extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-21 02:08:48 +02:00
Code Issues Packages Projects Releases Wiki Activity

Rate Limiting in Rules - Part 3

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@707 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-08-13 18:48:28 +00:00
parent ec4c44a162
commit e454c7fe73
4 changed files with 41 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -43,3 +43,5 @@ Changes since 1.4.6
"shorewall monitor". "shorewall monitor".
20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist. 20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist.
21) Rate-limited rules added.

2
Shorewall/firewall
View File

@ -2510,7 +2510,7 @@ process_rule() # $1 = target
servers="$FW::$servers" servers="$FW::$servers"
fi fi
;; ;;
ACCEPT) ACCEPT|LOG)
;; ;;
*) *)
[ -n "$ratelimit" ] && fatal_error \ [ -n "$ratelimit" ] && fatal_error \

37
Shorewall/releasenotes.txt
View File

@ -249,3 +249,40 @@ New Features:
8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist. 8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist.
9) ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and
REDIRECT rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate
limited. If you want to limit the filter table rule, you will need
to create two rules; a DNAT- rule and an ACCEPT rule which can be
rate-limited separately.
To specify a rate limit, follow ACCEPT, DNAT[-], REDIRECT[-] or LOG
with
< <rate>/<interval>:<burst> >
where
<rate> is the sustained rate per <interval>
<interval> is "sec" or "min"
<burst> is the largest burst accepted within an <interval>
There may be no white space between the ACTION and "<" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the ">" (e.g., ACCEPT<2/sec:4>:info ).
Let's take an example:
ACCEPT<2/sec:4> net dmz tcp 80
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be
accepted. After this, it will be 500ms (1 second divided by the rate
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged;
back where we started.

2
Shorewall/rules
View File

@ -48,7 +48,7 @@
# LOG -- Simply log the packet and continue. # LOG -- Simply log the packet and continue.
# #
# You may rate-limit the rule by optionally # You may rate-limit the rule by optionally
# following ACCEPT,DNAT[-] or REDIRECT[-] with # following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
# #
# < <rate>/<interval>:<burst> > # < <rate>/<interval>:<burst> >
# #