From e598dc77b79044f2d4a2c69ae44be2aee433da4d Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 29 Jul 2010 16:50:17 -0700 Subject: [PATCH] Correct/improve LOGLIMIT handling --- Shorewall/Perl/Shorewall/Config.pm | 58 +++++++++++++++++++----------- 1 file changed, 38 insertions(+), 20 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index a6d47a800..dda49858e 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -2850,33 +2850,51 @@ sub get_configuration( $ ) { $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH'; if ( my $rate = $config{LOGLIMIT} ) { - require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's'; + my $limit; - my $limit = "-m hashlimit "; - my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto'; - my $units; + if ( $rate =~ /^[sd]:/ ) { + require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's'; - if ( $rate =~ /^[sd]:(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) { - $limit .= "--hashlimit $1 --hashlimit-burst $4 --hashlimit-name lograte --hashlimit-mode "; - $units = $3; - } elsif ( $rate =~ /^[sd]:(\d+(\/(sec|min|hour|day))?)$/ ) { - $limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode "; - $units = $3; - } else { - fatal_error "Invalid rate ($rate)"; - } + $limit = "-m hashlimit "; - $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip '; + my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto'; + my $units; - if ( $units && $units ne 'sec' ) { - my $expire = 60000; # 1 minute in milliseconds + if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) { + fatal_error "Invalid rate ($1)" unless $2; + fatal_error "Invalid burst value ($5)" unless $5; - if ( $units ne 'min' ) { - $expire *= 60; #At least an hour - $expire *= 24 if $units eq 'day'; + $limit .= "--hashlimit $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode "; + $units = $4; + } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) { + fatal_error "Invalid rate ($1)" unless $2; + $limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode "; + $units = $4; + } else { + fatal_error "Invalid rate ($rate)"; } - $limit .= "--hashlimit-htable-expire $expire "; + $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip '; + + if ( $units && $units ne 'sec' ) { + my $expire = 60000; # 1 minute in milliseconds + + if ( $units ne 'min' ) { + $expire *= 60; #At least an hour + $expire *= 24 if $units eq 'day'; + } + + $limit .= "--hashlimit-htable-expire $expire "; + } + } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) { + fatal_error "Invalid rate ($1)" unless $2; + fatal_error "Invalid burst value ($5)" unless $5; + $limit = "-m limit --limit $1 --limit-burst $5 "; + } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ ) { + fatal_error "Invalid rate (${1}${2})" unless $1; + $limit = "-m limit --limit $rate "; + } else { + fatal_error "Invalid rate ($rate)"; } $globals{LOGLIMIT} = $limit;