Add log rate limiting text to shorewall.conf

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1276 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-04-21 00:03:35 +00:00 · 2004-04-21 00:03:35 +00:00 · 5fbe4e2c81
commit 5fbe4e2c81
parent 942693a8e7
3 changed files with 12 additions and 2 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -22,3 +22,5 @@ Changes since 2.0.1
    have invented.

 11) Update the bogons file
+
+12) Added example for log rate limiting knobs in shorewall.conf.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -1092,7 +1092,6 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi

 	rulenum=$(($rulenum + 1))
 	eval ${chain}_logrules=$rulenum
-
    else
 	prefix="$(printf "$LOGFORMAT" $chain $disposition)${tag:+$tag }"
    fi
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@ -90,12 +90,21 @@ LOGFORMAT="Shorewall:%s:%s:"
 # maximum initial burst size that will be logged. If set empty, the default
 # value of 5 will be used.
 #
+# If BOTH variables are set empty then logging will not be rate-limited.
+#
 # Example:
 #
 #	LOGRATE=10/minute
 #	LOGBURST=5
 #
-# If BOTH variables are set empty then logging will not be rate-limited.
+# For each logging rule, the first time the rule is reached, the packet
+# will be logged; in fact, since the burst is 5, the first five packets
+# will be logged. After this, it will be 6 seconds (1 minute divided by
+# the rate of 10) before a message will be logged from the rule, regardless
+# of how many packets reach it. Also, every 6 seconds which passes without
+# matching a packet, one of the bursts will be regained; if no packets hit
+# the rule for 30 seconds, the burst will be fully recharged; back where
+# we started.
 #

 LOGRATE=