extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-26 01:23:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add capability to detect old hashlimit syntax

Browse Source
This commit is contained in:
Tom Eastep 2009-09-23 16:56:31 -04:00
parent 428c3d1e4e
commit d84458518e
5 changed files with 36 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -1531,12 +1531,14 @@ sub do_ratelimit( $$ ) {
require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
my $limit = "-m hashlimit ";
my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
$limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
$limit .= $2 ? $2 : 'shorewall';
$limit .= ' --hashlimit-mode ';
} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
$limit .= "--hashlimit-upto $3 --hashlimit-name ";
$limit .= "--$match $3 --hashlimit-name ";
$limit .= $2 ? $2 : 'shorewall';
$limit .= ' --hashlimit-mode ';
} else {

16
Shorewall/Perl/Shorewall/Config.pm
View File

@ -242,6 +242,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
LOGMARK_TARGET => 'LOGMARK Target',
IPMARK_TARGET => 'IPMARK Target',
PERSISTENT_SNAT => 'Persistent SNAT',
OLD_HL_MATCH => 'Old Hash Limit Match',
CAPVERSION => 'Capability Version',
);
#
@ -328,7 +329,7 @@ sub initialize( $ ) {
EXPORT => 0,
UNTRACKED => 0,
VERSION => "4.4.2",
CAPVERSION => 40401 ,
CAPVERSION => 40402 ,
);
#
@ -566,7 +567,7 @@ sub initialize( $ ) {
NONE => '',
NFLOG => 'NFLOG',
LOGMARK => 'LOGMARK' );
}
}
#
# From parsing the capabilities file
#
@ -614,6 +615,7 @@ sub initialize( $ ) {
IPMARK_TARGET => undef,
LOG_TARGET => 1, # Assume that we have it.
PERSISTENT_SNAT => undef,
OLD_HL_MATCH => undef,
CAPVERSION => undef,
);
#
@ -2027,6 +2029,15 @@ sub determine_capabilities( $ ) {
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
if ( $capabilities{HASHLIMIT_MATCH} ) {
$capabilities{OLD_HL_MATCH} = '';
} else {
$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
}
if ( $capabilities{MANGLE_ENABLED} ) {
qt1( "$iptables -t mangle -N $sillyname" );
@ -2071,7 +2082,6 @@ sub determine_capabilities( $ ) {
$capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
$capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
$capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );

10
Shorewall/lib.base
View File

@ -30,7 +30,7 @@
#
SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40401
SHOREWALL_CAPVERSION=40402
[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -945,7 +945,11 @@ determine_capabilities() {
qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
if [ -z "$HASHLIMIT_MATCH" ]; then
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
HASHLIMIT_MATCH=$OLD_HL_MATCH
fi
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@ -1011,6 +1015,7 @@ report_capabilities() {
report_capability "Address Type Match" $ADDRTYPE
report_capability "TCPMSS Match" $TCPMSS_MATCH
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
report_capability "Old Hashlimit Match" $OLD_HL_MATCH
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
report_capability "Realm Match" $REALM_MATCH
report_capability "Helper Match" $HELPER_MATCH
@ -1069,6 +1074,7 @@ report_capabilities1() {
report_capability1 ADDRTYPE
report_capability1 TCPMSS_MATCH
report_capability1 HASHLIMIT_MATCH
report_capability1 OLD_HL_MATCH
report_capability1 NFQUEUE_TARGET
report_capability1 REALM_MATCH
report_capability1 HELPER_MATCH

5
Shorewall/releasenotes.txt
View File

@ -215,7 +215,10 @@ Shorewall 4.4.2
correctly with no PATH.
8) The new per-IP LIMIT feature now works with ancient iptables
releases (e.g., 1.3.5 as found on RHEL 5).
releases (e.g., 1.3.5 as found on RHEL 5). This change required
testing for an additional capability which means that those who use
a capabilities file should regenerate that file after installing
4.4.2.
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G

10
Shorewall6/lib.base
View File

@ -33,7 +33,7 @@
#
SHOREWALL_LIBVERSION=40300
SHOREWALL_CAPVERSION=40401
SHOREWALL_CAPVERSION=40402
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@ -853,7 +853,11 @@ determine_capabilities() {
qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
if [ -z "$HASHLIMIT_MATCH" ]; then
qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
HASHLIMIT_MATCH=$OLD_HL_MATCH
fi
qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@ -917,6 +921,7 @@ report_capabilities() {
report_capability "Address Type Match" $ADDRTYPE
report_capability "TCPMSS Match" $TCPMSS_MATCH
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
report_capability "Old Hashlimit Match" $OLD_HL_MATCH
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
report_capability "Realm Match" $REALM_MATCH
report_capability "Helper Match" $HELPER_MATCH
@ -972,6 +977,7 @@ report_capabilities1() {
report_capability1 ADDRTYPE
report_capability1 TCPMSS_MATCH
report_capability1 HASHLIMIT_MATCH
report_capability1 OLD_HL_MATCH
report_capability1 NFQUEUE_TARGET
report_capability1 REALM_MATCH
report_capability1 HELPER_MATCH