From 5fbe4e2c81e258a63ef2bbd1a10e9518bfbdb07e Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 21 Apr 2004 00:03:35 +0000
Subject: [PATCH] Add log rate limiting text to shorewall.conf

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1276 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 1 -
 Shorewall2/shorewall.conf | 11 ++++++++++-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index ca6952ccf..47968f3c9 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -22,3 +22,5 @@ Changes since 2.0.1
 have invented.
 11) Update the bogons file
+
+12) Added example for log rate limiting knobs in shorewall.conf.
\ No newline at end of file
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 660f81299..c9080050d 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1092,7 +1092,6 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
 rulenum=$(($rulenum + 1))
 eval ${chain}_logrules=$rulenum
-
 else
 prefix="$(printf "$LOGFORMAT" $chain $disposition)${tag:+$tag }"
 fi
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf
index 637b173c6..e99a0e4ba 100755
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@@ -90,12 +90,21 @@ LOGFORMAT="Shorewall:%s:%s:"
 # maximum initial burst size that will be logged. If set empty, the default
 # value of 5 will be used.
 #
+# If BOTH variables are set empty then logging will not be rate-limited.
+#
 # Example:
 #
 # LOGRATE=10/minute
 # LOGBURST=5
 #
-# If BOTH variables are set empty then logging will not be rate-limited.
+# For each logging rule, the first time the rule is reached, the packet
+# will be logged; in fact, since the burst is 5, the first five packets
+# will be logged. After this, it will be 6 seconds (1 minute divided by
+# the rate of 10) before a message will be logged from the rule, regardless
+# of how many packets reach it. Also, every 6 seconds which passes without
+# matching a packet, one of the bursts will be regained; if no packets hit
+# the rule for 30 seconds, the burst will be fully recharged; back where
+# we started.
 #
 LOGRATE=