Disallow DROP with ratelimiting
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6214 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d1b9a71a3b
commit
b98c2dc661
@ -223,7 +223,7 @@ sub createactionchain( $ ) {
|
||||
|
||||
my $chainref;
|
||||
|
||||
if ( $level ne '' ) {
|
||||
if ( defined $level && $level ne '' ) {
|
||||
if ( $level eq 'none' ) {
|
||||
createsimpleactionchain $action;
|
||||
} else {
|
||||
@ -402,7 +402,7 @@ sub process_action3( $$$$$ ) {
|
||||
|
||||
expand_rule ( $chainref ,
|
||||
NO_RESTRICT ,
|
||||
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user ,
|
||||
do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'', #Original Dest
|
||||
|
@ -184,12 +184,12 @@ our $comment = '';
|
||||
# Target Table. Each entry maps a target to a set of flags defined as follows.
|
||||
#
|
||||
use constant { STANDARD => 1, #defined by Netfilter
|
||||
NATRULE => 2, #Involved NAT
|
||||
NATRULE => 2, #Involves NAT
|
||||
BUILTIN => 4, #A built-in action
|
||||
NONAT => 8, #'NONAT' or 'ACCEPT+'
|
||||
NATONLY => 16, #'DNAT-' or 'REDIRECT-'
|
||||
REDIRECT => 32, #'REDIRECT'
|
||||
ACTION => 64, #An action
|
||||
ACTION => 64, #An action (may be built-in)
|
||||
MACRO => 128, #A Macro
|
||||
LOGRULE => 256, #'LOG'
|
||||
};
|
||||
@ -905,11 +905,13 @@ sub do_test ( $$ )
|
||||
#
|
||||
# Create a "-m limit" match for the passed LIMIT/BURST
|
||||
#
|
||||
sub do_ratelimit( $ ) {
|
||||
my $rate = $_[0];
|
||||
sub do_ratelimit( $$ ) {
|
||||
my ( $rate, $action ) = @_;
|
||||
|
||||
return '' unless $rate and $rate ne '-';
|
||||
|
||||
fatal_error "Rate Limiting not available with DROP" if $action eq 'DROP';
|
||||
|
||||
if ( $rate =~ /^([^:]+):([^:]+)$/ ) {
|
||||
"-m limit --limit $1 --limit-burst $2 ";
|
||||
} else {
|
||||
|
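Review bot: The new `fatal_error "Rate Limiting not available with DROP" if $action eq 'DROP';` compares `$action` without a definedness check, even though this same commit adds `defined $level &&` in createactionchain; a caller that forwards an undefined action (process_action3 passes its `$action` through unchanged) would get an uninitialized-value warning under `use warnings` instead of a clean outcome, so `fatal_error "Rate Limiting not available with DROP" if defined $action && $action eq 'DROP';` is safer. The check is also an exact match on `DROP` only: if the motivation is that a `-m limit` match on a DROP rule drops only packets within the limit and lets the excess fall through to later rules, then a rate-limited REJECT has the same failure mode and should presumably be refused too — this is inferred from the commit title, not from visible code, so please confirm. The header comment no longer describes the sub: it should mention the second parameter and the failure, e.g. `# Create a "-m limit" match for the passed LIMIT/BURST. $action is the rule's target; DROP is refused with fatal_error because a limited DROP would pass excess traffic.` The sub's closing brace lies outside this hunk.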
@ -962,7 +962,7 @@ sub process_rule1 ( $$$$$$$$$$ ) {
|
||||
#
|
||||
# Generate Fixed part of the rule
|
||||
#
|
||||
$rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit ) , do_user( $user ) , do_test( $mark , 0xFF ) );
|
||||
$rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) );
|
||||
|
||||
#
|
||||
# Generate NAT rule(s), if any
|
||||
@ -1044,7 +1044,7 @@ sub process_rule1 ( $$$$$$$$$$ ) {
|
||||
# - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
|
||||
#
|
||||
unless ( $actiontype & NATONLY ) {
|
||||
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user );
|
||||
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user );
|
||||
$loglevel = '';
|
||||
$dest = $server;
|
||||
$action = 'ACCEPT';
|
||||
|
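Review bot: The NAT path passes the literal `'ACCEPT'` to do_ratelimit while `$action = 'ACCEPT'` is assigned only four lines later, so the two can silently diverge if either is edited; if nothing between them reads the old `$action`, moving `$action = 'ACCEPT';` above the `join` and writing `do_ratelimit( $ratelimit, $action )` keeps a single source of truth. A short comment such as `# NAT rules are always ACCEPTed in the filter table, so the DROP restriction in do_ratelimit does not apply here` would make clear why the user's target is deliberately not passed. process_rule1 begins and ends outside this hunk.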