Rate Limiting in Rules - Part 7

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@711 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-16 03:10:39 +01:00 · 2003-08-13 21:31:02 +00:00 · 2003-08-13 21:31:02 +00:00 · d55bcfca0b
commit d55bcfca0b
parent fe4a195b91
3 changed files with 24 additions and 8 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -45,3 +45,5 @@ Changes since 1.4.6
 20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist.

 21) Rate-limited rules added.
+
+22) Make burst optional in rate limited rules and policies.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -1466,13 +1466,18 @@ setup_syn_flood_chain ()
 	# $2 = synparams
 {
    local chain=$1
-    local limit=${2%:*}
-    local limit_burst=${2#*:}
+    local limit=$2
+    local limit_burst=
+
+    case $limit in
+	*:*)
+	    limit_burst="--limit-burst ${limit#*:}"
+	    limit=${limit%:*}
+	    ;;
+    esac

    run_iptables -N @$chain
-    run_iptables -A @$chain \
-	-m limit --limit $limit --limit-burst $limit_burst \
-	-j RETURN
+    run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN
    run_iptables -A @$chain -j DROP
 }

@ -2454,7 +2459,14 @@ process_rule() # $1 = target
 	ratelimit="${ratelimit%>*}"
 	target="${target%<*}${target#*>}"
 	expandv ratelimit
-	ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
+	case $ratelimit in
+	    *:*)
+		ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
+		;;
+	    *)
+		ratelimit="-m limit --limit $ratelimit"
+		;;
+	esac
    fi

    # Isolate log level
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -261,13 +261,14 @@ New Features:
   To specify a rate limit, follow ACCEPT, DNAT[-], REDIRECT[-] or LOG
   with

-      < <rate>/<interval>:<burst> >
+      < <rate>/<interval>[:<burst>] >

   where

      <rate> is the sustained rate per <interval>
      <interval> is "sec" or "min"
-      <burst> is the largest burst accepted within an <interval>
+      <burst> is the largest burst accepted within an <interval>. If
+              not given, the default of 5 is assumed.

   There may be no white space between the ACTION and "<" nor there may
   be any white space within the burst specification. If you want to
@ -292,4 +293,5 @@ New Features:
   zones individually rather than as a single limit for all pairs of
   zones covered by the rule.

+