mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-27 08:39:00 +01:00
Add capability to detect old hashlimit syntax
This commit is contained in:
parent
428c3d1e4e
commit
d84458518e
@ -1531,12 +1531,14 @@ sub do_ratelimit( $$ ) {
|
||||
require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
|
||||
|
||||
my $limit = "-m hashlimit ";
|
||||
my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
|
||||
|
||||
if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
|
||||
$limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
|
||||
$limit .= $2 ? $2 : 'shorewall';
|
||||
$limit .= ' --hashlimit-mode ';
|
||||
} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
|
||||
$limit .= "--hashlimit-upto $3 --hashlimit-name ";
|
||||
$limit .= "--$match $3 --hashlimit-name ";
|
||||
$limit .= $2 ? $2 : 'shorewall';
|
||||
$limit .= ' --hashlimit-mode ';
|
||||
} else {
|
||||
|
@ -242,6 +242,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
LOGMARK_TARGET => 'LOGMARK Target',
|
||||
IPMARK_TARGET => 'IPMARK Target',
|
||||
PERSISTENT_SNAT => 'Persistent SNAT',
|
||||
OLD_HL_MATCH => 'Old Hash Limit Match',
|
||||
CAPVERSION => 'Capability Version',
|
||||
);
|
||||
#
|
||||
@ -328,7 +329,7 @@ sub initialize( $ ) {
|
||||
EXPORT => 0,
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.2",
|
||||
CAPVERSION => 40401 ,
|
||||
CAPVERSION => 40402 ,
|
||||
);
|
||||
|
||||
#
|
||||
@ -566,7 +567,7 @@ sub initialize( $ ) {
|
||||
NONE => '',
|
||||
NFLOG => 'NFLOG',
|
||||
LOGMARK => 'LOGMARK' );
|
||||
}
|
||||
}
|
||||
#
|
||||
# From parsing the capabilities file
|
||||
#
|
||||
@ -614,6 +615,7 @@ sub initialize( $ ) {
|
||||
IPMARK_TARGET => undef,
|
||||
LOG_TARGET => 1, # Assume that we have it.
|
||||
PERSISTENT_SNAT => undef,
|
||||
OLD_HL_MATCH => undef,
|
||||
CAPVERSION => undef,
|
||||
);
|
||||
#
|
||||
@ -2027,6 +2029,15 @@ sub determine_capabilities( $ ) {
|
||||
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
|
||||
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
|
||||
|
||||
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
|
||||
|
||||
if ( $capabilities{HASHLIMIT_MATCH} ) {
|
||||
$capabilities{OLD_HL_MATCH} = '';
|
||||
} else {
|
||||
$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
|
||||
$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
|
||||
}
|
||||
|
||||
if ( $capabilities{MANGLE_ENABLED} ) {
|
||||
qt1( "$iptables -t mangle -N $sillyname" );
|
||||
|
||||
@ -2071,7 +2082,6 @@ sub determine_capabilities( $ ) {
|
||||
$capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
||||
$capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
||||
$capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
||||
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
|
||||
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
|
||||
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
|
||||
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
|
||||
|
@ -30,7 +30,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40000
|
||||
SHOREWALL_CAPVERSION=40401
|
||||
SHOREWALL_CAPVERSION=40402
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||
@ -945,7 +945,11 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
||||
qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
|
||||
qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
|
||||
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
|
||||
qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
|
||||
if [ -z "$HASHLIMIT_MATCH" ]; then
|
||||
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
|
||||
HASHLIMIT_MATCH=$OLD_HL_MATCH
|
||||
fi
|
||||
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
||||
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
||||
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
|
||||
@ -1011,6 +1015,7 @@ report_capabilities() {
|
||||
report_capability "Address Type Match" $ADDRTYPE
|
||||
report_capability "TCPMSS Match" $TCPMSS_MATCH
|
||||
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
|
||||
report_capability "Old Hashlimit Match" $OLD_HL_MATCH
|
||||
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
|
||||
report_capability "Realm Match" $REALM_MATCH
|
||||
report_capability "Helper Match" $HELPER_MATCH
|
||||
@ -1069,6 +1074,7 @@ report_capabilities1() {
|
||||
report_capability1 ADDRTYPE
|
||||
report_capability1 TCPMSS_MATCH
|
||||
report_capability1 HASHLIMIT_MATCH
|
||||
report_capability1 OLD_HL_MATCH
|
||||
report_capability1 NFQUEUE_TARGET
|
||||
report_capability1 REALM_MATCH
|
||||
report_capability1 HELPER_MATCH
|
||||
|
@ -215,7 +215,10 @@ Shorewall 4.4.2
|
||||
correctly with no PATH.
|
||||
|
||||
8) The new per-IP LIMIT feature now works with ancient iptables
|
||||
releases (e.g., 1.3.5 as found on RHEL 5).
|
||||
releases (e.g., 1.3.5 as found on RHEL 5). This change required
|
||||
testing for an additional capability which means that those who use
|
||||
a capabilities file should regenerate that file after installing
|
||||
4.4.2.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
K N O W N P R O B L E M S R E M A I N I N G
|
||||
|
@ -33,7 +33,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40300
|
||||
SHOREWALL_CAPVERSION=40401
|
||||
SHOREWALL_CAPVERSION=40402
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||
@ -853,7 +853,11 @@ determine_capabilities() {
|
||||
qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
||||
qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
|
||||
qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
|
||||
qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
|
||||
qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
|
||||
if [ -z "$HASHLIMIT_MATCH" ]; then
|
||||
qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
|
||||
HASHLIMIT_MATCH=$OLD_HL_MATCH
|
||||
fi
|
||||
qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
||||
qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
||||
qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
|
||||
@ -917,6 +921,7 @@ report_capabilities() {
|
||||
report_capability "Address Type Match" $ADDRTYPE
|
||||
report_capability "TCPMSS Match" $TCPMSS_MATCH
|
||||
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
|
||||
report_capability "Old Hashlimit Match" $OLD_HL_MATCH
|
||||
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
|
||||
report_capability "Realm Match" $REALM_MATCH
|
||||
report_capability "Helper Match" $HELPER_MATCH
|
||||
@ -972,6 +977,7 @@ report_capabilities1() {
|
||||
report_capability1 ADDRTYPE
|
||||
report_capability1 TCPMSS_MATCH
|
||||
report_capability1 HASHLIMIT_MATCH
|
||||
report_capability1 OLD_HL_MATCH
|
||||
report_capability1 NFQUEUE_TARGET
|
||||
report_capability1 REALM_MATCH
|
||||
report_capability1 HELPER_MATCH
|
||||
|
Loading…
Reference in New Issue
Block a user