mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-26 08:08:59 +01:00
53495ec0a8
Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>
71 lines
2.4 KiB
Plaintext
71 lines
2.4 KiB
Plaintext
#
|
|
# Shorewall -- /usr/share/shorewall/action.Limit
|
|
#
|
|
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
|
#
|
|
# (c) 2017 Tom Eastep (teastep@shorewall.net)
|
|
#
|
|
# Complete documentation is available at http://shorewall.org
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of Version 2 of the GNU General Public License
|
|
# as published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
#
|
|
# Limit(<recent-set>,<num-connections>,<timeout>)
|
|
#
|
|
###############################################################################
|
|
|
|
DEFAULTS -,-,-
|
|
|
|
?begin perl
|
|
|
|
use strict;
|
|
use Shorewall::Config;
|
|
use Shorewall::Chains;
|
|
|
|
my $chainref = get_action_chain;
|
|
my @param = get_action_params(3);
|
|
my ( $level, $tag ) = get_action_logging;
|
|
|
|
@param = split( ',', $tag ), $tag = $param[0] unless supplied( join '', @param );
|
|
|
|
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag or as parameters' unless @param == 3;
|
|
|
|
my $set = $param[0];
|
|
|
|
for ( @param[1,2] ) {
|
|
fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
|
|
}
|
|
|
|
my $count = $param[1] + 1;
|
|
|
|
require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
|
|
|
|
warning_message "The Limit action is deprecated in favor of per-IP rate limiting using the RATE LIMIT column";
|
|
|
|
add_irule $chainref, recent => "--name $set --set";
|
|
|
|
if ( $level ne '' ) {
|
|
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
|
log_irule_limit( $level, $xchainref, '', 'DROP', [], $tag, 'add' , '' );
|
|
add_ijump $xchainref, j => 'DROP';
|
|
add_ijump $chainref, j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
|
|
} else {
|
|
add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
|
|
}
|
|
|
|
add_ijump $chainref, j => 'ACCEPT';
|
|
|
|
1;
|
|
|
|
?end perl
|