Correct/improve LOGLIMIT handling

This commit is contained in:
Tom Eastep 2010-07-29 16:50:17 -07:00
parent d483725474
commit e598dc77b7

View File

@ -2850,33 +2850,51 @@ sub get_configuration( $ ) {
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH'; $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
if ( my $rate = $config{LOGLIMIT} ) { if ( my $rate = $config{LOGLIMIT} ) {
require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's'; my $limit;
my $limit = "-m hashlimit "; if ( $rate =~ /^[sd]:/ ) {
my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto'; require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's';
my $units;
if ( $rate =~ /^[sd]:(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) { $limit = "-m hashlimit ";
$limit .= "--hashlimit $1 --hashlimit-burst $4 --hashlimit-name lograte --hashlimit-mode ";
$units = $3;
} elsif ( $rate =~ /^[sd]:(\d+(\/(sec|min|hour|day))?)$/ ) {
$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
$units = $3;
} else {
fatal_error "Invalid rate ($rate)";
}
$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip '; my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
my $units;
if ( $units && $units ne 'sec' ) { if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
my $expire = 60000; # 1 minute in milliseconds fatal_error "Invalid rate ($1)" unless $2;
fatal_error "Invalid burst value ($5)" unless $5;
if ( $units ne 'min' ) { $limit .= "--hashlimit $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
$expire *= 60; #At least an hour $units = $4;
$expire *= 24 if $units eq 'day'; } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
fatal_error "Invalid rate ($1)" unless $2;
$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
$units = $4;
} else {
fatal_error "Invalid rate ($rate)";
} }
$limit .= "--hashlimit-htable-expire $expire "; $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
if ( $units && $units ne 'sec' ) {
my $expire = 60000; # 1 minute in milliseconds
if ( $units ne 'min' ) {
$expire *= 60; #At least an hour
$expire *= 24 if $units eq 'day';
}
$limit .= "--hashlimit-htable-expire $expire ";
}
} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
fatal_error "Invalid rate ($1)" unless $2;
fatal_error "Invalid burst value ($5)" unless $5;
$limit = "-m limit --limit $1 --limit-burst $5 ";
} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ ) {
fatal_error "Invalid rate (${1}${2})" unless $1;
$limit = "-m limit --limit $rate ";
} else {
fatal_error "Invalid rate ($rate)";
} }
$globals{LOGLIMIT} = $limit; $globals{LOGLIMIT} = $limit;