do_test( $mark , 0xFF ) ); $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) );
# #
# Generate NAT rule(s), if any # Generate NAT rule(s), if any
@ -1044,7 +1044,7 @@ sub process_rule1 ( $$$$$$$$$$ ) {
# - there will be no log level (we log NAT rules in the nat table rather than in the filter table). # - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
# #
unless ( $actiontype & NATONLY ) { unless ( $actiontype & NATONLY ) {
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user ); $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user );
$loglevel = ''; $loglevel = '';
$dest = $server; $dest = $server;
$action = 'ACCEPT'; $action = 'ACCEPT';
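Review bot: The literal `'ACCEPT'` passed to `do_ratelimit` on the rebuilt `$rule` line duplicates the `$action = 'ACCEPT';` assignment three lines below it, so the two can drift apart if the post-NAT filter action ever changes. Moving the assignment above the join and passing the variable keeps that fact in one place: `$action = 'ACCEPT';` first, then `do_ratelimit( $ratelimit, $action )`. Passing the constant is correct today, since the hunk shows the NAT follow-up rule is always an ACCEPT here. The enclosing `unless` block and process_rule1 continue past the end of the hunk.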