diff --git a/Shorewall/Limit b/Shorewall/Limit
deleted file mode 100644
index ac322a7b2..000000000
--- a/Shorewall/Limit
+++ /dev/null
@@ -1,22 +0,0 @@
-#
-# Shorewall version 3.2 -- Extension Script to create Limit action.
-#
-# /usr/share/shorewall/Limit
-##############################################################################
-
-set -- $(separate_list $TAG)
-
-[ $# -eq 3 ] || fatal_error "Rule must include ,, as the log tag"
-
-run_iptables -A $CHAIN -m recent --name $1 --set
-
-if [ -n "$LEVEL" ]; then
- run_iptables -N $CHAIN%
- log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A
- run_iptables -A $CHAIN% -j DROP
- run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN%
-else
- run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
-fi
-
-run_iptables -A $CHAIN -j ACCEPT
diff --git a/Shorewall/action.Limit b/Shorewall/action.Limit
deleted file mode 100644
index 350a27999..000000000
--- a/Shorewall/action.Limit
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Shorewall version 3.2 - Limit Action
-#
-# /usr/share/shorewall/action.Limit
-#
-# Invoke this action as follows:
-#
-# Limit::,,
-#
-# Where:
-#
-# = none, if you don't want rejected packets dropped
-# = A log level otherwise.
-# = The name you want to assign to the
-# 'recent set' that tracks this rate
-# / = The rate at which you are willing to accept
-# connections
-# Example:
-# Limit:info:SSHA,3,60 Logs at the info level, uses a recent set
-# named "SSHA" and accepts connections at a
-# maximum rate of 3/minute.
-#
-###############################################################################
-#TARGET SOURCE DEST PROTO DPORT SPORT
-#
-# This action has no rules. It is created entirely by the Limit extension
-# script /usr/share/shorewall/Limit
-#
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index e12e1c2c3..de93d89f8 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -20,10 +20,11 @@
 # allowinUPnP # Allow UPnP inbound (to firewall) traffic
 # forwardUPnP # Allow traffic that upnpd has redirected from
 # # 'upnp' interfaces.
+# Limit # Limit the rate of connections from each individual
+# # IP address
 #
 ###############################################################################
 #ACTION
 Drop # Default Action for DROP policy
 Reject # Default Action for REJECT policy
-Limit # Limit the rate of connections from each individual IP
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Shorewall/compiler b/Shorewall/compiler
index e5dac7d19..14d0e6861 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -1256,7 +1256,7 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
 # Define the builtin actions. They are available even when USE_ACTIONS=No
 #
 define_builtin_actions() {
- ACTIONS="dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
+ ACTIONS="dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP Limit"
 USEDACTIONS=
 }
@@ -1495,6 +1495,24 @@ __EOF__
 log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
 run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
 ;;
+ Limit)
+ set -- $(separate_list $xtag)
+
+ [ $# -eq 3 ] || fatal_error "Rule must include ,, as the log tag"
+
+ run_iptables -A $xchain -m recent --name $1 --set
+
+ if [ -n "$xlevel" ]; then
+ run_iptables -N $xchain%
+ log_rule_limit $xlevel $xchain% $1 DROP "" "" -A
+ run_iptables -A $xchain% -j DROP
+ run_iptables -A $xchain -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $xchain%
+ else
+ run_iptables -A $xchain -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
+ fi
+
+ run_iptables -A $xchain -j ACCEPT
+ ;;
 *)
 #
 # Not a builtin
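Review bot: The `Limit)` arm validates only the field count after `set -- $(separate_list $xtag)`; `$2` is then evaluated in `$(( $2 + 1 ))` and `$3` is passed to `--seconds`, so an empty or non-numeric rate or interval surfaces as a bash arithmetic error or an iptables failure when the generated script runs rather than as a compile-time diagnostic. Since `fatal_error` is already used for the count check, extend it to the values, e.g. `case "$2$3" in *[!0-9]*|'') fatal_error "Limit: rate and interval must be positive integers: $xtag" ;; esac` immediately after the count check (a zero interval should probably be rejected as well). The message `Rule must include ,, as the log tag` looks as if its field placeholders were lost — presumably angle-bracketed names stripped in rendering — and if the source really reads that way it should spell out the three fields so the diagnostic is actionable. A hitcount larger than the `recent` match's `ip_pkt_list_tot` module parameter allows (20 by default) is refused by the kernel, so either bounding `$2` here or documenting that limit where the action's usage is described would avoid a confusing run-time failure. The enclosing `case` statement begins and ends outside the hunk.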
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 0f1393fec..c5b8a21e2 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -637,9 +637,6 @@ for f in action.* ; do
 echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
 done
-install_file Limit ${PREFIX}/usr/share/shorewall/Limit 0644
-echo "Limit action extension script installed as ${PREFIX}/usr/share/shorewall/Limit"
-#
 # Install the Macro files
 #
 for f in macro.* ; do
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index 0184b47ad..8094396ac 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -107,14 +107,12 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/version
 %attr(0644,root,root) /usr/share/shorewall/actions.std
 %attr(0644,root,root) /usr/share/shorewall/action.Drop
-%attr(0644,root,root) /usr/share/shorewall/action.Limit
 %attr(0644,root,root) /usr/share/shorewall/action.Reject
 %attr(0644,root,root) /usr/share/shorewall/action.template
 %attr(0555,root,root) /usr/share/shorewall/compiler
 %attr(0444,root,root) /usr/share/shorewall/functions
 %attr(0555,root,root) /usr/share/shorewall/firewall
 %attr(0555,root,root) /usr/share/shorewall/help
-%attr(0644,root,root) /usr/share/shorewall/Limit
 %attr(0444,root,root) /usr/share/shorewall/lib.accounting
 %attr(0444,root,root) /usr/share/shorewall/lib.dynamiczones
 %attr(0444,root,root) /usr/share/shorewall/lib.maclist