diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 1dd112b02..8edadf45a 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -20,6 +20,8 @@ Changes in Shorewall 4.3.8 10) Fix LOG_MARTIANS=Yes. +11) Adapt I. Buijs's hashlimit patch. + Changes in Shorewall 4.3.7 1) Fix forward treatment of interface options. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index d8f8f4b3b..1255bbe58 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -30,6 +30,11 @@ released late in 2009. the compilation phase during start/restart if no configuration changes have occurred since the last start/restart. +7) The LIMIT:BURST column in /etc/shorewall/policy + (/etc/shorewall6/policy) and the RATE LIMIT column in + /etc/shorewall/rules (/etc/shorewall6/rules) may now be used to + limit on a per source IP or per destination IP basis. + ---------------------------------------------------------------------------- M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- @@ -140,6 +145,35 @@ None. In other words, you can compile the current configuration then install it at a later time. +7) Thanks to I. Buijs, it is now possible to rate-limit connections by + source IP or destination IP. The LIMIT:BURST column in + /etc/shorewall/policy (/etc/shorewall6/policy) and the RATE LIMIT + column /etc/shorewall/rules (/etc/shorewall6/rules) have been + extended as follows: + + [{s|d}:[[]:]]/{sec|min}[:] + + When s: is specified, the rate is per source IP address. + When d: is specified, the rate is per destination IP address. + The specifies the name of a hash table -- you get to choose + the name. If you don't specify a name, the name 'shorewall' is + assumed. Rules with the same name have their connection counts + aggregated and the individual rates are applied to the aggregate. + + Example: + + ACCEPT net fw tcp 22 - - s:ssh:3/min + + This will limit SSH connections from net->fw to 3 per minute. + + ACCEPT net fw tcp 25 - - s:mail:3/min + ACCEPT net fw tcp 587 - - s:mail:3/min + + Since the same hash table name is used in both rules, the above is + equivalent to this single rule: + + ACCEPT net fw tcp 25,587 - - s:mail:3/min + ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 3 ---------------------------------------------------------------------------- diff --git a/manpages/shorewall-policy.xml b/manpages/shorewall-policy.xml index 51fc15e96..02be84131 100644 --- a/manpages/shorewall-policy.xml +++ b/manpages/shorewall-policy.xml @@ -226,7 +226,9 @@ BURST:LIMIT - - rate/{s|d}:[[name]:]]]rate/{second|minute}:burst @@ -235,6 +237,16 @@ rate and the size of an acceptable burst. If not specified, TCP connections are not limited. + + When or is specified, + the rate applies per source IP address or per destination IP address + respectively. The name may be chosen by + the user and specifies a hash table to be used to count matching + connections. If not give, the name shorewall is assumed. Where more than one + POLICY specifies the same name, the connections counts for the + policies are aggregated and the individual rates apply to the + aggregated count. diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index 55097358e..f112b859a 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -922,7 +922,8 @@ RATE LIMIT (Optional) - - [-|rate-|[{s|d}:[[name]:]]]rate/{sec|min}[:burst] @@ -939,6 +940,18 @@ the specification. Example: 10/sec:20 + + When or is specified, + the rate applies per source IP address or per destination IP address + respectively. The name may be chosen by + the user and specifies a hash table to be used to count matching + connections. If not give, the name shorewall is assumed. Where more than one + rule specifies the same name, the connections counts for the + policies are aggregated and the individual rates apply to the + aggregated count. + + Example: s:ssh:3/min:5 diff --git a/manpages6/shorewall6-policy.xml b/manpages6/shorewall6-policy.xml index 42cdb3932..4061925c0 100644 --- a/manpages6/shorewall6-policy.xml +++ b/manpages6/shorewall6-policy.xml @@ -226,7 +226,9 @@ BURST:LIMIT - - rate/{s|d}:[[name]:]]]rate/{second|minute}:burst @@ -235,6 +237,16 @@ rate and the size of an acceptable burst. If not specified, TCP connections are not limited. + + When or is specified, + the rate applies per source IP address or per destination IP address + respectively. The name may be chosen by + the user and specifies a hash table to be used to count matching + connections. If not give, the name shorewall is assumed. Where more than one + POLICY specifies the same name, the connections counts for the + policies are aggregated and the individual rates apply to the + aggregated count. diff --git a/manpages6/shorewall6-rules.xml b/manpages6/shorewall6-rules.xml index 154249048..4a0d87dcd 100644 --- a/manpages6/shorewall6-rules.xml +++ b/manpages6/shorewall6-rules.xml @@ -665,7 +665,8 @@ RATE LIMIT (Optional) - - [-|rate-|[{s|d}:[[name]:]]]rate/{sec|min}[:burst] @@ -682,6 +683,16 @@ the specification. Example: 10/sec:20 + + When or is specified, + the rate applies per source IP address or per destination IP address + respectively. The name may be chosen by + the user and specifies a hash table to be used to count matching + connections. If not give, the name shorewall is assumed. Where more than one + POLICY specifies the same name, the connections counts for the + policies are aggregated and the individual rates apply to the + aggregated count.