Correct/improve LOGLIMIT handling

Shorewall/Perl/Shorewall/Config.pm

@@ -2850,18 +2850,26 @@ sub get_configuration( $ ) {
     $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
 
     if ( my $rate = $config{LOGLIMIT} ) {
+	my $limit;
+
+	if ( $rate =~ /^[sd]:/ ) {
 	    require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's';
 
-	my $limit = "-m hashlimit ";
+	    $limit = "-m hashlimit ";
+
 	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	    my $units;
 
-	if ( $rate =~ /^[sd]:(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
-	    $limit .= "--hashlimit $1 --hashlimit-burst $4 --hashlimit-name lograte --hashlimit-mode ";
-	    $units = $3;
-	} elsif ( $rate =~ /^[sd]:(\d+(\/(sec|min|hour|day))?)$/ ) {
+	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+		fatal_error "Invalid rate ($1)" unless $2;
+		fatal_error "Invalid burst value ($5)" unless $5;
+
+		$limit .= "--hashlimit $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
+		$units = $4;
+	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
+		fatal_error "Invalid rate ($1)" unless $2;
 		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
-	    $units = $3;
+		$units = $4;
 	    } else {
 		fatal_error "Invalid rate ($rate)";
 	    }
@@ -2878,6 +2886,16 @@ sub get_configuration( $ ) {
 		
 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
+	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+	    fatal_error "Invalid rate ($1)" unless $2;
+	    fatal_error "Invalid burst value ($5)" unless $5;
+	    $limit = "-m limit --limit $1 --limit-burst $5 ";
+	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+	    fatal_error "Invalid rate (${1}${2})" unless $1;
+	    $limit = "-m limit --limit $rate ";
+	} else {
+	    fatal_error "Invalid rate ($rate)";
+	}
 
 	$globals{LOGLIMIT} = $limit;