extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-18 23:57:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Rate Limiting in Rules - Part 7

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@711 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-08-13 21:31:02 +00:00
parent fe4a195b91
commit d55bcfca0b
3 changed files with 24 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -45,3 +45,5 @@ Changes since 1.4.6
20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist. 20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist.
21) Rate-limited rules added. 21) Rate-limited rules added.
22) Make burst optional in rate limited rules and policies.

24
Shorewall/firewall
View File

@ -1466,13 +1466,18 @@ setup_syn_flood_chain ()
# $2 = synparams # $2 = synparams
{ {
local chain=$1 local chain=$1
local limit=${2%:*} local limit=$2
local limit_burst=${2#*:} local limit_burst=
case $limit in
*:*)
limit_burst="--limit-burst ${limit#*:}"
limit=${limit%:*}
;;
esac
run_iptables -N @$chain run_iptables -N @$chain
run_iptables -A @$chain \ run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN
-m limit --limit $limit --limit-burst $limit_burst \
-j RETURN
run_iptables -A @$chain -j DROP run_iptables -A @$chain -j DROP
} }
@ -2454,7 +2459,14 @@ process_rule() # $1 = target
ratelimit="${ratelimit%>*}" ratelimit="${ratelimit%>*}"
target="${target%<*}${target#*>}" target="${target%<*}${target#*>}"
expandv ratelimit expandv ratelimit
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" case $ratelimit in
*:*)
ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
;;
*)
ratelimit="-m limit --limit $ratelimit"
;;
esac
fi fi
# Isolate log level # Isolate log level

6
Shorewall/releasenotes.txt
View File

@ -261,13 +261,14 @@ New Features:
To specify a rate limit, follow ACCEPT, DNAT[-], REDIRECT[-] or LOG To specify a rate limit, follow ACCEPT, DNAT[-], REDIRECT[-] or LOG
with with
< <rate>/<interval>:<burst> > < <rate>/<interval>[:<burst>] >
where where
<rate> is the sustained rate per <interval> <rate> is the sustained rate per <interval>
<interval> is "sec" or "min" <interval> is "sec" or "min"
<burst> is the largest burst accepted within an <interval> <burst> is the largest burst accepted within an <interval>. If
not given, the default of 5 is assumed.
There may be no white space between the ACTION and "<" nor there may There may be no white space between the ACTION and "<" nor there may
be any white space within the burst specification. If you want to be any white space within the burst specification. If you want to
@ -292,4 +293,5 @@ New Features:
zones individually rather than as a single limit for all pairs of zones individually rather than as a single limit for all pairs of
zones covered by the rule. zones covered by the rule.