Make Limit a builtin Action
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4488 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
cf8cc1a899
commit
d96767b50a
@ -1,22 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall version 3.2 -- Extension Script to create Limit action.
|
|
||||||
#
|
|
||||||
# /usr/share/shorewall/Limit
|
|
||||||
##############################################################################
|
|
||||||
|
|
||||||
set -- $(separate_list $TAG)
|
|
||||||
|
|
||||||
[ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag"
|
|
||||||
|
|
||||||
run_iptables -A $CHAIN -m recent --name $1 --set
|
|
||||||
|
|
||||||
if [ -n "$LEVEL" ]; then
|
|
||||||
run_iptables -N $CHAIN%
|
|
||||||
log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A
|
|
||||||
run_iptables -A $CHAIN% -j DROP
|
|
||||||
run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN%
|
|
||||||
else
|
|
||||||
run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
|
|
||||||
fi
|
|
||||||
|
|
||||||
run_iptables -A $CHAIN -j ACCEPT
|
|
@ -1,29 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall version 3.2 - Limit Action
|
|
||||||
#
|
|
||||||
# /usr/share/shorewall/action.Limit
|
|
||||||
#
|
|
||||||
# Invoke this action as follows:
|
|
||||||
#
|
|
||||||
# Limit:<log level>:<set name>,<count>,<seconds>
|
|
||||||
#
|
|
||||||
# Where:
|
|
||||||
#
|
|
||||||
# <log level> = none, if you don't want rejected packets dropped
|
|
||||||
# = A log level otherwise.
|
|
||||||
# <set name> = The name you want to assign to the
|
|
||||||
# 'recent set' that tracks this rate
|
|
||||||
# <count>/<seconds> = The rate at which you are willing to accept
|
|
||||||
# connections
|
|
||||||
# Example:
|
|
||||||
# Limit:info:SSHA,3,60 Logs at the info level, uses a recent set
|
|
||||||
# named "SSHA" and accepts connections at a
|
|
||||||
# maximum rate of 3/minute.
|
|
||||||
#
|
|
||||||
###############################################################################
|
|
||||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
|
||||||
#
|
|
||||||
# This action has no rules. It is created entirely by the Limit extension
|
|
||||||
# script /usr/share/shorewall/Limit
|
|
||||||
#
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
@ -20,10 +20,11 @@
|
|||||||
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
||||||
# forwardUPnP # Allow traffic that upnpd has redirected from
|
# forwardUPnP # Allow traffic that upnpd has redirected from
|
||||||
# # 'upnp' interfaces.
|
# # 'upnp' interfaces.
|
||||||
|
# Limit # Limit the rate of connections from each individual
|
||||||
|
# # IP address
|
||||||
#
|
#
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ACTION
|
#ACTION
|
||||||
Drop # Default Action for DROP policy
|
Drop # Default Action for DROP policy
|
||||||
Reject # Default Action for REJECT policy
|
Reject # Default Action for REJECT policy
|
||||||
Limit # Limit the rate of connections from each individual IP
|
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
|
@ -1256,7 +1256,7 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
|||||||
# Define the builtin actions. They are available even when USE_ACTIONS=No
|
# Define the builtin actions. They are available even when USE_ACTIONS=No
|
||||||
#
|
#
|
||||||
define_builtin_actions() {
|
define_builtin_actions() {
|
||||||
ACTIONS="dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP"
|
ACTIONS="dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP allowoutUPnP forwardUPnP Limit"
|
||||||
|
|
||||||
USEDACTIONS=
|
USEDACTIONS=
|
||||||
}
|
}
|
||||||
@ -1495,6 +1495,24 @@ __EOF__
|
|||||||
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
|
log_rule_limit ${xlevel%\!} $xchain allowoutUPnP ACCEPT "" "$xtag" -A -m owner --owner-cmd upnpd
|
||||||
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
|
run_iptables -A $xchain -m owner --cmd-owner upnpd -j ACCEPT
|
||||||
;;
|
;;
|
||||||
|
Limit)
|
||||||
|
set -- $(separate_list $xtag)
|
||||||
|
|
||||||
|
[ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag"
|
||||||
|
|
||||||
|
run_iptables -A $xchain -m recent --name $1 --set
|
||||||
|
|
||||||
|
if [ -n "$xlevel" ]; then
|
||||||
|
run_iptables -N $xchain%
|
||||||
|
log_rule_limit $xlevel $xchain% $1 DROP "" "" -A
|
||||||
|
run_iptables -A $xchain% -j DROP
|
||||||
|
run_iptables -A $xchain -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $xchain%
|
||||||
|
else
|
||||||
|
run_iptables -A $xchain -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
|
||||||
|
fi
|
||||||
|
|
||||||
|
run_iptables -A $xchain -j ACCEPT
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
#
|
#
|
||||||
# Not a builtin
|
# Not a builtin
|
||||||
|
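Review bot: The new `Limit)` branch validates only the field count (`[ $# -eq 3 ]`), so `<max connections>` and `<interval>` reach `$(( $2 + 1 ))` and `--seconds $3` unchecked; in shell arithmetic a non-numeric `$2` such as `many` is read as a variable name and (when unset) evaluates to 0, so `Limit:info:SSH,many,60` silently compiles to `--hitcount 1` and drops every tracked connection, while a bad `$3` only fails later when iptables loads the rule. Add a digits check right after the count test, e.g. `case $2 in *[!0-9]*|"") fatal_error "Limit: <max connections> must be a positive integer" ;; esac` and the same for `$3` as `<interval>`. Separately, the sibling builtin in the context above strips a trailing `!` from the level with `${xlevel%\!}` before calling `log_rule_limit`, but this branch passes `$xlevel` raw on the `log_rule_limit $xlevel $xchain% $1 DROP "" "" -A` line, so a level written `info!` is handed through unchanged; use `${xlevel%\!}` here for consistency. The xt_recent module also presumably caps `--hitcount` (its `ip_pkt_list_tot` parameter, historically 20), so very large `<max connections>` values would be rejected at load time rather than by the compiler — worth a sentence in the Limit documentation. The enclosing `case` and function start before this hunk.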
@ -637,9 +637,6 @@ for f in action.* ; do
|
|||||||
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
|
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
|
||||||
done
|
done
|
||||||
|
|
||||||
install_file Limit ${PREFIX}/usr/share/shorewall/Limit 0644
|
|
||||||
echo "Limit action extension script installed as ${PREFIX}/usr/share/shorewall/Limit"
|
|
||||||
#
|
|
||||||
# Install the Macro files
|
# Install the Macro files
|
||||||
#
|
#
|
||||||
for f in macro.* ; do
|
for f in macro.* ; do
|
||||||
|
@ -107,14 +107,12 @@ fi
|
|||||||
%attr(0644,root,root) /usr/share/shorewall/version
|
%attr(0644,root,root) /usr/share/shorewall/version
|
||||||
%attr(0644,root,root) /usr/share/shorewall/actions.std
|
%attr(0644,root,root) /usr/share/shorewall/actions.std
|
||||||
%attr(0644,root,root) /usr/share/shorewall/action.Drop
|
%attr(0644,root,root) /usr/share/shorewall/action.Drop
|
||||||
%attr(0644,root,root) /usr/share/shorewall/action.Limit
|
|
||||||
%attr(0644,root,root) /usr/share/shorewall/action.Reject
|
%attr(0644,root,root) /usr/share/shorewall/action.Reject
|
||||||
%attr(0644,root,root) /usr/share/shorewall/action.template
|
%attr(0644,root,root) /usr/share/shorewall/action.template
|
||||||
%attr(0555,root,root) /usr/share/shorewall/compiler
|
%attr(0555,root,root) /usr/share/shorewall/compiler
|
||||||
%attr(0444,root,root) /usr/share/shorewall/functions
|
%attr(0444,root,root) /usr/share/shorewall/functions
|
||||||
%attr(0555,root,root) /usr/share/shorewall/firewall
|
%attr(0555,root,root) /usr/share/shorewall/firewall
|
||||||
%attr(0555,root,root) /usr/share/shorewall/help
|
%attr(0555,root,root) /usr/share/shorewall/help
|
||||||
%attr(0644,root,root) /usr/share/shorewall/Limit
|
|
||||||
%attr(0444,root,root) /usr/share/shorewall/lib.accounting
|
%attr(0444,root,root) /usr/share/shorewall/lib.accounting
|
||||||
%attr(0444,root,root) /usr/share/shorewall/lib.dynamiczones
|
%attr(0444,root,root) /usr/share/shorewall/lib.dynamiczones
|
||||||
%attr(0444,root,root) /usr/share/shorewall/lib.maclist
|
%attr(0444,root,root) /usr/share/shorewall/lib.maclist
|
||||||
|