mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-21 02:08:48 +02:00
Rate Limiting in Rules - Part 3
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@707 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
ec4c44a162
commit
e454c7fe73
@ -43,3 +43,5 @@ Changes since 1.4.6
"shorewall monitor".
"shorewall monitor".
20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist.
20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist.
21) Rate-limited rules added.
@ -2510,7 +2510,7 @@ process_rule() # $1 = target
servers="$FW::$servers"
servers="$FW::$servers"
fi
fi
;;
;;
ACCEPT)
ACCEPT|LOG)
;;
;;
*)
*)
[ -n "$ratelimit" ] && fatal_error \
[ -n "$ratelimit" ] && fatal_error \
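Review bot: the new `ACCEPT|LOG)` arm lets a LOG rule carry a rate limit past the `*)` check (`[ -n "$ratelimit" ] && fatal_error`), but nothing in this hunk shows the LOG code path consuming `$ratelimit`; confirm that the rule emitted for LOG actually applies the limit, otherwise a `LOG<2/sec:4>` entry would pass the parser and log at full rate. A short comment next to `ACCEPT|LOG)` explaining why these are the only filter-table targets permitted with a limit would also help the next reader of this case statement.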
@ -249,3 +249,40 @@ New Features:
8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist.
8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist.
9) ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and
REDIRECT rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate
limited. If you want to limit the filter table rule, you will need
to create two rules; a DNAT- rule and an ACCEPT rule which can be
rate-limited separately.
To specify a rate limit, follow ACCEPT, DNAT[-], REDIRECT[-] or LOG
with
< <rate>/<interval>:<burst> >
where
<rate> is the sustained rate per <interval>
<interval> is "sec" or "min"
<burst> is the largest burst accepted within an <interval>
There may be no white space between the ACTION and "<" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the ">" (e.g., ACCEPT<2/sec:4>:info ).
Let's take an example:
ACCEPT<2/sec:4> net dmz tcp 80
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be
accepted. After this, it will be 500ms (1 second divided by the rate
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged;
back where we started.
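Review bot: in the syntax paragraph, "nor there may be any white space" should read "nor may there be any white space", and "if no packets hit the rule for 2 second" needs "seconds". The bucket walkthrough ("regardless of how many packets reach it") implies a single counter shared by every source matching the rule; say so explicitly, because a reader applying this to a public-facing ACCEPT rule may otherwise assume a per-source limit and be surprised when one busy client exhausts the budget for everyone. The DNAT/REDIRECT caveat (limit applied in the nat table, filter-table ACCEPT unlimited) is worth keeping; the recommended DNAT- plus ACCEPT pair could be shown as a two-line example next to `ACCEPT<2/sec:4> net dmz tcp 80`.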
@ -48,7 +48,7 @@
# LOG -- Simply log the packet and continue.
# LOG -- Simply log the packet and continue.
#
#
# You may rate-limit the rule by optionally
# You may rate-limit the rule by optionally
# following ACCEPT,DNAT[-] or REDIRECT[-] with
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
#
# < <rate>/<interval>:<burst> >
# < <rate>/<interval>:<burst> >
#
#
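Review bot: the rules file comment now lists LOG among the rate-limitable targets but still stops at the `< <rate>/<interval>:<burst> >` form; add a line showing where a log level goes (`ACCEPT<2/sec:4>:info`, as item 9 of the release notes describes) and that no white space is allowed between the action and `<`, since the rules file header is where users will look first.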