Finish CONNLIMIT
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8758 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
28cc9eec76
commit
35fd52c42b
@ -35,7 +35,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40000
|
||||
SHOREWALL_CAPVERSION=40190
|
||||
SHOREWALL_CAPVERSION=40200
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||
@ -1076,6 +1076,7 @@ determine_capabilities() {
|
||||
NFQUEUE_TARGET=
|
||||
REALM_MATCH=
|
||||
HELPER_MATCH=
|
||||
CONNLIMIT_MATCH=
|
||||
|
||||
chain=fooX$$
|
||||
|
||||
@ -1177,6 +1178,7 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
||||
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
||||
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
|
||||
qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
|
||||
|
||||
qt $IPTABLES -F $chain
|
||||
qt $IPTABLES -X $chain
|
||||
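Review bot: The new probe `qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes` is not the same rule as the compiler-side probe added in this commit, which runs `-m connlimit --connlimit-above 8` with no target. Both forms should succeed or fail together on any one iptables build, but the two detectors are meant to produce interchangeable capability files, so the probe text should be identical in both places — either drop `-j DROP` here or add it to the Perl `qt1()` call — so that a later edit to one cannot quietly diverge from the other. determine_capabilities() starts and ends outside this hunk.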
@ -1230,6 +1232,7 @@ report_capabilities() {
|
||||
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
|
||||
report_capability "Realm Match" $REALM_MATCH
|
||||
report_capability "Helper Match" $HELPER_MATCH
|
||||
report_capability "Connlimit Match" $CONNLIMIT_MATCH
|
||||
fi
|
||||
|
||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||
@ -1277,6 +1280,8 @@ report_capabilities1() {
|
||||
report_capability1 HASHLIMIT_MATCH
|
||||
report_capability1 NFQUEUE_TARGET
|
||||
report_capability1 REALM_MATCH
|
||||
report_capability1 HELPER_MATCH
|
||||
report_capability1 CONNLIMIT_MATCH
|
||||
|
||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
}
|
||||
|
@ -123,7 +123,12 @@ Other changes in Shorewall 4.2.1
|
||||
It is important to note that while the limit is only checked for
|
||||
those destinations specified in the DEST column, the number of
|
||||
current connections is calculated over all destinations and not
|
||||
just the destination specified in the DEST column.
|
||||
just the destination specified in the DEST column.
|
||||
|
||||
Use of this feature requires the connlimit match capability in your
|
||||
kernel and iptables. If you use a capabilities file when compiling
|
||||
your Shorewall configuration(s), then you need to regenerate the
|
||||
file using Shorewall or Shorewall-lite 4.2.1.
|
||||
|
||||
New Features in Shorewall 4.2.
|
||||
|
||||
|
@ -1278,11 +1278,13 @@ sub do_connlimit( $ ) {
|
||||
|
||||
return '' unless $limit and $limit ne '-';
|
||||
|
||||
require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
|
||||
|
||||
my $invert = $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
|
||||
|
||||
if ( $limit =~ /^(\d+):(\d+)$/ ) {
|
||||
fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;
|
||||
"-m connlimit ${invert}--connlimit-above $1 --connmask $2";
|
||||
"-m connlimit ${invert}--connlimit-above $1 --connlimit-mask $2 ";
|
||||
} elsif ( $limit =~ /^(\d+)$/ ) {
|
||||
"-m connlimit ${invert}--connlimit-above $limit ";
|
||||
} else {
|
||||
|
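Review bot: The mask check on the context line `fatal_error "Invalid Mask ($2)" unless $2 > 0 || $2 < 31;` can never fire: `$2` comes from `(\d+)` so it is never negative, and every non-negative integer satisfies `> 0 || < 31`, which means a value such as `10:99` is passed straight through as `--connlimit-mask 99` and only fails when iptables loads the ruleset. The condition needs a conjunction and an upper bound matching what connlimit accepts (a prefix length of at most 32 for IPv4), e.g. `fatal_error "Invalid Mask ($2)" unless $2 <= 32;` — confirm whether a mask of 0 is meant to be allowed and tighten the lower bound if not. Separately, `my $invert = $limit =~ s/^!// ? '' : '! ';` still accepts a leading `!`, while the manpage hunk in this same commit removes the `[!]` form and the paragraph describing it; either the code should stop accepting `!` or the documentation should keep it. do_connlimit's body starts and ends outside this hunk.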
@ -205,6 +205,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
NFQUEUE_TARGET => 'NFQUEUE Target',
|
||||
REALM_MATCH => 'Realm Match',
|
||||
HELPER_MATCH => 'Helper Match',
|
||||
CONNLIMIT_MATCH => 'Connlimit Match',
|
||||
CAPVERSION => 'Capability Version',
|
||||
);
|
||||
#
|
||||
@ -267,7 +268,7 @@ sub initialize() {
|
||||
LOGPARMS => '',
|
||||
TC_SCRIPT => '',
|
||||
VERSION => "4.2.0",
|
||||
CAPVERSION => 40190 ,
|
||||
CAPVERSION => 40200 ,
|
||||
);
|
||||
#
|
||||
# From shorewall.conf file
|
||||
@ -412,6 +413,7 @@ sub initialize() {
|
||||
NFQUEUE_TARGET => undef,
|
||||
REALM_MATCH => undef,
|
||||
HELPER_MATCH => undef,
|
||||
CONNLIMIT_MATCH => undef,
|
||||
CAPVERSION => undef,
|
||||
);
|
||||
#
|
||||
@ -1628,6 +1630,7 @@ sub determine_capabilities( $ ) {
|
||||
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
|
||||
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
|
||||
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
|
||||
$capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
|
||||
|
||||
qt1( "$iptables -F $sillyname" );
|
||||
qt1( "$iptables -X $sillyname" );
|
||||
|
@ -239,8 +239,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CONNLIMIT</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
|
||||
<term><emphasis role="bold">CONNLIMIT</emphasis> -
|
||||
<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number
|
||||
@ -254,10 +254,7 @@
|
||||
<replaceable>mask</replaceable> specifies the width of a VLSM mask
|
||||
to be applied to the source address; the number of current
|
||||
connections is then taken over all hosts in the subnet
|
||||
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
|
||||
When<option> !</option> is specified, the rule matches when the
|
||||
number of connection exceeds the
|
||||
<replaceable>limit</replaceable>.</para>
|
||||
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|